Date: Tue, 07 May 2024 15:16:56 +0100
From: Philip Withnall <philip@...nocode.co.uk>
To: oss-security@...ts.openwall.com
Subject: GLib (2.26.0+): GDBus signal subscriptions for well-known names are vulnerable to unicast spoofing

Hello,

A series of related security fixes for how signal subscriptions are
handled in GDBus have just landed in GLib. They have been assigned
CVE-2024-34397:

 * https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4038 (changes on main)
 * https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4039 (trivial backport to glib-2-80)
 * https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4040 (non-trivial backport to glib-2-78)

There is a related fix in gnome-shell which distributions should
cherry-pick at the same time, to avoid a regression in screen recording
support in gnome-shell 3.38 and newer:

 * https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/3303 (changes on main)
 * Backports to older versions of gnome-shell are not available yet

When a GDBus-based client subscribes to signals from a trusted system
service such as NetworkManager or logind on a shared computer, other
users of the same computer can send spoofed D-Bus signals that the
GDBus-based client will wrongly interpret as having been sent by the
trusted system service. This could lead to the GDBus-based client
behaving incorrectly, with an application-dependent impact.
Distributors are advised to cherry-pick these changes into their GLib
packages ASAP.

This issue has likely existed since GDBus was first introduced in GLib
2.26, although this lower bound has not been verified. The issue has
been verified to exist in at least GLib 2.66, 2.74, 2.78 (<2.78.5) and
2.80 (<2.80.1).

Per GLib’s support policy, the fixes have not been backported to
glib-2-76 or earlier.

Philip
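The following is an added, constructed model of the matching problem described in the advisory above; it is not GLib code and not part of the original post. It assumes the mechanism as I read it from the fix: a message's SENDER field is always the sender's unique name (the bus daemon rewrites it), so a subscription on a well-known name such as org.freedesktop.NetworkManager cannot be matched by comparing sender strings; the unfixed matcher therefore accepted any sender for such subscriptions and relied on the bus daemon's match rules, which do not apply to unicast signals addressed directly to the client. The hardened matcher resolves the well-known name to its current owner (as a client would with GetNameOwner and NameOwnerChanged) and only accepts that unique name. The unique names, the hypothetical `StateChanged` member and the dict-based "bus" are all constructed for the example.

```python
"""Constructed model of GDBus signal-subscription matching for a well-known
name sender (example code, not GLib source). Messages are plain dicts and
the name registry is a dict, so it runs offline."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample session: the genuine NetworkManager connection, a
# second local user's connection acting as the spoofer, and our client.
NM_WELL_KNOWN = "org.freedesktop.NetworkManager"
NM_IFACE = "org.freedesktop.NetworkManager"
NM_PATH = "/org/freedesktop/NetworkManager"
NM_OWNER = ":1.5"
ATTACKER = ":1.99"
CLIENT = ":1.42"


def make_signal(sender: str, interface: str, member: str, path: str,
                destination: Optional[str] = None) -> dict:
    """Header of a D-Bus SIGNAL message. The bus daemon always sets SENDER
    to the real unique name, so it cannot be forged; what a local user can
    do is set DESTINATION (a unicast signal), which the bus delivers
    without consulting the receiver's match rules."""
    return {"sender": sender, "interface": interface, "member": member,
            "path": path, "destination": destination}


@dataclass
class Subscription:
    sender: str              # well-known or unique name the client asked for
    interface: str
    member: str
    delivered: List[dict] = field(default_factory=list)


def _iface_member_match(sub: Subscription, msg: dict) -> bool:
    return msg["interface"] == sub.interface and msg["member"] == sub.member


def matches_unfixed(sub: Subscription, msg: dict) -> bool:
    """Pre-fix behaviour as modelled here: for a well-known-name sender the
    literal string can never equal a unique name, so every sender is
    accepted and the bus is trusted to have filtered. A unicast spoof is
    never filtered by the bus, so it is delivered."""
    if not _iface_member_match(sub, msg):
        return False
    if sub.sender.startswith(":"):
        return msg["sender"] == sub.sender
    return True  # well-known name: accept any sender (the bug)


class NameOwnerTracker:
    """Current owner of each well-known name, kept up to date the way a
    client would via GetNameOwner and org.freedesktop.DBus.NameOwnerChanged."""

    def __init__(self, initial: Dict[str, str]):
        self.owners = dict(initial)

    def name_owner_changed(self, name: str, old: str, new: str) -> None:
        # NameOwnerChanged uses "" for old/new when the name is (un)acquired.
        if new:
            self.owners[name] = new
        else:
            self.owners.pop(name, None)

    def owner_of(self, name: str) -> Optional[str]:
        return self.owners.get(name)


def matches_fixed(sub: Subscription, msg: dict,
                  tracker: NameOwnerTracker) -> bool:
    """Post-fix behaviour as modelled here: resolve the well-known name to
    its current unique owner and require SENDER to be exactly that. If the
    name has no owner, nothing can legitimately claim it, so drop."""
    if not _iface_member_match(sub, msg):
        return False
    expected = (sub.sender if sub.sender.startswith(":")
                else tracker.owner_of(sub.sender))
    return expected is not None and msg["sender"] == expected


def run_scenario() -> Dict[str, bool]:
    """Genuine signal, unicast spoof, and a service restart that changes
    the owner's unique name; returns which matcher delivered what."""
    sub = Subscription(NM_WELL_KNOWN, NM_IFACE, "StateChanged")
    tracker = NameOwnerTracker({NM_WELL_KNOWN: NM_OWNER})
    genuine = make_signal(NM_OWNER, NM_IFACE, "StateChanged", NM_PATH)
    spoof = make_signal(ATTACKER, NM_IFACE, "StateChanged", NM_PATH,
                        destination=CLIENT)
    out = {
        "genuine_unfixed": matches_unfixed(sub, genuine),
        "spoof_unfixed": matches_unfixed(sub, spoof),
        "genuine_fixed": matches_fixed(sub, genuine, tracker),
        "spoof_fixed": matches_fixed(sub, spoof, tracker),
    }
    # NetworkManager restarts: old owner releases the name, new one takes it.
    tracker.name_owner_changed(NM_WELL_KNOWN, NM_OWNER, "")
    tracker.name_owner_changed(NM_WELL_KNOWN, "", ":1.120")
    from_new = make_signal(":1.120", NM_IFACE, "StateChanged", NM_PATH)
    out["stale_owner_fixed"] = matches_fixed(sub, genuine, tracker)
    out["new_owner_fixed"] = matches_fixed(sub, from_new, tracker)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the restart step is the caveat a practitioner should keep in mind: matching on the owner's unique name is only safe if the owner is re-resolved whenever NameOwnerChanged fires, otherwise a legitimately restarted service is silently ignored. A client that cannot upgrade GLib yet has no way to compare sender strings directly (they are always unique names), so it has to do equivalent owner tracking itself.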

