oss-sec mailing list archives
GLib (2.26.0+): GDBus signal subscriptions for well-known names are vulnerable to unicast spoofing
From: Philip Withnall <philip () tecnocode co uk>
Date: Tue, 07 May 2024 15:16:56 +0100
Hello,

A series of related security fixes for how signal subscriptions are handled in GDBus have just landed in GLib. They have been assigned CVE-2024-34397:

* https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4038 (changes on main)
* https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4039 (trivial backport to glib-2-80)
* https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4040 (non-trivial backport to glib-2-78)

There is a related fix in gnome-shell which distributions should cherry-pick at the same time, to avoid a regression in screen recording support in gnome-shell 3.38 and newer:

* https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/3303 (changes on main)
* Backports to older versions of gnome-shell are not available yet

When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager or logind on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.

Distributors are advised to cherry-pick these changes into their GLib packages ASAP.

This issue has likely existed since GDBus was first introduced in GLib 2.26, although this lower bound has not been verified. The issue has been verified to exist in at least GLib 2.66, 2.74, 2.78 (<2.78.5) and 2.80 (<2.80.1).

Per GLib's support policy, the fixes have not been backported to glib-2-76 or earlier.

Philip
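As an added illustration of the defensive check (example code, not GLib's own), the following models how a subscriber to a well-known name should accept signals: resolve the name to its owner's unique connection name, keep that binding current via NameOwnerChanged announced by the bus daemon, and drop everything else, including unicast signals from any other connection. It assumes the standard bus-daemon behaviour of rewriting every message's sender field to the sending connection's unique name; the Signal and NameFilter types and the message sequence in demo() are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

DBUS_SERVICE = "org.freedesktop.DBus"  # the bus daemon itself; only it announces owner changes

@dataclass
class Signal:
    sender: str       # rewritten by the bus daemon to the real unique name, e.g. ":1.5"
    interface: str
    member: str
    args: Tuple = ()

class NameFilter:
    """Admits a signal only when its sender is the current owner of the subscribed name."""
    def __init__(self, wanted: str):
        self.wanted = wanted  # well-known name subscribed to (a unique name owns itself)
        self.owner: Optional[str] = wanted if wanted.startswith(":") else None

    def set_initial_owner(self, reply: str) -> None:
        """Apply the unique name returned by GetNameOwner when the subscription is created."""
        self.owner = reply or None

    def observe(self, sig: Signal) -> bool:
        """Feed every incoming signal; True means it may be delivered to the subscriber."""
        if (sig.sender == DBUS_SERVICE and sig.interface == DBUS_SERVICE
                and sig.member == "NameOwnerChanged"):      # bookkeeping, trusted only from the daemon
            name, _old, new = sig.args
            if name == self.wanted:
                self.owner = new or None                 # "" means the name is now unowned
            return False
        if self.owner is None:
            return False                                 # fail closed while the owner is unknown
        return sig.sender == self.owner                  # unicast from any other connection is dropped

def demo() -> list:
    """Constructed message sequence on a shared system bus (not a real capture)."""
    nm = "org.freedesktop.NetworkManager"
    f = NameFilter(nm)
    f.set_initial_owner(":1.5")                           # NetworkManager's unique name
    real = Signal(":1.5", nm, "StateChanged", (70,))
    forged = Signal(":1.42", nm, "StateChanged", (20,))  # sent by another user's connection
    out = [f.observe(real), f.observe(forged)]
    # NetworkManager restarts: the daemon announces the new owner of the name.
    f.observe(Signal(DBUS_SERVICE, DBUS_SERVICE, "NameOwnerChanged", (nm, ":1.5", ":1.77")))
    out += [f.observe(real), f.observe(Signal(":1.77", nm, "StateChanged", (70,)))]
    # A NameOwnerChanged that does not come from the daemon must not re-point the filter.
    f.observe(Signal(":1.42", DBUS_SERVICE, "NameOwnerChanged", (nm, ":1.77", ":1.42")))
    out.append(f.observe(forged))
    return out  # [True, False, False, True, False]
```

Interface and member matching is left out so the sender check stays in focus; a real subscription applies both.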