GLib (2.26.0+): GDBus signal subscriptions for well-known names are vulnerable to unicast spoofing

[Philip Withnall <philip () tecnocode co uk>]

Hello,

A series of related security fixes for how signal subscriptions are
handled in GDBus have just landed in GLib. They have been assigned CVE-
2024-34397:

 * https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4038 (changes
on main)
 * https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4039 (trivial
backport to glib-2-80)
 * https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4040 (non-
trivial backport to glib-2-78)

There is a related fix in gnome-shell which distributions should
cherry-pick at the same time, to avoid a regression in screen recording
support in gnome-shell 3.38 and newer:

 * https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/3303
(changes on main)
 * Backports to older versions of gnome-shell are not available yet

When a GDBus-based client subscribes to signals from a trusted system
service such as NetworkManager or logind on a shared computer, other
users of the same computer can send spoofed D-Bus signals that the
GDBus-based client will wrongly interpret as having been sent by the
trusted system service. This could lead to the GDBus-based client
behaving incorrectly, with an application-dependent impact.
Distributors are advised to cherry-pick these changes into their GLib
packages ASAP.

This issue has likely existed since GDBus was first introduced in GLib
2.26, although this lower bound has not been verified. The issue has
been verified to exist in at least GLib 2.66, 2.74, 2.78 (<2.78.5) and
2.80 (<2.80.1).

Per GLib’s support policy, the fixes have not been backported to glib-
2-76 or earlier.

Philip

Attachment: signature.asc
Description: This is a digitally signed message part