First published: Fri Apr 23 2010
The desktop team recently discovered a flaw in dbus-glib where it didn't respect the "access" flag on properties specified. Basically, core OS services like NetworkManager which use dbus-glib were specifying e.g. the "Ip4Address" as read-only for remote access, but in fact any process could modify it. I have a patch for dbus-glib (attached). However, due to the nature of the way dbus-glib works where at build time services generate a C data structure from XML and embed it into their binary, affected services will need to be rebuilt (though not patched). This affected list is for F-12; I think for RHEL5 we just need dbus-glib and NetworkManager.

KNOWN AFFECTED SERVICES:

* DeviceKit-Power
* NetworkManager
* ModemManager

KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:

* ConsoleKit (it denies all Properties access using dbus policy)
* gdm (ditto)
* PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)

KNOWN NOT AFFECTED (because I audited them):

* gnome-panel (no dbus properties)
* gnome-system-monitor (ditto)

PROBABLY NOT AFFECTED:

* hal (doesn't claim to handle org.freedesktop.DBus.Properties)
* polkit (uses eggdbus)
* rtkit (doesn't use dbus-glib)
* DeviceKit-disks (all its properties appear to be readonly)
* wpa_supplicant (doesn't implement Properties)
* upstart (doesn't use dbus-glib)
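The flaw above is easiest to see as a model of the Properties.Set dispatch that dbus-glib generates from a service's introspection XML. The following is an added example, not code from the bug report or from dbus-glib: it parses a constructed introspection snippet (the interface name `org.freedesktop.NetworkManager.Device` and the `Managed` property are illustrative; `Ip4Address` is the property named in the report) and contrasts a dispatcher that ignores the `access` attribute with one that enforces it.

```python
"""Model of org.freedesktop.DBus.Properties.Set handling, with and without
honouring the property's ``access`` attribute from the introspection XML.
Added example; the XML below is constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed introspection snippet: one read-only and one read-write property.
INTROSPECTION_XML = """<node>
  <interface name="org.freedesktop.NetworkManager.Device">
    <property name="Ip4Address" type="u" access="read"/>
    <property name="Managed" type="b" access="readwrite"/>
  </interface>
</node>"""

IFACE = "org.freedesktop.NetworkManager.Device"  # illustrative interface name


class PropertyAccessDenied(Exception):
    """Raised when a Set request targets a property without write access."""


def load_properties(xml_text):
    """Map (interface, property) -> access flag, the table that the build-time
    binding generator bakes into each service's binary (hence the rebuilds)."""
    table = {}
    for iface in ET.fromstring(xml_text).iter("interface"):
        for prop in iface.iter("property"):
            table[(iface.get("name"), prop.get("name"))] = prop.get("access", "readwrite")
    return table


def properties_set(store, table, iface, name, value, enforce_access=True):
    """Handle a Set request. enforce_access=False models the flawed behaviour:
    the access flag is present in the table but never consulted, so any bus
    client can overwrite a property declared read-only."""
    access = table.get((iface, name))
    if access is None:
        raise KeyError("unknown property %s.%s" % (iface, name))
    if enforce_access and "write" not in access:  # "read" lacks write access
        raise PropertyAccessDenied("%s.%s is %s" % (iface, name, access))
    store[name] = value
    return store[name]


def demo():
    """Return (value after flawed Set, value after fixed Set, fixed_denied)."""
    table = load_properties(INTROSPECTION_XML)
    flawed, fixed = {"Ip4Address": 0x0100007F}, {"Ip4Address": 0x0100007F}
    properties_set(flawed, table, IFACE, "Ip4Address", 0, enforce_access=False)
    try:
        properties_set(fixed, table, IFACE, "Ip4Address", 0)
        denied = False
    except PropertyAccessDenied:
        denied = True
    return flawed["Ip4Address"], fixed["Ip4Address"], denied
```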
Affected Software | Affected Version | How to fix
---|---|---
CentOS D-Bus GLib | |
NetworkManager | |
freedesktop DeviceKit-Power | |
ModemManager | |
The severity of REDHAT-BUG-585394 is considered high due to its potential to allow unauthorized modification of system properties.
To fix REDHAT-BUG-585394, update to a fixed version of dbus-glib and rebuild the affected services against it, since the property access flags are generated from XML at build time and embedded in each service's binary.
The components affected by REDHAT-BUG-585394 include dbus-glib, NetworkManager, DeviceKit-Power, and ModemManager.
REDHAT-BUG-585394 impacts system security by allowing unauthorized processes to modify properties that should be restricted.
A potential workaround for REDHAT-BUG-585394 is to restrict access to the org.freedesktop.DBus.Properties interface of affected services through D-Bus policy (as ConsoleKit and gdm already do) until an update can be applied.