Mandriva Linux Security Advisory 2013-083 - It was discovered that the version of glib shipped with MBS 1 does not sanitise certain DBUS related environment variables. When used in combination with a setuid application which utilizes dbus via glib, a local user could gain escalated privileges with a specially crafted environment. This is related to a similar issue with dbus. This updated version of glib adds appropriate protection against such scenarios and also adds additional hardening when used in a setuid environment.
00be062d264761ffaab6ba68820ff25e49ad0147fd9a2fcb5e84638ffc2517f0-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2013:083
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : glib2.0
Date : April 9, 2013
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated glib2.0 packages fix security vulnerability:
It was discovered that the version of glib shipped with MBS 1 does
not sanitise certain DBUS related environment variables. When used
in combination with a setuid application which utilises dbus via
glib, a local user could gain escalated privileges with a specially
crafted environment. This is related to a similar issue with dbus
(CVE-2012-3524).
This updated version of glib adds appropriate protection against
such scenarios and also adds additional hardening when used in a
setuid environment.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3524
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0293
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
de4094c18ae9b4513078d4ef000dd875 mbs1/x86_64/glib2.0-common-2.32.4-1.mbs1.x86_64.rpm
b2e1e347ae6d793ecb2dc9c7c980413b mbs1/x86_64/glib-gettextize-2.32.4-1.mbs1.x86_64.rpm
b7973bd0af7715153573f254fe888ff3 mbs1/x86_64/lib64gio2.0_0-2.32.4-1.mbs1.x86_64.rpm
06abc13fc1fefa27501416cd78a2daca mbs1/x86_64/lib64glib2.0_0-2.32.4-1.mbs1.x86_64.rpm
5a264af58cd6398813766213b3f644d8 mbs1/x86_64/lib64glib2.0-devel-2.32.4-1.mbs1.x86_64.rpm
513ab313c25d170152de83ae5cf9a403 mbs1/x86_64/lib64glib2.0-static-devel-2.32.4-1.mbs1.x86_64.rpm
5f1a72a5c8fecf94e5ff9d176ef79e7f mbs1/SRPMS/glib2.0-2.32.4-1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFRY7mDmqjQ0CJFipgRAvcXAJ4m4Z681SwmeecNwtbP77I1knMZyACgpOE+
OCpNk6uioH19jXv74MA/4Dk=
=ektN
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed