what you don't know can hurt you
Showing 1 - 6 of 6 RSS Feed

CVE-2012-3524

Status Candidate

Overview

libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."

Related Files

Gentoo Linux Security Advisory 201406-01
Posted Jun 1, 2014
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201406-1 - A vulnerability has been found in D-Bus which allows local attackers to gain escalated privileges. Versions less than 1.6.8 are affected.

tags | advisory, local
systems | linux, gentoo
advisories | CVE-2012-3524
MD5 | 44113ad57857d3f40edbea219353e094
Mandriva Linux Security Advisory 2013-083
Posted Apr 10, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-083 - It was discovered that the version of glib shipped with MBS 1 does not sanitise certain DBUS related environment variables. When used in combination with a setuid application which utilizes dbus via glib, a local user could gain escalated privileges with a specially crafted environment. This is related to a similar issue with dbus. This updated version of glib adds appropriate protection against such scenarios and also adds additional hardening when used in a setuid environment.

tags | advisory, local
systems | linux, mandriva
advisories | CVE-2012-3524
MD5 | 468b28886524ae6dcc7e479e049b7854
Mandriva Linux Security Advisory 2013-070
Posted Apr 8, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-070 - It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the D-Bus library (libdbus).

tags | advisory, local
systems | linux, mandriva
advisories | CVE-2012-3524
MD5 | 94bc887399db30eff5d355ba858395bd
Ubuntu Security Notice USN-1576-2
Posted Oct 5, 2012
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1576-2 - USN-1576-1 fixed vulnerabilities in DBus. The update caused a regression for certain services launched from the activation helper, and caused an unclean shutdown on upgrade. This update fixes the problem. Sebastian Krahmer discovered that DBus incorrectly handled environment variables when running with elevated privileges. A local attacker could possibly exploit this flaw with a setuid binary and gain root privileges. Various other issues were also addressed.

tags | advisory, local, root, vulnerability
systems | linux, ubuntu
advisories | CVE-2012-3524
MD5 | e9db60d1c2adbc142544ea5f2ab9c224
Ubuntu Security Notice USN-1576-1
Posted Sep 20, 2012
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1576-1 - Sebastian Krahmer discovered that DBus incorrectly handled environment variables when running with elevated privileges. A local attacker could possibly exploit this flaw with a setuid binary and gain root privileges.

tags | advisory, local, root
systems | linux, ubuntu
advisories | CVE-2012-3524
MD5 | cb86b09af16c3fba0f63cfb9e4776837
Red Hat Security Advisory 2012-1261-01
Posted Sep 14, 2012
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2012-1261-01 - D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility. It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the D-Bus library. Note: With this update, libdbus ignores environment variables when used by setuid or setgid applications. The environment is not ignored when an application gains privileges via file system capabilities; however, no application shipped in Red Hat Enterprise Linux 6 gains privileges via file system capabilities.

tags | advisory, local
systems | linux, redhat
advisories | CVE-2012-3524
MD5 | efab661fc9f2268704595db2dedf1d34
Page 1 of 1
Back1Next

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    15 Files
  • 19
    Oct 19th
    10 Files
  • 20
    Oct 20th
    7 Files
  • 21
    Oct 21st
    4 Files
  • 22
    Oct 22nd
    2 Files
  • 23
    Oct 23rd
    10 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close