Gentoo Linux Security Advisory 201406-1 - A vulnerability has been found in D-Bus which allows local attackers to gain escalated privileges. Versions less than 1.6.8 are affected.
b1c809471e5cf3d3ef063a3aacb2e6e405e46e5ca0d173789221c0bfb8ebfa36Mandriva Linux Security Advisory 2013-083 - It was discovered that the version of glib shipped with MBS 1 does not sanitise certain DBUS related environment variables. When used in combination with a setuid application which utilizes dbus via glib, a local user could gain escalated privileges with a specially crafted environment. This is related to a similar issue with dbus. This updated version of glib adds appropriate protection against such scenarios and also adds additional hardening when used in a setuid environment.
00be062d264761ffaab6ba68820ff25e49ad0147fd9a2fcb5e84638ffc2517f0Mandriva Linux Security Advisory 2013-070 - It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the D-Bus library (libdbus).
be68e4d8fcbb964f2e7bf79d0b49910b3b2c317c298a55458504f9b0c1e13092Ubuntu Security Notice 1576-2 - USN-1576-1 fixed vulnerabilities in DBus. The update caused a regression for certain services launched from the activation helper, and caused an unclean shutdown on upgrade. This update fixes the problem. Sebastian Krahmer discovered that DBus incorrectly handled environment variables when running with elevated privileges. A local attacker could possibly exploit this flaw with a setuid binary and gain root privileges. Various other issues were also addressed.
b76b46abec3e894741300d77a561d5b8163b65ee2dd9a52368e6aafd32e9c0b1Ubuntu Security Notice 1576-1 - Sebastian Krahmer discovered that DBus incorrectly handled environment variables when running with elevated privileges. A local attacker could possibly exploit this flaw with a setuid binary and gain root privileges.
6677312994a7727ec824bb41d1b1e25edee2fe8e4e1215d98961896838ab394bRed Hat Security Advisory 2012-1261-01 - D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility. It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the D-Bus library. Note: With this update, libdbus ignores environment variables when used by setuid or setgid applications. The environment is not ignored when an application gains privileges via file system capabilities; however, no application shipped in Red Hat Enterprise Linux 6 gains privileges via file system capabilities.
2fe96101f99eb2291e6510b5544d7a0828b7b2f84e24ba06f09f3b0c8005cd8a
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed