Home / mailings [RHSA-2010:0616-01] Moderate: dbus-glib security update
Posted on 10 August 2010
RedHat-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: dbus-glib security update
Advisory ID: RHSA-2010:0616-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0616.html
Issue date: 2010-08-10
CVE Names: CVE-2010-1172
=====================================================================
1. Summary:
Updated dbus-glib packages that fix one security issue are now available
for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
2. Relevant releases/architectures:
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
3. Description:
dbus-glib is an add-on library to integrate the standard D-Bus library with
the GLib main loop and threading model. NetworkManager is a network link
manager that attempts to keep a wired or wireless network connection active
at all times.
It was discovered that dbus-glib did not enforce the "access" flag on
exported GObject properties. If such a property were read/write internally
but specified as read-only externally, a malicious, local user could use
this flaw to modify that property of an application. Such a change could
impact the application's behavior (for example, if an IP address were
changed the network may not come up properly after reboot) and possibly
lead to a denial of service. (CVE-2010-1172)
Due to the way dbus-glib translates an application's XML definitions of
service interfaces and properties into C code at application build time,
applications built against dbus-glib that use read-only properties needed
to be rebuilt to fully fix the flaw. As such, this update provides
NetworkManager packages that have been rebuilt against the updated
dbus-glib packages. No other applications shipped with Red Hat Enterprise
Linux 5 were affected.
All dbus-glib and NetworkManager users are advised to upgrade to these
updated packages, which contain a backported patch to correct this issue.
Running instances of NetworkManager must be restarted (service
NetworkManager restart) for this update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
585394 - CVE-2010-1172 dbus-glib: property access not validated
6. Package List:
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/NetworkManager-0.7.0-10.el5_5.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/dbus-glib-0.73-10.el5_5.src.rpm
i386:
NetworkManager-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-debuginfo-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-devel-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-glib-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-glib-devel-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-gnome-0.7.0-10.el5_5.1.i386.rpm
dbus-glib-0.73-10.el5_5.i386.rpm
dbus-glib-debuginfo-0.73-10.el5_5.i386.rpm
dbus-glib-devel-0.73-10.el5_5.i386.rpm
x86_64:
NetworkManager-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-0.7.0-10.el5_5.1.x86_64.rpm
NetworkManager-debuginfo-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-debuginfo-0.7.0-10.el5_5.1.x86_64.rpm
NetworkManager-glib-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-glib-0.7.0-10.el5_5.1.x86_64.rpm
NetworkManager-gnome-0.7.0-10.el5_5.1.x86_64.rpm
dbus-glib-0.73-10.el5_5.i386.rpm
dbus-glib-0.73-10.el5_5.x86_64.rpm
dbus-glib-debuginfo-0.73-10.el5_5.i386.rpm
dbus-glib-debuginfo-0.73-10.el5_5.x86_64.rpm
RHEL Desktop Workstation (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/NetworkManager-0.7.0-10.el5_5.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/dbus-glib-0.73-10.el5_5.src.rpm
i386:
NetworkManager-debuginfo-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-devel-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-glib-devel-0.7.0-10.el5_5.1.i386.rpm
dbus-glib-debuginfo-0.73-10.el5_5.i386.rpm
dbus-glib-devel-0.73-10.el5_5.i386.rpm
x86_64:
NetworkManager-debuginfo-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-debuginfo-0.7.0-10.el5_5.1.x86_64.rpm
NetworkManager-devel-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-devel-0.7.0-10.el5_5.1.x86_64.rpm
NetworkManager-glib-devel-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-glib-devel-0.7.0-10.el5_5.1.x86_64.rpm
dbus-glib-debuginfo-0.73-10.el5_5.i386.rpm
dbus-glib-debuginfo-0.73-10.el5_5.x86_64.rpm
dbus-glib-devel-0.73-10.el5_5.i386.rpm
dbus-glib-devel-0.73-10.el5_5.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/NetworkManager-0.7.0-10.el5_5.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/dbus-glib-0.73-10.el5_5.src.rpm
i386:
NetworkManager-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-debuginfo-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-devel-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-glib-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-glib-devel-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-gnome-0.7.0-10.el5_5.1.i386.rpm
dbus-glib-0.73-10.el5_5.i386.rpm
dbus-glib-debuginfo-0.73-10.el5_5.i386.rpm
dbus-glib-devel-0.73-10.el5_5.i386.rpm
ia64:
NetworkManager-0.7.0-10.el5_5.1.ia64.rpm
NetworkManager-debuginfo-0.7.0-10.el5_5.1.ia64.rpm
NetworkManager-devel-0.7.0-10.el5_5.1.ia64.rpm
NetworkManager-glib-0.7.0-10.el5_5.1.ia64.rpm
NetworkManager-glib-devel-0.7.0-10.el5_5.1.ia64.rpm
NetworkManager-gnome-0.7.0-10.el5_5.1.ia64.rpm
dbus-glib-0.73-10.el5_5.ia64.rpm
dbus-glib-debuginfo-0.73-10.el5_5.ia64.rpm
dbus-glib-devel-0.73-10.el5_5.ia64.rpm
ppc:
NetworkManager-0.7.0-10.el5_5.1.ppc.rpm
NetworkManager-0.7.0-10.el5_5.1.ppc64.rpm
NetworkManager-debuginfo-0.7.0-10.el5_5.1.ppc.rpm
NetworkManager-debuginfo-0.7.0-10.el5_5.1.ppc64.rpm
NetworkManager-devel-0.7.0-10.el5_5.1.ppc.rpm
NetworkManager-devel-0.7.0-10.el5_5.1.ppc64.rpm
NetworkManager-glib-0.7.0-10.el5_5.1.ppc.rpm
NetworkManager-glib-0.7.0-10.el5_5.1.ppc64.rpm
NetworkManager-glib-devel-0.7.0-10.el5_5.1.ppc.rpm
NetworkManager-glib-devel-0.7.0-10.el5_5.1.ppc64.rpm
NetworkManager-gnome-0.7.0-10.el5_5.1.ppc.rpm
dbus-glib-0.73-10.el5_5.ppc.rpm
dbus-glib-0.73-10.el5_5.ppc64.rpm
dbus-glib-debuginfo-0.73-10.el5_5.ppc.rpm
dbus-glib-debuginfo-0.73-10.el5_5.ppc64.rpm
dbus-glib-devel-0.73-10.el5_5.ppc.rpm
dbus-glib-devel-0.73-10.el5_5.ppc64.rpm
s390x:
dbus-glib-0.73-10.el5_5.s390.rpm
dbus-glib-0.73-10.el5_5.s390x.rpm
dbus-glib-debuginfo-0.73-10.el5_5.s390.rpm
dbus-glib-debuginfo-0.73-10.el5_5.s390x.rpm
dbus-glib-devel-0.73-10.el5_5.s390.rpm
dbus-glib-devel-0.73-10.el5_5.s390x.rpm
x86_64:
NetworkManager-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-0.7.0-10.el5_5.1.x86_64.rpm
NetworkManager-debuginfo-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-debuginfo-0.7.0-10.el5_5.1.x86_64.rpm
NetworkManager-devel-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-devel-0.7.0-10.el5_5.1.x86_64.rpm
NetworkManager-glib-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-glib-0.7.0-10.el5_5.1.x86_64.rpm
NetworkManager-glib-devel-0.7.0-10.el5_5.1.i386.rpm
NetworkManager-glib-devel-0.7.0-10.el5_5.1.x86_64.rpm
NetworkManager-gnome-0.7.0-10.el5_5.1.x86_64.rpm
dbus-glib-0.73-10.el5_5.i386.rpm
dbus-glib-0.73-10.el5_5.x86_64.rpm
dbus-glib-debuginfo-0.73-10.el5_5.i386.rpm
dbus-glib-debuginfo-0.73-10.el5_5.x86_64.rpm
dbus-glib-devel-0.73-10.el5_5.i386.rpm
dbus-glib-devel-0.73-10.el5_5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2010-1172.html
http://www.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2010 Red Hat, Inc.