[Pkg-utopia-maintainers] Bug#700638: CVE-2013-0292: authentication bypass due to insufficient checks in dbus-glib < 0.100.1

Simon McVittie smcv at debian.org
Fri Feb 15 17:44:49 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: libdbus-glib-1-2
Version: 0.100-1
Severity: critical
Tags: upstream patch security
Justification: root security hole
Control: fixed -1 0.100.1-1

Sebastian Krahmer discovered and published an authentication bypass
vulnerability in pam_fprintd, caused by a bug in dbus-glib. It is
possible that other users of dbus-glib can be exploited in the same
way. CVE-2013-0292 has been allocated for this vulnerability.

I've just released 0.100.1 upstream and uploaded it to unstable: fixing
this was the only change.

pam_fprintd is not present in stable or oldstable, but I'll check whether
this bug was present in those versions of dbus-glib, in case there are other
exploitation vectors.

    S

- -- System Information:
Debian Release: 7.0
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libdbus-glib-1-2 depends on:
ii  libc6              2.13-38
ii  libdbus-1-3        1.6.8-1
ii  libglib2.0-0       2.33.12+really2.32.4-5
ii  multiarch-support  2.13-38

libdbus-glib-1-2 recommends no packages.

libdbus-glib-1-2 suggests no packages.

- -- no debconf information
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----


