[Pkg-utopia-maintainers] Bug#700638: CVE-2013-0292: authentication bypass due to insufficient checks in dbus-glib < 0.100.1

Simon McVittie smcv at debian.org
Mon Feb 18 09:53:53 UTC 2013


On 15/02/13 17:44, I wrote:
> Severity: critical
> Justification: root security hole
>
> Sebastian Krahmer discovered and published an authentication bypass
> vulnerability in pam_fprintd, caused by a bug in dbus-glib. It is
> possible that other users of dbus-glib can be exploited in the same
> way. CVE-2013-0292 has been allocated for this vulnerability.

On 15/02/13 18:25, Simon McVittie wrote:
> I can confirm that this bug is present in the version of dbus-glib in
> squeeze, and that cherry-picking upstream commit 166978a09cf fixes it.

The debdiff I previously attached works fine on a squeeze machine. If
the distribution 'stable' in debian/changelog is OK, I can upload it at
any time; if not (e.g. if you need 'stable-security' there), there will
be a short delay while I rebuild and re-test.

> Security team: what do you want me to do about this? Should I upload
> 0.88-2.1+squeeze1 to security-master, or go through the SPU process, or
> do you want to handle it?

This question still stands.

Thanks,
    S


