Mageia alert MGASA-2012-0282 (dbus) [LWN.net]


From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2012-0282: dbus-1.4.1-3.2.mga1 (1/core),
 dbus-1.4.16-5.1.mga2 (2/core) 
Date:
    	       Sat, 6 Oct 2012 15:39:53 +0200
Message-ID:
    	       <20121006133953.GA29443@valstar.mageia.org>
Archive-link:
    	       Article, Thread
              
MGASA-2012-0282
Date: 	October 6th, 2012
Affected releases: 	1, 2


Description:
Updated dbus packages fix security vulnerability:

It was discovered that the D-Bus library honored environment settings
even when running with elevated privileges. A local attacker could
possibly use this flaw to escalate their privileges, by setting specific
environment variables before running a setuid or setgid application
linked against the D-Bus library (libdbus) (CVE-2012-3524).


Updated Packages:
Mageia 1:
dbus-1.4.1-3.2.mga1
dbus-doc-1.4.1-3.2.mga1
dbus-x11-1.4.1-3.2.mga1
lib(64)dbus-1_3-1.4.1-3.2.mga1
lib(64)dbus-1-devel-1.4.1-3.2.mga1

Mageia 2:
dbus-1.4.16-5.1.mga2
dbus-x11-1.4.16-5.1.mga2
dbus-doc-1.4.16-5.1.mga2
lib(64)dbus-1-devel-1.4.16-5.1.mga2
lib(64)dbus-1_3-1.4.16-5.1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3524
https://rhn.redhat.com/errata/RHSA-2012-1261.html
https://bugs.mageia.org/show_bug.cgi?id=7474
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...
(Log in to post comments)