From: Mageia Updates <buildsystem-daemon@mageia.org>
To: updates-announce@ml.mageia.org
Subject: [updates-announce] MGASA-2012-0293: glib2.0-2.32.4-1.1.mga2 (2/core)
Date: Sun, 14 Oct 2012 21:16:13 +0200
Message-ID: <20121014191613.GA902@valstar.mageia.org>

MGASA-2012-0293

Date: October 14th, 2012
Affected releases: 2

Description:

Updated glib2.0 packages fix a security vulnerability:

It was discovered that the version of glib shipped with Mageia 2 does
not sanitise certain DBUS-related environment variables. When used in
combination with a setuid application which utilises dbus via glib, a
local user could gain escalated privileges with a specially crafted
environment. This is related to a similar issue with dbus.
(CVE-2012-3524)

This updated version of glib adds appropriate protection against such
scenarios and also adds additional hardening when used in a setuid
environment.

Updated Packages:

glib2.0-common-2.32.4-1.1.mga2
glib-gettextize-2.32.4-1.1.mga2
lib(64)gio2.0_0-2.32.4-1.1.mga2
lib(64)glib2.0_0-2.32.4-1.1.mga2
lib(64)glib2.0-devel-2.32.4-1.1.mga2
lib(64)glib2.0-static-devel-2.32.4-1.1.mga2

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3524
http://lists.fedoraproject.org/pipermail/package-announce...
https://bugs.mageia.org/show_bug.cgi?id=7595
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...
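
Application-side hardening for the class of issue described in this advisory, added here as an example and not code from glib, dbus or Mageia: a setuid program removes DBUS-related variables from its environment before any bus-aware library code runs. The function names are hypothetical, and scrubbing the whole `DBUS_` prefix is an assumption, since the advisory does not name the variables involved.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Nonzero when real and effective IDs differ, i.e. the binary runs
 * setuid/setgid and its environment came from a less privileged caller. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Remove every NAME=value entry whose NAME starts with prefix.
 * Returns the number of variables removed, or -1 on failure. */
int scrub_env_prefix(const char *prefix)
{
    size_t plen = strlen(prefix);
    int removed = 0;
    char **ep = environ;

    while (ep != NULL && *ep != NULL) {
        const char *eq = strchr(*ep, '=');
        /* Entries without '=' are invisible to getenv(); skip them. */
        if (eq == NULL || strncmp(*ep, prefix, plen) != 0) {
            ep++;
            continue;
        }
        size_t nlen = (size_t)(eq - *ep);
        char *name = malloc(nlen + 1);
        if (name == NULL)
            return -1;
        memcpy(name, *ep, nlen);
        name[nlen] = '\0';
        int rc = unsetenv(name);
        free(name);
        if (rc != 0)
            return -1;
        removed++;
        ep = environ;   /* unsetenv() compacts the array: rescan from the top */
    }
    return removed;
}

int main(void)
{
    /* Run first in main(); fail closed if the environment cannot be cleaned. */
    if (running_privileged() && scrub_env_prefix("DBUS_") < 0)
        return EXIT_FAILURE;
    return EXIT_SUCCESS;
}
```

This complements the package update and does not replace it: the updated glib is what protects setuid programs that are not changed this way.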