• [gentoo-announce] [ GLSA 202406-01 ] GLib: Privilege Escalation

    From glsamaker@gentoo.org@21:1/5 to All on Sat Jun 22 09:00:01 2024
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202406-01
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: High
    Title: GLib: Privilege Escalation
    Date: June 22, 2024
    Bugs: #931507
    ID: 202406-01

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in GLib, which can lead to privilege escalation.

    Background
    ==========

    GLib is a library providing a number of GNOME's core objects and
    functions.

    Affected packages
    =================

    Package        Vulnerable    Unaffected
    -------------  ------------  ------------
    dev-libs/glib  < 2.78.6      >= 2.78.6

    Description
    ===========

    A vulnerability has been discovered in GLib. Please review the CVE
    identifier referenced below for details.

    Impact
    ======

    When a GDBus-based client subscribes to signals from a trusted system
    service such as NetworkManager or logind on a shared computer, other
    users of the same computer can send spoofed D-Bus signals that the
    GDBus-based client will wrongly interpret as having been sent by the
    trusted system service. This could lead to the GDBus-based client
    behaving incorrectly, with an application-dependent impact.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All GLib users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/glib-2.78.6"
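
A way to confirm which hosts still carry a vulnerable GLib, as an added example that is not part of the GLSA or of Gentoo's tooling. It compares installed dev-libs/glib versions against the 2.78.6 threshold from the table above. Assumptions: the Portage installed-package database is at its default path /var/db/pkg, `sort -V` is available, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag installed dev-libs/glib versions below the fixed
# version named in GLSA 202406-01.

FIXED="2.78.6"   # "Unaffected" threshold from the advisory

# Return 0 (true) when version $1 is older than $FIXED.
# A Portage revision suffix (-rN) never moves a version across the
# threshold, so it is stripped before comparing.
glib_is_vulnerable() {
    base=${1%-r[0-9]*}
    if [ "$base" = "$FIXED" ]; then
        return 1
    fi
    lowest=$(printf '%s\n%s\n' "$base" "$FIXED" | sort -V | head -n 1)
    [ "$lowest" = "$base" ]
}

# Report every dev-libs/glib version recorded in the package database
# ($1, assumed default /var/db/pkg). Returns 1 if any is vulnerable.
check_installed_glib() {
    pkgdb=${1:-/var/db/pkg}
    rc=0
    for dir in "$pkgdb"/dev-libs/glib-[0-9]*; do
        [ -d "$dir" ] || continue          # glob matched nothing
        pv=${dir##*/glib-}
        if glib_is_vulnerable "$pv"; then
            echo "VULNERABLE  dev-libs/glib-$pv (< $FIXED)"
            rc=1
        else
            echo "ok          dev-libs/glib-$pv"
        fi
    done
    return $rc
}

# Scan the live system only when invoked with --scan.
if [ "${1:-}" = "--scan" ]; then
    check_installed_glib
fi
```

Processes that loaded the old library before the upgrade keep using it until they are restarted.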

    References
    ==========

    [ 1 ] CVE-2024-34397
    https://nvd.nist.gov/vuln/detail/CVE-2024-34397

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202406-01

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2024 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
