[gentoo-announce] [ GLSA 201706-05 ] D-Bus: Multiple vulnerabilities - gentoo-announce

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201706-05 ] D-Bus: Multiple vulnerabilities
Date:	Tue, 06 Jun 2017 08:54:17
Message-Id:	`a0439049-7d19-1d1c-8d2d-147847370d8a@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201706-05

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: D-Bus: Multiple vulnerabilities

9

     Date: June 06, 2017

10

     Bugs: #611392

11

       ID: 201706-05

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities in D-Bus might allow an attacker to overwrite

19

files with a fixed filename in arbitrary directories or conduct a

20

symlink attack.

21

22

Background

23

==========

24

25

D-Bus is a message bus system which processes can use to talk to each

26

other.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package              /     Vulnerable     /            Unaffected

33

    -------------------------------------------------------------------

34

  1  sys-apps/dbus               < 1.10.18                 >= 1.10.18

35

36

Description

37

===========

38

39

Multiple vulnerabilities have been discovered in D-Bus. Please review

40

the original report referenced below for details.

41

42

Impact

43

======

44

45

An attacker could possibly overwrite arbitrary files named "once" with

46

content not controlled by the attacker.

47

48

A local attacker could perform a symlink attack against D-Bus' test

49

suite.

50

51

Workaround

52

==========

53

54

There is no known workaround at this time.

55

56

Resolution

57

==========

58

59

All D-Bus users should upgrade to the latest version:

60

61

  # emerge --sync

62

  # emerge --ask --oneshot --verbose ">=sys-apps/dbus-1.10.18"

63

64

References

65

==========

66

67

[ 1 ] Original report

68

      http://www.openwall.com/lists/oss-security/2017/02/16/4

69

70

Availability

71

============

72

73

This GLSA and any updates to it are available for viewing at

74

the Gentoo Security Website:

75

76

 https://security.gentoo.org/glsa/201706-05

77

78

Concerns?

79

=========

80

81

Security is a primary focus of Gentoo Linux and ensuring the

82

confidentiality and security of our users' machines is of utmost

83

importance to us. Any security concerns should be addressed to

84

security@g.o or alternatively, you may file a bug at

85

https://bugs.gentoo.org.

86

87

License

88

=======

89

90

Copyright 2017 Gentoo Foundation, Inc; referenced text

91

belongs to its owner(s).

92

93

The contents of this document are licensed under the

94

Creative Commons - Attribution / Share Alike license.

95

96

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201706-05
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: D-Bus: Multiple vulnerabilities
9	Date: June 06, 2017
10	Bugs: #611392
11	ID: 201706-05
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities in D-Bus might allow an attacker to overwrite
19	files with a fixed filename in arbitrary directories or conduct a
20	symlink attack.
21
22	Background
23	==========
24
25	D-Bus is a message bus system which processes can use to talk to each
26	other.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 sys-apps/dbus < 1.10.18 >= 1.10.18
35
36	Description
37	===========
38
39	Multiple vulnerabilities have been discovered in D-Bus. Please review
40	the original report referenced below for details.
41
42	Impact
43	======
44
45	An attacker could possibly overwrite arbitrary files named "once" with
46	content not controlled by the attacker.
47
48	A local attacker could perform a symlink attack against D-Bus' test
49	suite.
50
51	Workaround
52	==========
53
54	There is no known workaround at this time.
55
56	Resolution
57	==========
58
59	All D-Bus users should upgrade to the latest version:
60
61	# emerge --sync
62	# emerge --ask --oneshot --verbose ">=sys-apps/dbus-1.10.18"
63
64	References
65	==========
66
67	[ 1 ] Original report
68	http://www.openwall.com/lists/oss-security/2017/02/16/4
69
70	Availability
71	============
72
73	This GLSA and any updates to it are available for viewing at
74	the Gentoo Security Website:
75
76	https://security.gentoo.org/glsa/201706-05
77
78	Concerns?
79	=========
80
81	Security is a primary focus of Gentoo Linux and ensuring the
82	confidentiality and security of our users' machines is of utmost
83	importance to us. Any security concerns should be addressed to
84	security@g.o or alternatively, you may file a bug at
85	https://bugs.gentoo.org.
86
87	License
88	=======
89
90	Copyright 2017 Gentoo Foundation, Inc; referenced text
91	belongs to its owner(s).
92
93	The contents of this document are licensed under the
94	Creative Commons - Attribution / Share Alike license.
95
96	http://creativecommons.org/licenses/by-sa/2.5