 
| Subject: | |
| From: | |
| Reply To: | |
| Date: | Fri, 14 Sep 2012 16:53:27 -0500 |
| Content-Type: | text/plain |
| Parts/Attachments: |
|
|
Synopsis: Moderate: dbus security update
Issue Date: 2012-09-13
CVE Numbers: CVE-2012-3524
It was discovered that the D-Bus library honored environment settings even
when running with elevated privileges. A local attacker could possibly use
this flaw to escalate their privileges, by setting specific environment
variables before running a setuid or setgid application linked against the
D-Bus library (libdbus). (CVE-2012-3524)
Note: With this update, libdbus ignores environment variables when used by
setuid or setgid applications. The environment is not ignored when an
application gains privileges via file system capabilities; however, no
application shipped in Red Hat Enterprise Linux 6 gains privileges via file
system capabilities.
We would like to thank Sebastian Krahmer of the SUSE Security Team for
reporting this issue.
For the update to take effect, all running instances of dbus-daemon and
all running applications using the libdbus library must be restarted,
or the system rebooted.
SL6
x86_64
dbus-1.2.24-7.el6_3.x86_64.rpm
dbus-libs-1.2.24-7.el6_3.i686.rpm
dbus-libs-1.2.24-7.el6_3.x86_64.rpm
dbus-x11-1.2.24-7.el6_3.x86_64.rpm
dbus-devel-1.2.24-7.el6_3.i686.rpm
dbus-devel-1.2.24-7.el6_3.x86_64.rpm
i386
dbus-1.2.24-7.el6_3.i686.rpm
dbus-libs-1.2.24-7.el6_3.i686.rpm
dbus-x11-1.2.24-7.el6_3.i686.rpm
dbus-devel-1.2.24-7.el6_3.i686.rpm
noarch
dbus-doc-1.2.24-7.el6_3.noarch.rpm
- Scientific Linux Development Team
|
|
|
