Subscription-manager's new D-Bus interface allows an unprivileged local user to read information that should be available to root only, and/or to modify the subscription-manager configuration file. An attacker could use this flaw to escalate their privileges or to gain access to private information. Commit enabling the D-Bus interface (subscription-manager-1.19.0): https://github.com/candlepin/subscription-manager/commit/2aa48ef65
Required patches:
* Lock down Facts object to be accessible to root only. https://github.com/candlepin/subscription-manager/commit/882bb587a
* 1434094: Deny D-BUS Config.Set from non-root https://github.com/candlepin/subscription-manager/commit/afa0f7afee
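The pattern behind the second patch, shown as an added example rather than subscription-manager's own code: a D-Bus method handler must ask the bus daemon for the caller's UID (the sender name is assigned by the bus and cannot be forged by the client) and refuse state-changing calls from anyone but root. The bus name, object path, interface and config key below are assumptions, not taken from the advisory.

```python
# Added illustration of a root-only gate on a D-Bus Set method.
# Assumed names (not from the advisory): com.redhat.RHSM1 bus name,
# /com/redhat/RHSM1/Config object, com.redhat.RHSM1.Config interface.
try:
    import dbus
    import dbus.service
except ImportError:  # policy helper below stays usable without dbus-python
    dbus = None

BUS_NAME = "com.redhat.RHSM1"
OBJECT_PATH = "/com/redhat/RHSM1/Config"
INTERFACE = "com.redhat.RHSM1.Config"

# Methods that change state or expose root-only data. Get stays world-readable,
# matching the fix: deny Set from non-root without breaking read access.
ROOT_ONLY_METHODS = frozenset({"Set"})


def caller_may_call(method, caller_uid):
    """Policy decision: root-only methods require uid 0, others are open.

    Returns (allowed, reason) so a denial can be logged with context."""
    if method in ROOT_ONLY_METHODS and caller_uid != 0:
        return False, "%s.%s requires uid 0, caller is uid %d" % (
            INTERFACE, method, caller_uid)
    return True, "ok"


if dbus is not None:
    class Config(dbus.service.Object):
        def __init__(self, bus):
            super().__init__(dbus.service.BusName(BUS_NAME, bus), OBJECT_PATH)
            self.bus = bus
            self.values = {"server.hostname": "rhsm.example.invalid"}  # constructed

        def _check(self, method, sender):
            # GetConnectionUnixUser via the bus daemon: authoritative, unlike
            # anything the client puts in the message body.
            allowed, why = caller_may_call(method, self.bus.get_unix_user(sender))
            if not allowed:
                raise dbus.exceptions.DBusException(why)

        @dbus.service.method(INTERFACE, in_signature="s", out_signature="s",
                             sender_keyword="sender")
        def Get(self, key, sender=None):
            self._check("Get", sender)
            return self.values.get(key, "")

        @dbus.service.method(INTERFACE, in_signature="ss", out_signature="",
                             sender_keyword="sender")
        def Set(self, key, value, sender=None):
            self._check("Set", sender)
            self.values[key] = value
```

To export the object, instantiate `Config(dbus.SystemBus())` under a GLib main loop; a system-bus policy file must additionally allow the service to own the assumed bus name.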
Created subscription-manager tracking bugs for this issue: Affects: fedora-all [bug 1434493]
Statement: This issue did not affect the versions of subscription-manager as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include support for the DBus interface.
Acknowledgments: Name: Cedric Buissart (Red Hat)