Bug 2279632 (CVE-2024-34397) - CVE-2024-34397 glib2: Signal subscription vulnerabilities
Summary: CVE-2024-34397 glib2: Signal subscription vulnerabilities
Keywords:
Status: NEW
Alias: CVE-2024-34397
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance (priority / severity): medium / medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2279637 2279638 2279639 2279640 2279641 2279642
Blocks: 2279633
Reported: 2024-05-07 19:59 UTC by Zack Miele
Modified: 2024-10-04 23:53 UTC (History)
CC: 38 users

Fixed In Version: glib 2.78.5, glib 2.80.1, glib 2.81.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in GNOME GLib. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This issue could lead to the GDBus-based client behaving incorrectly with an application-dependent impact.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2024:6472 | 0 | None | None | None | 2024-09-09 05:47:33 UTC
Red Hat Product Errata | RHBA-2024:6475 | 0 | None | None | None | 2024-09-09 06:21:57 UTC
Red Hat Product Errata | RHBA-2024:6504 | 0 | None | None | None | 2024-09-09 16:06:32 UTC
Red Hat Product Errata | RHBA-2024:6513 | 0 | None | None | None | 2024-09-09 18:41:56 UTC
Red Hat Product Errata | RHBA-2024:6539 | 0 | None | None | None | 2024-09-10 15:34:36 UTC
Red Hat Product Errata | RHBA-2024:6541 | 0 | None | None | None | 2024-09-10 14:41:37 UTC
Red Hat Product Errata | RHBA-2024:6542 | 0 | None | None | None | 2024-09-10 14:42:01 UTC
Red Hat Product Errata | RHBA-2024:6543 | 0 | None | None | None | 2024-09-10 14:42:44 UTC
Red Hat Product Errata | RHBA-2024:6544 | 0 | None | None | None | 2024-09-10 14:44:55 UTC
Red Hat Product Errata | RHBA-2024:6546 | 0 | None | None | None | 2024-09-10 14:44:21 UTC
Red Hat Product Errata | RHBA-2024:6605 | 0 | None | None | None | 2024-09-11 14:45:31 UTC
Red Hat Product Errata | RHBA-2024:6651 | 0 | None | None | None | 2024-09-12 14:37:57 UTC
Red Hat Product Errata | RHBA-2024:6696 | 0 | None | None | None | 2024-09-16 14:05:34 UTC
Red Hat Product Errata | RHBA-2024:6724 | 0 | None | None | None | 2024-09-17 11:26:59 UTC
Red Hat Product Errata | RHBA-2024:6750 | 0 | None | None | None | 2024-09-18 06:51:37 UTC
Red Hat Product Errata | RHBA-2024:6828 | 0 | None | None | None | 2024-09-19 07:45:49 UTC
Red Hat Product Errata | RHBA-2024:6856 | 0 | None | None | None | 2024-09-19 14:04:40 UTC
Red Hat Product Errata | RHBA-2024:6858 | 0 | None | None | None | 2024-09-19 14:13:40 UTC
Red Hat Product Errata | RHBA-2024:6859 | 0 | None | None | None | 2024-09-19 14:12:21 UTC
Red Hat Product Errata | RHBA-2024:6860 | 0 | None | None | None | 2024-09-19 14:19:29 UTC
Red Hat Product Errata | RHBA-2024:6861 | 0 | None | None | None | 2024-09-19 14:26:16 UTC
Red Hat Product Errata | RHBA-2024:6863 | 0 | None | None | None | 2024-09-19 14:20:04 UTC
Red Hat Product Errata | RHBA-2024:7048 | 0 | None | None | None | 2024-09-24 11:59:38 UTC
Red Hat Product Errata | RHBA-2024:7080 | 0 | None | None | None | 2024-09-24 19:44:17 UTC
Red Hat Product Errata | RHSA-2024:6464 | 0 | None | None | None | 2024-09-09 02:18:15 UTC
Red Hat Product Errata | RHSA-2024:7213 | 0 | None | None | None | 2024-09-26 13:28:47 UTC
Red Hat Product Errata | RHSA-2024:7374 | 0 | None | None | None | 2024-09-30 10:26:12 UTC

Description Zack Miele 2024-05-07 19:59:58 UTC
An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.

Comment 1 Zack Miele 2024-05-07 20:06:57 UTC
Created glib2 tracking bugs for this issue:

Affects: fedora-38 [bug 2279638]
Affects: fedora-39 [bug 2279640]
Affects: fedora-40 [bug 2279637]


Created mingw-glib2 tracking bugs for this issue:

Affects: fedora-38 [bug 2279639]
Affects: fedora-39 [bug 2279641]
Affects: fedora-40 [bug 2279642]

Comment 5 errata-xmlrpc 2024-09-09 02:18:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6464 https://access.redhat.com/errata/RHSA-2024:6464

Comment 6 errata-xmlrpc 2024-09-26 13:28:44 UTC
This issue has been addressed in the following products:

  Service Interconnect 1.4 for RHEL 9

Via RHSA-2024:7213 https://access.redhat.com/errata/RHSA-2024:7213

Comment 7 errata-xmlrpc 2024-09-30 10:26:10 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 9

Via RHSA-2024:7374 https://access.redhat.com/errata/RHSA-2024:7374
