Bug 2492256 (CVE-2026-58015) - CVE-2026-58015 glib: path traversal in glib/gio/gdbusauthmechanismsha1.c via keyring_lookup_entry and mechanism_client_data_receive
Summary: CVE-2026-58015 glib: path traversal in glib/gio/gdbusauthmechanismsha1.c via ...
Keywords:
Status: NEW
Alias: CVE-2026-58015
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2494882 2494884 2494883
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-24 17:28 UTC by OSIDB Bzimport
Modified: 2026-06-30 13:02 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-24 17:28:24 UTC
The GLib D-Bus client-side implementation of the DBUS_COOKIE_SHA1 SASL authentication mechanism does not validate the cookie_context parameter received from the server. The D-Bus specification explicitly states that cookie context names must not contain the characters /, \, . (period), spaces, or ASCII control characters. However, GLib's client-side code accepts this value verbatim and uses it to construct a filesystem path via g_build_filename(). A malicious D-Bus server can supply a cookie_context containing path traversal sequences such as ../.target_file, causing the client to read an arbitrary file outside the ~/.dbus-keyrings/ directory. The file contents (specifically the third space-separated token of the first matching line) are then incorporated into a SHA1 hash computation and sent back to the server as part of the authentication response. The server can verify guessed file contents against this SHA1 hash, enabling data exfiltration.


Note You need to log in before you can comment on or make changes to this bug.