An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.
Weakness
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Glib | Gnome | * | 2.78.5 (excluding) |
| Glib | Gnome | 2.79.0 (including) | 2.80.1 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | glib2-0:2.56.4-166.el8_10 | * |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | glib2-0:2.56.4-8.el8_2.2 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | glib2-0:2.56.4-10.el8_4.2 | * |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | RedHat | glib2-0:2.56.4-10.el8_4.2 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | glib2-0:2.56.4-158.el8_6.2 | * |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | glib2-0:2.56.4-158.el8_6.2 | * |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | glib2-0:2.56.4-158.el8_6.2 | * |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | RedHat | glib2-0:2.56.4-162.el8_8 | * |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | RedHat | glib2-0:2.56.4-162.el8_8 | * |
| Red Hat Enterprise Linux 9 | RedHat | rhel9/toolbox:9.4-12.1725906880 | * |
| Red Hat Enterprise Linux 9 | RedHat | ubi9/toolbox:9.4-12.1725906880 | * |
| Red Hat Enterprise Linux 9 | RedHat | glib2-0:2.68.4-14.el9_4.1 | * |
| Red Hat Enterprise Linux 9 | RedHat | mingw-glib2-0:2.78.6-1.el9 | * |
| Red Hat Enterprise Linux 9 | RedHat | glib2-0:2.68.4-14.el9_4.1 | * |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | RedHat | glib2-0:2.68.4-7.el9_2 | * |
| Service Interconnect 1.4 for RHEL 9 | RedHat | service-interconnect/skupper-config-sync-rhel9:1.4.7-3 | * |
| Service Interconnect 1.4 for RHEL 9 | RedHat | service-interconnect/skupper-flow-collector-rhel9:1.4.7-3 | * |
| Service Interconnect 1.4 for RHEL 9 | RedHat | service-interconnect/skupper-operator-bundle:1.4.7-4 | * |
| Service Interconnect 1.4 for RHEL 9 | RedHat | service-interconnect/skupper-router-rhel9:2.4.3-7 | * |
| Service Interconnect 1.4 for RHEL 9 | RedHat | service-interconnect/skupper-service-controller-rhel9:1.4.7-3 | * |
| Service Interconnect 1.4 for RHEL 9 | RedHat | service-interconnect/skupper-site-controller-rhel9:1.4.7-3 | * |
| Service Interconnect 1.4 for RHEL 9 | RedHat | service-interconnect/skupper-config-sync-rhel9:1.4.7-2 | * |
| Service Interconnect 1.4 for RHEL 9 | RedHat | service-interconnect/skupper-flow-collector-rhel9:1.4.7-2 | * |
| Service Interconnect 1.4 for RHEL 9 | RedHat | service-interconnect/skupper-operator-bundle:1.4.7-2 | * |
| Service Interconnect 1.4 for RHEL 9 | RedHat | service-interconnect/skupper-router-rhel9:2.4.3-6 | * |
| Service Interconnect 1.4 for RHEL 9 | RedHat | service-interconnect/skupper-service-controller-rhel9:1.4.7-2 | * |
| Service Interconnect 1.4 for RHEL 9 | RedHat | service-interconnect/skupper-site-controller-rhel9:1.4.7-2 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-config-sync-rhel9:1.5.5-4 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-controller-podman-container-rhel9:1.5.5-4 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-controller-podman-rhel9:1.5.5-4 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-flow-collector-rhel9:1.5.5-4 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-operator-bundle:1.5.5-4 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-router-rhel9:2.5.3-6 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-service-controller-rhel9:1.5.5-4 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-site-controller-rhel9:1.5.5-4 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-config-sync-rhel9:1.5.5-3 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-controller-podman-container-rhel9:1.5.5-3 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-controller-podman-rhel9:1.5.5-3 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-flow-collector-rhel9:1.5.5-3 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-operator-bundle:1.5.5-3 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-router-rhel9:2.5.3-5 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-service-controller-rhel9:1.5.5-3 | * |
| Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-site-controller-rhel9:1.5.5-3 | * |
| Red Hat OpenShift distributed tracing 3.6.0 | RedHat | rhosdt/jaeger-agent-rhel8:sha256:a891aa3f77d70d9d7966dfc71ff9087f45deb95d3025072da96a3ec5220db1f3 | * |
| Red Hat OpenShift distributed tracing 3.6.0 | RedHat | rhosdt/jaeger-all-in-one-rhel8:sha256:3b00e2fec645e140fa304e5823bcb1d0fcd1ddac7f4cbf6e9a9c0fbeaf29682d | * |
| Red Hat OpenShift distributed tracing 3.6.0 | RedHat | rhosdt/jaeger-collector-rhel8:sha256:a15009fde9c0a63168d82fb07363d2c6ce05f2096dc1a9992a09fe1d76bcf4a7 | * |
| Red Hat OpenShift distributed tracing 3.6.0 | RedHat | rhosdt/jaeger-es-index-cleaner-rhel8:sha256:3d98512aaa924e0e1c9f3b5ab6b405cb4f4a3f3b5225aefa54f1b2abfbe3d769 | * |
| Red Hat OpenShift distributed tracing 3.6.0 | RedHat | rhosdt/jaeger-es-rollover-rhel8:sha256:fe1c8fe5bdc4114a4718812d718fc6b913465e23fd39cf6aa05acb352bd80874 | * |
| Red Hat OpenShift distributed tracing 3.6.0 | RedHat | rhosdt/jaeger-ingester-rhel8:sha256:2e6d535aa3208ca8ae1bc588393c8bc499c4bfb452aceca047523502ddffa0ed | * |
| Red Hat OpenShift distributed tracing 3.6.0 | RedHat | rhosdt/jaeger-operator-bundle:sha256:be3feca3b19ac609e5ef829887b6d03ca3c504163ed0f9e10b2410cdfb175b72 | * |
| Red Hat OpenShift distributed tracing 3.6.0 | RedHat | rhosdt/jaeger-query-rhel8:sha256:8fce6e29d98acc1dd0a832cdb5c913af3edd65b81b2968fbdbf8ab434d82fe1e | * |
| Red Hat OpenShift distributed tracing 3.6.0 | RedHat | rhosdt/jaeger-rhel8-operator:sha256:6f3b7f23a515ac140bdad844d60d96fecc79835a75b1d29a70f66df737f1b50c | * |
| Glib2.0 | Ubuntu | devel | * |
| Glib2.0 | Ubuntu | esm-infra/focal | * |
| Glib2.0 | Ubuntu | focal | * |
| Glib2.0 | Ubuntu | jammy | * |
| Glib2.0 | Ubuntu | mantic | * |
| Glib2.0 | Ubuntu | noble | * |
| Glib2.0 | Ubuntu | oracular | * |
| Glib2.0 | Ubuntu | plucky | * |
| Glib2.0 | Ubuntu | questing | * |
| Glib2.0 | Ubuntu | trusty/esm | * |
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/21.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/459.html
- https://cwe.mitre.org/data/definitions/461.html
- https://cwe.mitre.org/data/definitions/473.html
- https://cwe.mitre.org/data/definitions/476.html
- https://cwe.mitre.org/data/definitions/59.html
- https://cwe.mitre.org/data/definitions/60.html
- https://cwe.mitre.org/data/definitions/667.html
- https://cwe.mitre.org/data/definitions/94.html
References
- https://gitlab.gnome.org/GNOME/glib/-/issues/3268
- https://lists.debian.org/debian-lts-announce/2024/05/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IRSFYAE5X23TNRWX7ZWEJOMISLCDSYNS/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCDY3KA7G7D3DRXYTT46K6LFHS2KHWBH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LL6HSJDXCXMLEIJBYV6CPOR4K2NTCTXW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UNFJHISR4O6VFOHBFWH5I5WWMG37H63A/
- https://security.netapp.com/advisory/ntap-20240531-0008/
- https://www.openwall.com/lists/oss-security/2024/05/07/5
- https://gitlab.gnome.org/GNOME/glib/-/issues/3268
- https://lists.debian.org/debian-lts-announce/2024/05/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IRSFYAE5X23TNRWX7ZWEJOMISLCDSYNS/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCDY3KA7G7D3DRXYTT46K6LFHS2KHWBH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LL6HSJDXCXMLEIJBYV6CPOR4K2NTCTXW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UNFJHISR4O6VFOHBFWH5I5WWMG37H63A/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IRSFYAE5X23TNRWX7ZWEJOMISLCDSYNS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LCDY3KA7G7D3DRXYTT46K6LFHS2KHWBH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LL6HSJDXCXMLEIJBYV6CPOR4K2NTCTXW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UNFJHISR4O6VFOHBFWH5I5WWMG37H63A/
- https://security.netapp.com/advisory/ntap-20240531-0008/
- https://www.openwall.com/lists/oss-security/2024/05/07/5