List: oss-security
Subject: [oss-security] subscription-manager: CVE-2017-2663 unsafe dbus interface
From: Cedric Buissart <cbuissar () redhat ! com>
Date: 2017-03-21 19:34:17
Message-ID: CAKG8Do5JY9-nP-Fqecf8dfPCO8A_ruz2Ff578thrvwYQ_D8=1A () mail ! gmail ! com
Hi,
CVE-2017-2663 has been assigned for the following issue:
Subscription-manager's new DBus interface exposes methods that can be misused.
It allows an unprivileged local user to access information that should be
known to root only, and/or to modify the subscription-manager configuration
file, which allows, for example, privilege escalation.
-> Upstream patch:
* Lock down Facts object to be accessible to root only.
https://github.com/candlepin/subscription-manager/commit/882bb587a
-> Followed by this one:
* 1434094: Deny D-BUS Config.Set from non-root
https://github.com/candlepin/subscription-manager/commit/afa0f7afee
Affected versions: from subscription-manager-1.19.0-1 (information
disclosure) & subscription-manager-1.19.3-1 (configuration modification)
Fixed version: subscription-manager-1.19.4-1
Thanks,
--
Cedric Buissart,
Product Security
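One way to implement the root-only gate that the upstream patches describe, as an added example that is not subscription-manager's own code: the caller's UID is resolved through the bus daemon rather than taken from the request, and any failure to resolve it is a denial. The class, method and setting names are placeholders.

```python
"""Added example (not subscription-manager's own code): a root-only gate for a
privileged D-Bus method.  A system-bus service must not trust anything in the
request body; it asks the bus daemon which Unix UID owns the caller's unique
name (org.freedesktop.DBus.GetConnectionUnixUser) and fails closed on error."""
ROOT_UID = 0


def caller_uid_from_bus(bus, sender):
    """Resolve the caller's unique bus name (e.g. ':1.42') to its Unix UID.
    `bus` is a dbus.SystemBus(); with dbus-python a handler receives the
    sender via @dbus.service.method(..., sender_keyword="sender")."""
    daemon = bus.get_object("org.freedesktop.DBus", "/org/freedesktop/DBus")
    return int(daemon.GetConnectionUnixUser(sender, dbus_interface="org.freedesktop.DBus"))


def authorize_root_only(method, sender, lookup_uid):
    """Return (allowed, audit_line).  lookup_uid maps sender -> uid and is
    normally functools.partial(caller_uid_from_bus, bus); any failure denies."""
    try:
        uid = int(lookup_uid(sender))
    except Exception as exc:  # name vanished, daemon error, bad lookup: fail closed
        return False, f"{method}: deny, cannot resolve caller {sender}: {exc}"
    if uid != ROOT_UID:
        return False, f"{method}: deny, uid {uid} is not root (sender {sender})"
    return True, f"{method}: allow, caller {sender} is root"


class ConfigService:
    """Stand-in for a configuration object exported on the system bus; the
    name 'Config.Set' echoes the advisory and is not the project's real API."""

    def __init__(self, lookup_uid):
        self.lookup_uid = lookup_uid
        self.settings = {}
        self.audit = []  # one line per decision, allow or deny

    def Set(self, key, value, sender):
        # Authorize before touching state; the audit line is kept either way.
        allowed, line = authorize_root_only("Config.Set", sender, self.lookup_uid)
        self.audit.append(line)
        if not allowed:
            raise PermissionError(line)
        self.settings[key] = value
        return True
```

With a real bus, construct the service as `ConfigService(functools.partial(caller_uid_from_bus, dbus.SystemBus()))`; a constructed lookup such as `lambda s: {":1.7": 0, ":1.9": 1000}[s]` exercises the same policy offline.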