
List:       oss-security
Subject:    [oss-security] subscription-manager: CVE-2017-2663 unsafe dbus interface
From:       Cedric Buissart <cbuissar () redhat ! com>
Date:       2017-03-21 19:34:17
Message-ID: CAKG8Do5JY9-nP-Fqecf8dfPCO8A_ruz2Ff578thrvwYQ_D8=1A () mail ! gmail ! com


Hi,

CVE-2017-2663 has been assigned for the following issue:

Subscription-manager's new DBus interface provides methods that can be used
for malicious usage. It allows an unprivileged local user to have access to
information known to root only, and/or to modify the subscription-manager
configuration file, allowing, for example, privilege escalation.

-> Upstream patch:
 * Lock down Facts object to be accessible to root only.
https://github.com/candlepin/subscription-manager/commit/882bb587a
-> Followed by this one:
 * 1434094: Deny D-BUS Config.Set from non-root
https://github.com/candlepin/subscription-manager/commit/afa0f7afee

Affected versions: from subscription-manager-1.19.0-1 (information
disclosure) and subscription-manager-1.19.3-1 (configuration modification)

Fixed version: subscription-manager-1.19.4-1


Thanks,

-- 
Cedric Buissart,
Product Security
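
The two upstream commits above share one shape: a D-Bus method that used to
run for any local caller now asks who the caller is and refuses non-root.
The following is an added example (not code from the mail or from the
subscription-manager project) of how a D-Bus service implements that check.
The service and method names (Facts.GetFacts, Config.Get, Config.Set) are
modelled on the commit titles, not copied from the project's interface; the
FAKE_BUS table and sample facts/config values are constructed so the logic
runs without a bus; the uid_from_bus() helper shows the real dbus-python call
but is not exercised offline.

```python
"""Per-caller authorization for D-Bus methods, in the shape of the
subscription-manager fix for CVE-2017-2663 (root-only Facts, root-only Config.Set).

A D-Bus handler learns nothing trustworthy about the caller from the message
arguments; it must ask the bus daemon who owns the sender's unique connection
name via org.freedesktop.DBus.GetConnectionUnixUser.  Calling os.getuid() in the
handler is the classic mistake: that is the service's own UID (root), not the
caller's.  The UID lookup is injectable so the check can run without a bus.
"""
from typing import Any, Callable, Dict

# Maps a unique connection name such as ":1.42" to the Unix UID that owns it.
UidResolver = Callable[[str], int]


class AccessDenied(PermissionError):
    """Surfaces to the caller as a D-Bus error instead of performing the action."""


def uid_from_bus(bus: Any, sender: str) -> int:
    """Production resolver for dbus-python (needs a live bus; not run offline)."""
    daemon = bus.get_object("org.freedesktop.DBus", "/org/freedesktop/DBus")
    return int(daemon.GetConnectionUnixUser(sender, dbus_interface="org.freedesktop.DBus"))


class RootOnlyMixin:
    """Privileged methods call _require_root(sender) before doing anything.

    With dbus-python the bus injects the sender when a handler is declared as
    @dbus.service.method(IFACE, sender_keyword="sender"); here it is a plain
    keyword argument so the check can be driven directly.
    """

    def __init__(self, resolve_uid: UidResolver) -> None:
        self._resolve_uid = resolve_uid

    def _require_root(self, sender: str, what: str) -> None:
        try:
            uid = self._resolve_uid(sender)
        except Exception as exc:  # sender vanished or bus error: fail closed
            raise AccessDenied(f"{what}: cannot identify caller {sender}: {exc}") from exc
        if uid != 0:
            raise AccessDenied(f"{what}: denied for uid {uid} (sender {sender})")


class Facts(RootOnlyMixin):
    """Information-disclosure side: the facts blob is readable by root only."""

    def __init__(self, resolve_uid: UidResolver, facts: Dict[str, str]) -> None:
        super().__init__(resolve_uid)
        self._facts = dict(facts)

    def GetFacts(self, *, sender: str) -> Dict[str, str]:
        self._require_root(sender, "Facts.GetFacts")
        return dict(self._facts)


class Config(RootOnlyMixin):
    """Configuration side: Set is root-only.  Get is left open only to show the
    contrast (an assumption of this example, not a statement about the project);
    a real service must also decide whether the values Get returns are sensitive."""

    def __init__(self, resolve_uid: UidResolver, config: Dict[str, str]) -> None:
        super().__init__(resolve_uid)
        self._config = dict(config)

    def Get(self, key: str, *, sender: str) -> str:
        return self._config[key]

    def Set(self, key: str, value: str, *, sender: str) -> None:
        self._require_root(sender, "Config.Set")
        self._config[key] = value


# Constructed stand-in for the bus daemon's view: unique name -> owning UID.
FAKE_BUS: Dict[str, int] = {":1.42": 0, ":1.57": 1000}


def fake_resolver(sender: str) -> int:
    return FAKE_BUS[sender]  # KeyError for an unknown sender -> denied above


def demo() -> Dict[str, str]:
    """Drive both services as root (:1.42), a normal user (:1.57) and a stale name."""
    facts = Facts(fake_resolver, {"uname.machine": "x86_64"})  # constructed sample
    config = Config(fake_resolver, {"server.hostname": "example.invalid"})
    outcome: Dict[str, str] = {}

    def attempt(label: str, fn: Callable[[], Any]) -> None:
        try:
            fn()
            outcome[label] = "allowed"
        except AccessDenied:
            outcome[label] = "denied"

    attempt("root GetFacts", lambda: facts.GetFacts(sender=":1.42"))
    attempt("user GetFacts", lambda: facts.GetFacts(sender=":1.57"))
    attempt("user Config.Get", lambda: config.Get("server.hostname", sender=":1.57"))
    attempt("user Config.Set", lambda: config.Set("server.hostname", "evil.invalid", sender=":1.57"))
    attempt("stale-name Config.Set", lambda: config.Set("server.hostname", "x", sender=":1.99"))
    attempt("root Config.Set", lambda: config.Set("server.hostname", "ok.invalid", sender=":1.42"))
    outcome["final hostname"] = config.Get("server.hostname", sender=":1.42")
    return outcome


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:22s} {result}")
```

Two points the advisory's fix depends on and the example makes explicit: the
identity comes from the bus daemon (the only party that knows which process
owns a connection), never from anything the client sends; and a failed lookup
(the sender's name has already disappeared, or the daemon call errors) is
treated as a denial rather than a pass.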

