Your message dated Mon, 18 Feb 2013 17:47:05 +0000
with message-id <e1u7unx-0005vt...@franck.debian.org>
and subject line Bug#700638: fixed in dbus-glib 0.88-2.1+squeeze1
has caused the Debian Bug report #700638,
regarding CVE-2013-0292: authentication bypass due to insufficient checks in dbus-glib < 0.100.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
700638: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700638
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: libdbus-glib-1-2
Version: 0.100-1
Severity: critical
Tags: upstream patch security
Justification: root security hole
Control: fixed -1 0.100.1-1

Sebastian Krahmer discovered and published an authentication bypass
vulnerability in pam_fprintd, caused by a bug in dbus-glib. It is
possible that other users of dbus-glib can be exploited in the same
way. CVE-2013-0292 has been allocated for this vulnerability.

I've just released 0.100.1 upstream and uploaded it to unstable: fixing
this was the only change.

pam_fprintd is not present in stable or oldstable, but I'll check whether
this bug was present in those versions of dbus-glib, in case there are other
exploitation vectors.

    S

- -- System Information:
Debian Release: 7.0
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libdbus-glib-1-2 depends on:
ii  libc6              2.13-38
ii  libdbus-1-3        1.6.8-1
ii  libglib2.0-0       2.33.12+really2.32.4-5
ii  multiarch-support  2.13-38

libdbus-glib-1-2 recommends no packages.

libdbus-glib-1-2 suggests no packages.

- -- no debconf information
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
Source: dbus-glib
Source-Version: 0.88-2.1+squeeze1

We believe that the bug you reported is fixed in the latest version of
dbus-glib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated dbus-glib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 15 Feb 2013 17:58:34 +0000
Source: dbus-glib
Binary: libdbus-glib-1-dev libdbus-glib-1-2 libdbus-glib-1-doc libdbus-glib-1-2-dbg
Architecture: source all amd64
Version: 0.88-2.1+squeeze1
Distribution: stable
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Description: 
 libdbus-glib-1-2 - simple interprocess messaging system (GLib-based shared library)
 libdbus-glib-1-2-dbg - simple interprocess messaging system (GLib library debug symbols)
 libdbus-glib-1-dev - simple interprocess messaging system (GLib interface)
 libdbus-glib-1-doc - simple interprocess messaging system (GLib library documentation)
Closes: 700638
Changes: 
 dbus-glib (0.88-2.1+squeeze1) stable; urgency=low
 .
   * Apply patch from upstream 0.100.1 to fix insufficient checking
     leading to authentication bypass in pam_fprintd (CVE-2013-0292)
     (Closes: #700638)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
