
Test ID: 1.3.6.1.4.1.25623.1.0.870830
Category: Red Hat Local Security Checks
Title: RedHat Update for dbus RHSA-2012:1261-01
Summary: The remote host is missing an update for the 'dbus' package(s) announced via the referenced advisory.

Description:

Vulnerability Insight:
D-Bus is a system for sending messages between applications. It is used for
the system-wide message bus service and as a per-user-login-session
messaging facility.

It was discovered that the D-Bus library honored environment settings even
when running with elevated privileges. A local attacker could possibly use
this flaw to escalate their privileges, by setting specific environment
variables before running a setuid or setgid application linked against the
D-Bus library (libdbus). (CVE-2012-3524)

Note: With this update, libdbus ignores environment variables when used by
setuid or setgid applications. The environment is not ignored when an
application gains privileges via file system capabilities. However, no
application shipped in Red Hat Enterprise Linux 6 gains privileges via file
system capabilities.

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for
reporting this issue.

All users are advised to upgrade to these updated packages, which contain a
backported patch to correct this issue. For the update to take effect, all
running instances of dbus-daemon and all running applications using the
libdbus library must be restarted, or the system rebooted.

Affected Software/OS:
dbus on Red Hat Enterprise Linux Desktop (v. 6),
Red Hat Enterprise Linux Server (v. 6),
Red Hat Enterprise Linux Workstation (v. 6)

Solution:
Please install the updated packages.

CVSS Score:
6.9

CVSS Vector:
AV:L/AC:M/Au:N/C:C/I:C/A:C

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2012-3524
BugTraq ID: 55517
http://www.securityfocus.com/bid/55517
http://www.exploit-db.com/exploits/21323
http://www.mandriva.com/security/advisories?name=MDVSA-2013:070
http://www.mandriva.com/security/advisories?name=MDVSA-2013:083
http://stealth.openwall.net/null/dzug.c
https://bugzilla.novell.com/show_bug.cgi?id=697105
https://bugzilla.redhat.com/show_bug.cgi?id=847402
http://www.openwall.com/lists/oss-security/2012/07/10/4
http://www.openwall.com/lists/oss-security/2012/07/26/1
http://www.openwall.com/lists/oss-security/2012/09/12/6
http://www.openwall.com/lists/oss-security/2012/09/14/2
http://www.openwall.com/lists/oss-security/2012/09/17/2
RedHat Security Advisories: RHSA-2012:1261
http://rhn.redhat.com/errata/RHSA-2012-1261.html
http://secunia.com/advisories/50537
http://secunia.com/advisories/50544
http://secunia.com/advisories/50710
SuSE Security Announcement: SUSE-SU-2012:1155
http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00009.html
SuSE Security Announcement: SUSE-SU-2012:1155-2
http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00015.html
SuSE Security Announcement: openSUSE-SU-2012:1287
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00000.html
SuSE Security Announcement: openSUSE-SU-2012:1418
http://lists.opensuse.org/opensuse-updates/2012-10/msg00094.html
http://www.ubuntu.com/usn/USN-1576-1
http://www.ubuntu.com/usn/USN-1576-2
Copyright: Copyright (c) 2012 Greenbone Networks GmbH
