oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

subscription-manager: CVE-2017-2663 unsafe dbus interface

From: Cedric Buissart <cbuissar () redhat com>
Date: Tue, 21 Mar 2017 20:34:17 +0100
Hi,

CVE-2017-2663 has been assigned for the following issue :

Subscription-manager's new DBus interface provides methods that can be used
for malicious usage. It allows an unprivileged local user to have access to
information known to root only, and/or to modify subscription-manager
configuration file, allowing, for example, privilege escalation.

-> Upstream patch :
 * Lock down Facts object to be accessible to root only.
https://github.com/candlepin/subscription-manager/commit/882bb587a
-> Followed by this one :
 * 1434094: Deny D-BUS Config.Set from non-root
https://github.com/candlepin/subscription-manager/commit/afa0f7afee

Affected versions : from subscription-manager-1.19.0-1 (information
disclosure) & subscription-manager-1.19.3-1 (configuration modification)

Fixed version : subscription-manager-1.19.4-1


Thanks,

-- 
Cedric Buissart,
Product Security
Previous By Date Next
Previous By Thread Next

Current thread: