oss-sec mailing list archives
subscription-manager: CVE-2017-2663 unsafe dbus interface
From: Cedric Buissart <cbuissar () redhat com>
Date: Tue, 21 Mar 2017 20:34:17 +0100
Hi,

CVE-2017-2663 has been assigned for the following issue:

Subscription-manager's new DBus interface provides methods that can be used for malicious usage. It allows an unprivileged local user to have access to information known to root only, and/or to modify the subscription-manager configuration file, allowing, for example, privilege escalation.

-> Upstream patch:
* Lock down Facts object to be accessible to root only.
  https://github.com/candlepin/subscription-manager/commit/882bb587a

-> Followed by this one:
* 1434094: Deny D-BUS Config.Set from non-root
  https://github.com/candlepin/subscription-manager/commit/afa0f7afee

Affected versions: from subscription-manager-1.19.0-1 (information disclosure) & subscription-manager-1.19.3-1 (configuration modification)

Fixed version: subscription-manager-1.19.4-1

Thanks,
--
Cedric Buissart, Product Security
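The root-only check that the two upstream commits add to the Facts and Config.Set methods, modelled as an added example (not subscription-manager's own code): the service resolves the caller's Unix UID from the bus daemon instead of trusting the request, and fails closed when it cannot. The UID lookup is injected as a callable so it runs offline, and the method names GetFacts/ConfigSet and the bus-name table are hypothetical.

```python
"""Added example, not subscription-manager's own code.

A D-Bus method exposed on the system bus is reachable by every local
user; authorization has to happen inside the handler.  The fix modelled
here asks the bus daemon which Unix UID owns the sending connection
(org.freedesktop.DBus.GetConnectionUnixUser) and refuses anything that
is not UID 0.  The lookup is injected so the logic is testable offline."""
import platform

ROOT_UID = 0


class AccessDenied(PermissionError):
    """Raised when a non-root caller invokes a privileged method."""


class PrivilegedService:
    def __init__(self, lookup_uid, config=None):
        # lookup_uid(sender_bus_name) -> uid.  In a dbus-python service this
        # wraps GetConnectionUnixUser on org.freedesktop.DBus, and `sender` is
        # supplied by the bus via @dbus.service.method(..., sender_keyword="sender"),
        # never taken from an argument the client controls.
        self._lookup_uid = lookup_uid
        self.config = dict(config or {})

    def _require_root(self, sender):
        try:
            uid = self._lookup_uid(sender)
        except Exception as exc:
            # Unknown or vanished connection: fail closed rather than guess.
            raise AccessDenied(f"cannot resolve caller {sender!r}: {exc}") from exc
        if uid != ROOT_UID:
            raise AccessDenied(f"caller {sender} (uid {uid}) is not root")
        return uid

    def GetFacts(self, sender):
        """Facts only root should see (the information-disclosure half)."""
        self._require_root(sender)
        return {"uname.machine": platform.machine(), "config.keys": sorted(self.config)}

    def ConfigSet(self, section, key, value, sender):
        """Write a config value (the Config.Set half); rejected unless root."""
        self._require_root(sender)
        self.config[f"{section}.{key}"] = value
        return True


# Constructed stand-in for the bus daemon's connection -> uid table.
FAKE_BUS_UIDS = {":1.7": 0, ":1.42": 1000}


def lookup_uid_fake(sender):
    return FAKE_BUS_UIDS[sender]  # KeyError for connections the bus does not know
```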