Security Advisory Moderate: dbus security update

Advisory: RHSA-2008:0159-3
Type: Security Advisory
Severity: Moderate
Issued on: 2008-02-27
Last updated on: 2008-02-27
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL: com.redhat.rhsa-20080159.xml
CVEs (cve.mitre.org): CVE-2008-0595

Details

Updated dbus packages that fix an issue with circumventing the security
policy are now available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

D-Bus is a system for sending messages between applications. It is used
both for the system-wide message bus service, and as a
per-user-login-session messaging facility.

Havoc Pennington discovered a flaw in the way the dbus-daemon applies its
security policy. A user with the ability to connect to the dbus-daemon may
be able to execute certain method calls they should normally not have
permission to access. (CVE-2008-0595)

Red Hat does not ship any applications in Red Hat Enterprise Linux 5 that
would allow a user to leverage this flaw to elevate their privileges.

This flaw does not affect the version of D-Bus shipped in Red Hat
Enterprise Linux 4.

All users are advised to upgrade to these updated dbus packages, which
contain a backported patch and are not vulnerable to this issue.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
IA-32:
dbus-devel-1.0.0-6.3.el5_1.i386.rpm
File outdated by:  RHBA-2008:0458		     2cf0e662fece89e7dbce8006f9e0b673
 
x86_64:
dbus-devel-1.0.0-6.3.el5_1.i386.rpm
File outdated by:  RHBA-2008:0458		     2cf0e662fece89e7dbce8006f9e0b673
dbus-devel-1.0.0-6.3.el5_1.x86_64.rpm
File outdated by:  RHBA-2008:0458		     f192dd3f3c0fc9030f9c290f43545345
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
dbus-1.0.0-6.3.el5_1.src.rpm
File outdated by:  RHBA-2008:0458		     76a2a62f6701ed1cf9ae281d53b9efff
 
IA-32:
dbus-1.0.0-6.3.el5_1.i386.rpm
File outdated by:  RHBA-2008:0458		     6cb69483368642ef2a3f37de76648fde
dbus-devel-1.0.0-6.3.el5_1.i386.rpm
File outdated by:  RHBA-2008:0458		     2cf0e662fece89e7dbce8006f9e0b673
dbus-x11-1.0.0-6.3.el5_1.i386.rpm
File outdated by:  RHBA-2008:0458		     5b2df2bfcbc0af1f710bc790d829db1b
 
IA-64:
dbus-1.0.0-6.3.el5_1.ia64.rpm
File outdated by:  RHBA-2008:0458		     f7e073ae8382b0bff9ce4d77bed09ac2
dbus-devel-1.0.0-6.3.el5_1.ia64.rpm
File outdated by:  RHBA-2008:0458		     834276b27edcc48ea634375e0bedb0f0
dbus-x11-1.0.0-6.3.el5_1.ia64.rpm
File outdated by:  RHBA-2008:0458		     6515681cb2a8b32d17f282847020be1b
 
PPC:
dbus-1.0.0-6.3.el5_1.ppc.rpm
File outdated by:  RHBA-2008:0458		     51d6f03c05af357409a0abec1bbe88d8
dbus-1.0.0-6.3.el5_1.ppc64.rpm
File outdated by:  RHBA-2008:0458		     b0f4b7c7ed076249477bef5f65e81136
dbus-devel-1.0.0-6.3.el5_1.ppc.rpm
File outdated by:  RHBA-2008:0458		     0cfe2166d621369b40eb467f0e1eca00
dbus-devel-1.0.0-6.3.el5_1.ppc64.rpm
File outdated by:  RHBA-2008:0458		     3f6300c9d39a0ce16556c6ed18724b86
dbus-x11-1.0.0-6.3.el5_1.ppc.rpm
File outdated by:  RHBA-2008:0458		     f67c90a248d8e96d93d1fa3f6b18e680
 
s390x:
dbus-1.0.0-6.3.el5_1.s390.rpm
File outdated by:  RHBA-2008:0458		     139319fc63412d33a9e8eb74ce60d34c
dbus-1.0.0-6.3.el5_1.s390x.rpm
File outdated by:  RHBA-2008:0458		     559492ebef39604d93e43ce8fe7cfd0e
dbus-devel-1.0.0-6.3.el5_1.s390.rpm
File outdated by:  RHBA-2008:0458		     4c24b73907c04afd6116141805662c78
dbus-devel-1.0.0-6.3.el5_1.s390x.rpm
File outdated by:  RHBA-2008:0458		     258897618002c62848d598dfced02727
dbus-x11-1.0.0-6.3.el5_1.s390x.rpm
File outdated by:  RHBA-2008:0458		     24ddffe0d36f3f69f535ec66c573eeed
 
x86_64:
dbus-1.0.0-6.3.el5_1.i386.rpm
File outdated by:  RHBA-2008:0458		     6cb69483368642ef2a3f37de76648fde
dbus-1.0.0-6.3.el5_1.x86_64.rpm
File outdated by:  RHBA-2008:0458		     428fdb50a34eb7837f574cb86ee113f5
dbus-devel-1.0.0-6.3.el5_1.i386.rpm
File outdated by:  RHBA-2008:0458		     2cf0e662fece89e7dbce8006f9e0b673
dbus-devel-1.0.0-6.3.el5_1.x86_64.rpm
File outdated by:  RHBA-2008:0458		     f192dd3f3c0fc9030f9c290f43545345
dbus-x11-1.0.0-6.3.el5_1.x86_64.rpm
File outdated by:  RHBA-2008:0458		     94d5bb6c26f287bc531e9883a7821e71
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
dbus-1.0.0-6.3.el5_1.src.rpm
File outdated by:  RHBA-2008:0458		     76a2a62f6701ed1cf9ae281d53b9efff
 
IA-32:
dbus-1.0.0-6.3.el5_1.i386.rpm
File outdated by:  RHBA-2008:0458		     6cb69483368642ef2a3f37de76648fde
dbus-x11-1.0.0-6.3.el5_1.i386.rpm
File outdated by:  RHBA-2008:0458		     5b2df2bfcbc0af1f710bc790d829db1b
 
x86_64:
dbus-1.0.0-6.3.el5_1.i386.rpm
File outdated by:  RHBA-2008:0458		     6cb69483368642ef2a3f37de76648fde
dbus-1.0.0-6.3.el5_1.x86_64.rpm
File outdated by:  RHBA-2008:0458		     428fdb50a34eb7837f574cb86ee113f5
dbus-x11-1.0.0-6.3.el5_1.x86_64.rpm
File outdated by:  RHBA-2008:0458		     94d5bb6c26f287bc531e9883a7821e71
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

432419 - CVE-2008-0595 dbus security policy circumvention


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0595
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/