Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 07 May 2024 15:16:56 +0100
From: Philip Withnall <>
Subject: GLib (2.26.0+): GDBus signal subscriptions for well-known names are
 vulnerable to unicast spoofing


A series of related security fixes for how signal subscriptions are
handled in GDBus have just landed in GLib. They have been assigned CVE-

 * (changes
on main)
 * (trivial
backport to glib-2-80)
 * (non-
trivial backport to glib-2-78)

There is a related fix in gnome-shell which distributions should
cherry-pick at the same time, to avoid a regression in screen recording
support in gnome-shell 3.38 and newer:

(changes on main)
 * Backports to older versions of gnome-shell are not available yet

When a GDBus-based client subscribes to signals from a trusted system
service such as NetworkManager or logind on a shared computer, other
users of the same computer can send spoofed D-Bus signals that the
GDBus-based client will wrongly interpret as having been sent by the
trusted system service. This could lead to the GDBus-based client
behaving incorrectly, with an application-dependent impact.
Distributors are advised to cherry-pick these changes into their GLib
packages ASAP.

This issue has likely existed since GDBus was first introduced in GLib
2.26, although this lower bound has not been verified. The issue has
been verified to exist in at least GLib 2.66, 2.74, 2.78 (<2.78.5) and
2.80 (<2.80.1).

Per GLib’s support policy, the fixes have not been backported to glib-
2-76 or earlier.


Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.