Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update: glib #1456

Open
dongsupark opened this issue May 22, 2024 · 0 comments · May be fixed by flatcar/scripts#2070
Open

update: glib #1456

dongsupark opened this issue May 22, 2024 · 0 comments · May be fixed by flatcar/scripts#2070
Labels
advisory security advisory security security concerns

Comments

@dongsupark
Copy link
Member

Name: glib
CVEs: CVE-2024-34397
CVSSs: n/a
Action Needed: update to >= 2.78.6

Summary: An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.

See also https://discourse.gnome.org/t/security-fixes-for-signal-handling-in-gdbus-in-glib/20882/2.

refmap.gentoo: https://bugs.gentoo.org/931507
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
advisory security advisory security security concerns
Projects
Flatcar tactical, release planning, and roadmap
Status: ⚒️ In Progress
Milestone
No milestone
1 participant
@dongsupark