Security fixes for signal handling in GDBus in GLib

A series of related security fixes for how signal subscriptions are handled in GDBus have just landed in GLib. They have been assigned CVE-2024-34397:

There is a related fix in gnome-shell which distributions should cherry-pick at the same time, to avoid a regression in screen recording support in gnome-shell 3.38 and newer:

When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager or logind on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact. Distributors are advised to cherry-pick these changes into their GLib packages ASAP.

Per GLib’s support policy, the fixes have not been backported to glib-2-76 or earlier.

2 Likes
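To make the issue in the advisory above concrete, here is an added illustration (not GLib's code, and not a reconstruction of the actual patch) of why a D-Bus client must tie signal trust to the *sender* field: the bus stamps every message with the emitter's unique connection name (":1.N"), which clients cannot forge, so a subscription by well-known name is only safe when the sender is compared against that name's current owner (GetNameOwner, then NameOwnerChanged). Service name, unique names and signals are constructed sample data.

```python
# Added example, not GLib's code: model of trusting D-Bus signals by sender.
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    sender: str       # unique name the bus stamped on the message, e.g. ":1.5"
    interface: str
    member: str
    body: tuple = ()


class NameOwners:
    """Well-known name -> unique name, as learned from the bus driver."""

    def __init__(self, initial):
        self._owners = dict(initial)

    def owner_of(self, well_known):
        return self._owners.get(well_known)

    def name_owner_changed(self, name, old_owner, new_owner):
        # Mirrors org.freedesktop.DBus.NameOwnerChanged; "" means no owner.
        if new_owner:
            self._owners[name] = new_owner
        else:
            self._owners.pop(name, None)


def accept_unchecked(sig, well_known, owners):
    # Weak matcher: any connection emitting the expected interface/member is
    # treated as the service. This is the failure mode the advisory describes.
    return True


def accept_by_owner(sig, well_known, owners):
    # Hardened matcher: reject when the name has no known owner, or when the
    # message's sender is not that owner.
    owner = owners.owner_of(well_known)
    return owner is not None and sig.sender == owner


def dispatch(signals, well_known, owners, accept):
    """Return the bodies of signals the client would attribute to well_known."""
    return [s.body for s in signals
            if s.interface == well_known and s.member == "StateChanged"
            and accept(s, well_known, owners)]


SERVICE = "org.example.Service"                     # constructed bus name
OWNERS = NameOwners({SERVICE: ":1.5"})              # constructed: owner is :1.5
SIGNALS = [                                         # constructed bus traffic
    Signal(":1.5", SERVICE, "StateChanged", ("connected",)),      # genuine
    Signal(":1.99", SERVICE, "StateChanged", ("disconnected",)),  # other user
]
```

Running `dispatch(SIGNALS, SERVICE, OWNERS, accept_unchecked)` returns both bodies, while `accept_by_owner` keeps only the one from ":1.5"; after a NameOwnerChanged that moves the name to another connection, signals from the old owner are rejected as well.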

The Debian backports of these GLib changes to 2.74 and 2.66 are unofficially available here and here, in case this is useful to other LTS distro packagers.

Edit: These backports may not contain the follow-up fixes. Please check before use.

Similar unofficial backports for 2.64 and 2.72 are available too.

1 Like

Due to an unexpected regression when used with IBus (#3353), some follow-up fixes are needed. These will be present in the 2.78.6 and 2.80.2 releases, due out shortly.

The fixes are:

2 Likes