A series of related security fixes for how signal subscriptions are handled in GDBus have just landed in GLib. They have been assigned CVE-2024-34397:
- gdbusconnection: Don’t deliver signals if the sender doesn’t match (!4038) (changes on main)
- Backport !4038 “gdbusconnection: Don’t deliver signals if the sender doesn’t match” to glib-2-80 (!4039) (trivial backport to glib-2-80)
- Backport !4038 “gdbusconnection: Don’t deliver signals if the sender doesn’t match” to glib-2-78 (!4040) (non-trivial backport to glib-2-78)
There is a related fix in gnome-shell which distributions should cherry-pick at the same time, to avoid a regression in screen recording support in gnome-shell 3.38 and newer:
- screencast: Correct expected bus name for streams (changes on main)
- Backports to older versions of gnome-shell are not available yet
When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager or logind on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact. Distributors are advised to cherry-pick these changes into their GLib packages ASAP.
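To make the failure mode above concrete, here is an added model (not GLib's own code) of the sender check that a subscription must enforce: a signal is delivered only if its actual sender is the unique name currently owning the subscribed well-known name, and a spoofed copy from another connection on the bus is dropped. All bus names, owners and messages are constructed sample values.

```python
# Added illustration, not GLib's own code: a minimal model of the sender check
# the CVE-2024-34397 fix enforces.  A subscription names its expected sender;
# a well-known name is resolved to the unique name (":1.x") of its current
# owner, tracked from the bus driver's NameOwnerChanged signal, and a signal
# is delivered only when its real sender is that unique name.  All names,
# owners and messages below are constructed sample values.
from dataclasses import dataclass, field

DBUS_SERVICE = "org.freedesktop.DBus"   # the bus driver's name (real D-Bus name)


@dataclass
class Message:
    sender: str        # unique name of the connection that sent the message
    interface: str
    member: str
    args: tuple = ()


@dataclass
class SenderCheckedBus:
    owners: dict = field(default_factory=dict)       # well-known -> unique name
    subscriptions: list = field(default_factory=list)
    delivered: list = field(default_factory=list)

    def subscribe(self, sender, interface, member):
        self.subscriptions.append((sender, interface, member))   # sender may be None (any)

    def expected_unique_name(self, sender):
        if sender is None or sender.startswith(":"):
            return sender
        return self.owners.get(sender)   # None: nobody owns the name right now

    def receive(self, msg):
        # Only the bus driver may update the owner map; forged ones are ignored.
        if (msg.sender == DBUS_SERVICE and msg.interface == DBUS_SERVICE
                and msg.member == "NameOwnerChanged"):
            name, _old_owner, new_owner = msg.args
            if new_owner:
                self.owners[name] = new_owner
            else:
                self.owners.pop(name, None)
        hit = False
        for sender, interface, member in self.subscriptions:
            if (interface, member) != (msg.interface, msg.member):
                continue
            if sender is not None and self.expected_unique_name(sender) != msg.sender:
                continue   # the fix: sender does not match, do not deliver
            self.delivered.append(msg)
            hit = True
        return hit
```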
Per GLib’s support policy, the fixes have not been backported to glib-2-76 or earlier.