Fluid Attacks Database

Description

libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	glib2.0	>=0 <2.33.12+really2.32.4-2	2.33.12+really2.32.4-2
debian 11	dbus	>=0 <1.6.8-1	1.6.8-1
debian 12	glib2.0	>=0 <2.33.12+really2.32.4-2	2.33.12+really2.32.4-2
debian 13	dbus	>=0 <1.6.8-1	1.6.8-1
debian 14	dbus	>=0 <1.6.8-1	1.6.8-1
debian 12	dbus	>=0 <1.6.8-1	1.6.8-1
debian 11	glib2.0	>=0 <2.33.12+really2.32.4-2	2.33.12+really2.32.4-2
debian 13	glib2.0	>=0 <2.33.12+really2.32.4-2	2.33.12+really2.32.4-2
rpm rhel6	dbus	<1:1.2.24-7.el6_3	1:1.2.24-7.el6_3

Aliases

1. CVE-2012-35242. NVD-2012-35243. OSV-DEBIAN-2012-35244. OSV-2012-35245. SECURITY-TRACKER-CVE-2012-3524

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.