PT-2012-6365 · Freedesktop.Org+3 · Libdbus-1-3+4
Sebastian Krahmer · Published 1970-01-01 · Updated 2024-06-15 · CVE-2012-3524
CVSS v2.0: 6.9 (Medium)
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
dbus versions 1.2.24 through 1.5.x
dbus version 1.6.8 and earlier
libdbus-1-3 (affected versions not specified)
libdbus-1-3-32bit (affected versions not specified)
dbus-1 (affected versions not specified)
dbus-1-32bit (affected versions not specified)
dbus-libs-1.2.24
dbus-devel-1.2.24
dbus-debuginfo-1.2.24
dbus-doc-1.2.24
dbus-x11-1.1.24
Description
The issue allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. This can lead to a violation of confidentiality, integrity, and availability of protected information. The exploitation of the vulnerability can be carried out locally.
Recommendations
For dbus versions 1.2.24 through 1.5.x: As a temporary workaround, consider sanitizing the environment variables before the first call into libdbus.
For dbus version 1.6.8 and earlier: Update to a version later than 1.6.8.
For libdbus-1-3, libdbus-1-3-32bit, dbus-1, dbus-1-32bit: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
For dbus-libs-1.2.24, dbus-devel-1.2.24, dbus-debuginfo-1.2.24, dbus-doc-1.2.24, dbus-x11-1.1.24: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
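The temporary workaround from the first recommendation, as an added example (not code from this advisory or from the dbus project): a C routine that a privileged program could call before its first libdbus call to remove DBUS_SYSTEM_BUS_ADDRESS from its environment, duplicate entries included. The function names are hypothetical, and also scrubbing DBUS_SESSION_BUS_ADDRESS and DBUS_STARTER_ADDRESS goes beyond the single variable the advisory names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Drop every "name=..." entry from environ by compacting the pointer array
 * in place. Duplicates are removed too, so a crafted environment carrying
 * the variable twice cannot leave one copy behind. Returns entries removed. */
static int scrub_env_var(const char *name)
{
    size_t len = strlen(name);
    int removed = 0;
    char **src, **dst;

    if (environ == NULL)
        return 0;
    for (src = dst = environ; *src != NULL; src++) {
        if (strncmp(*src, name, len) == 0 && (*src)[len] == '=')
            removed++;          /* skip: entry is not copied forward */
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

/* Hypothetical helper: call once, before the first call into libdbus. */
static int sanitize_dbus_env(void)
{
    static const char *const vars[] = {
        "DBUS_SYSTEM_BUS_ADDRESS",   /* the variable named in this advisory */
        "DBUS_SESSION_BUS_ADDRESS",  /* added here: other bus address overrides */
        "DBUS_STARTER_ADDRESS",
    };
    int removed = 0;
    size_t i;

    for (i = 0; i < sizeof vars / sizeof vars[0]; i++)
        removed += scrub_env_var(vars[i]);
    return removed;
}

int main(void)
{
    int n = sanitize_dbus_env();
    printf("removed %d D-Bus address entries\n", n);
    /* ... the program's first libdbus call would follow here ... */
    return getenv("DBUS_SYSTEM_BUS_ADDRESS") == NULL ? 0 : 1;
}
```

The exact-name match (`name` followed by `=`) leaves unrelated variables that merely share the prefix untouched.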
Affected Products
CentOS
Red Hat
SUSE
Dbus
Libdbus-1-3