
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2024-34397) was discovered in GNOME GLib before version 2.78.5, and versions 2.79.x and 2.80.x before 2.80.1. The vulnerability was disclosed on May 7, 2024, affecting GDBus-based client systems that subscribe to signals from trusted system services like NetworkManager on shared computers (NVD, OSS Security).
The vulnerability exists in the GDBus signal subscription handling mechanism. When a GDBus-based client subscribes to signals from a trusted system service, GDBus does not properly verify that an incoming signal was actually sent by that service. This issue has likely existed since GDBus was first introduced in GLib 2.26, though it has been specifically verified in GLib versions 2.66, 2.74, 2.78 (<2.78.5) and 2.80 (<2.80.1). The vulnerability has been assigned a CVSS v3.1 base score of 5.2 (Medium) with vector AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L (OSS Security, NVD).
If exploited, this vulnerability allows other users on the same computer to send spoofed D-Bus signals that the GDBus-based client will incorrectly interpret as having been sent by the trusted system service. This can cause the GDBus-based client to behave incorrectly, with impacts varying depending on the specific application (NVD, Debian LTS).
The vulnerability has been fixed in GLib versions 2.78.5 and 2.80.1. Additionally, a related fix in gnome-shell is required to prevent regression in screen recording support in gnome-shell 3.38 and newer. Distributions are advised to implement both fixes simultaneously to maintain functionality (OSS Security).
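The check that closes this hole, shown as an added illustration in application terms (this is constructed example code, not GLib's or the page's own): a signal is accepted only when its sender is the unique connection name that currently owns the subscribed well-known name, and owner changes are trusted only when reported by the bus daemon itself. The bus names, unique names and the `StateChanged` signal below are assumptions for the demo.

```python
"""Constructed illustration (not GLib's own code) of the sender check: a client subscribed
to signals from a well-known name accepts only signals whose sender is the unique name
currently owning it; any other unique name on the bus may belong to another local user."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BUS_DAEMON = "org.freedesktop.DBus"  # only the bus itself may report owner changes
NM_NAME = "org.freedesktop.NetworkManager"

@dataclass(frozen=True)
class Signal:
    sender: str     # unique bus name of the emitting connection, e.g. ":1.42"
    interface: str

class OwnerCheckedSubscription:
    """Tracks the unique-name owner of a well-known name and filters signals by it."""
    def __init__(self, well_known: str, initial_owner: Optional[str]) -> None:
        self.well_known = well_known
        self.owner = initial_owner  # as returned by org.freedesktop.DBus.GetNameOwner
    def on_name_owner_changed(self, sender: str, name: str, old: str, new: str) -> None:
        # Honour NameOwnerChanged only from the bus daemon; otherwise a local
        # attacker could simply announce itself as the new owner of the name.
        if sender == BUS_DAEMON and name == self.well_known:
            self.owner = new or None  # empty new owner means the name was released
    def accept(self, sig: Signal) -> bool:
        # Deliver only signals from the current owner of the well-known name.
        return self.owner is not None and sig.sender == self.owner

def replay(sub: OwnerCheckedSubscription, events: List[Tuple]) -> List[str]:
    """Feed a constructed event stream; return the senders of delivered signals."""
    delivered = []
    for ev in events:
        if ev[0] == "owner":
            sub.on_name_owner_changed(*ev[1:])
        elif sub.accept(ev[1]):
            delivered.append(ev[1].sender)
    return delivered

def demo() -> List[str]:
    """Constructed scenario: owner :1.42, spoofer :1.99, service restarts as :1.57."""
    sub = OwnerCheckedSubscription(NM_NAME, ":1.42")
    sig = lambda s: Signal(s, NM_NAME)
    return replay(sub, [
        ("signal", sig(":1.42")),                          # genuine owner: delivered
        ("signal", sig(":1.99")),                          # other local user: dropped
        ("owner", ":1.99", NM_NAME, ":1.42", ":1.99"),     # forged owner change: ignored
        ("signal", sig(":1.99")),                          # still dropped
        ("owner", BUS_DAEMON, NM_NAME, ":1.42", ":1.57"),  # real restart of the service
        ("signal", sig(":1.42")),                          # stale owner: dropped
        ("signal", sig(":1.57")),                          # new genuine owner: delivered
    ])
```

Without the sender comparison, every signal in the stream above would be delivered, which is the behaviour the advisory describes; an application that cannot upgrade GLib can apply the same comparison in its own signal callback.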
Source: This report was generated using AI