pam_fprintd local root proof of concept exploit that spawns a shell. pam_fprintd uses net.reactivated.Fprint service to trigger finger swiping and registers DBUS signal inside the PAM authentication function. Then, when the DBUS signal arrives, the signal argument is basically just checked to be the "verify-match" string; which however is expected to come from the legit net.reactivated.Fprint service. Since there is no message filter registered in either pam_fprintd, nor inside dbus-glib which it is using, such signals can be spoofed by anyone.
d7d878eac758bfcc9a041d7672f578aa68bacf6ae2cbd54d692e6da69a937360
Mandriva Linux Security Advisory 2013-071 - A privilege escalation flaw was found in the way dbus-glib, the D-Bus add-on library to integrate the standard D-Bus library with the GLib thread abstraction and main loop, performed filtering of the message sender, when the NameOwnerChanged signal was received. A local attacker could use this flaw to escalate their privileges.
38a7f795c9dbf85c8c9f40f7bee0e1c36b4f7c15067e9d63187d3ea2d1ae392a
Ubuntu Security Notice 1753-1 - Sebastian Krahmer and Bastien Nocera discovered that DBus-GLib did not properly validate the message sender when the "NameOwnerChanged" signal was received. A local attacker could possibly use this issue to escalate their privileges.
9ce1ac4e5f067377afdafd7442b6e3c1e4f0943a1f5f93e3180598e214b52378
Red Hat Security Advisory 2013-0568-01 - dbus-glib is an add-on library to integrate the standard D-Bus library with the GLib main loop and threading model. A flaw was found in the way dbus-glib filtered the message sender when the "NameOwnerChanged" signal was received. This could trick a system service using dbus-glib into believing a signal was sent from a privileged process, when it was not. A local attacker could use this flaw to escalate their privileges. All dbus-glib users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications linked against dbus-glib, such as fprintd and NetworkManager, must be restarted for this update to take effect.
f115f8f456a5b073c3c794a1f1c4435ef97f30b0ff1398b9309a9019ea8e3fac