Gentoo Bug 240308 - sys-apps/dbus <1.2.3-r1 dbus_signature_validate() DoS (CVE-2008-3834)

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bug#:	240308
Alias:
Product:
Component:
Status:	RESOLVED
Resolution:	FIXED
Assigned To:	Gentoo Security <security@gentoo.org>

Hardware:
OS:
Version:
Priority:
Severity:

Reporter:	Robert Buchholz <rbu@gentoo.org>
Add CC:
CC:	Remove selected CCs

URL:
Summary:
Status Whiteboard:
Keywords:

Flags:			Requestee:
	Pending
	Approved
	Assigned_To		()

Filename	Description	Type	Creator	Created	Size	Actions
Create a New Attachment (proposed patch, testcase, etc.)						View All

Bug 240308 depends on:			Show dependency tree
Bug 240308 blocks:			Show dependency tree

Additional Comments: (this is where you put emerge --info)

Add to CC list

Not eligible to see or edit group visibility for this bug.

Leave as RESOLVED FIXED
Reopen bug
Mark bug as VERIFIED
Mark bug as CLOSED

View Bug Activity | Format For Printing | XML | Clone This Bug

Description:

Opened: 2008-10-06 17:53 0000

A call to dbus_signature_validate() can crash dbus.

Patch:
http://gitweb.freedesktop.org/?p=dbus/dbus.git;a=commit;h=7b10b46c5c8658449783ce45f1273dd35c353bce

------- Comment #1 From Robert Buchholz 2008-10-06 18:30:22 0000 -------

Arches, please test and mark stable:
=sys-apps/dbus-1.2.3-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

------- Comment #2 From Markus Rothe 2008-10-06 20:11:29 0000 -------

ppc64 stable

------- Comment #3 From Markus Meier 2008-10-06 20:21:48 0000 -------

amd64/x86 stable

------- Comment #4 From Jeroen Roovers 2008-10-07 02:55:44 0000 -------

Stable for HPPA.

------- Comment #5 From Friedrich Oslage 2008-10-07 20:33:54 0000 -------

sparc stable

------- Comment #6 From Raúl Porcel 2008-10-08 09:08:43 0000 -------

alpha/ia64 stable

------- Comment #7 From Stefan Behte 2008-10-08 12:16:45 0000 -------

CVE-2008-3834 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3834):
  The dbus_signature_validate function in the D-bus library (libdbus)
  before 1.2.4 allows remote attackers to cause a denial of service
  (application abort) via a message containing a malformed signature,
  which triggers a failed assertion error.

------- Comment #8 From Tobias Scherbaum 2008-10-11 17:58:48 0000 -------

ppc stable

------- Comment #9 From Tobias Heinlein 2008-10-13 18:56:02 0000 -------

Ready for vote, I vote YES.

------- Comment #10 From Robert Buchholz 2008-11-26 18:43:46 0000 -------

Ok, YES then.

------- Comment #11 From Raúl Porcel 2009-01-04 17:49:03 0000 -------

arm/s390/sh stable

------- Comment #12 From Robert Buchholz 2009-01-11 00:49:14 0000 -------

GLSA 200901-04

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bugzilla Bug 240308

sys-apps/dbus <1.2.3-r1 dbus_signature_validate() DoS (CVE-2008-3834)

Last modified: 2009-01-11 00:49:14 0000