All versions prior to 1.4.12 are vulnerable to a local denial of service, no CVE assigned yet: https://bugs.freedesktop.org/show_bug.cgi?id=38120
From NEWS:

D-Bus 1.4.12 (2011-06-10)
== Security (local denial of service):
• Byte-swap foreign-endian messages correctly, preventing a long-standing local DoS if foreign-endian messages are relayed through the dbus-daemon (backporters: this is git commit c3223ba6c401ba81df1305851312a47c485e6cd7) (fd.o #38120, Debian #629938, no CVE number yet; Simon McVittie)
amd64 ok
Thanks, Samuli. Just for the record ;) Arches, please test and mark stable: =sys-apps/dbus-1.4.12 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
@Paweł I think that for security bug(s) we can skip a test failure, so it shouldn't be a blocker.
amd64: Does fail a test, already filed. With test unset, emerge is ok.
Stable for HPPA.
amd64 done. Thanks Agostino and Ian
ppc done
CVE-2011-2200 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2200): The _dbus_header_byteswap function in dbus-marshal-header.c in D-Bus (aka DBus) 1.2.x before 1.2.28, 1.4.x before 1.4.12, and 1.5.x before 1.5.4 does not properly handle a non-native byte order, which allows local users to cause a denial of service (connection loss), obtain potentially sensitive information, or conduct unspecified state-modification attacks via crafted messages.
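The CVE text above concerns a message header whose byte order differs from the host's. As an added illustration (not code from D-Bus or from anyone in this thread), this Python snippet decodes the 16-byte D-Bus fixed header in the order its marker byte declares, re-encodes it in host order with the marker kept consistent, and shows what a relay would read if it ignored the marker; the sample message is constructed.

```python
import struct
import sys
from collections import namedtuple

# Wire-format byte-order marker ('l' = little, 'B' = big) per the D-Bus spec;
# NATIVE is the marker this host would write.
ENDIAN_PREFIX = {"l": "<", "B": ">"}
NATIVE = "l" if sys.byteorder == "little" else "B"
FIXED_FMT = "cBBBIII"  # marker, type, flags, version, body len, serial, field-array len
FixedHeader = namedtuple("FixedHeader",
                         "endian msg_type flags version body_len serial fields_len")


def parse_header(buf: bytes) -> FixedHeader:
    """Decode the 16-byte fixed header in the byte order the message declares."""
    if len(buf) < 16:
        raise ValueError("truncated header")
    endian = chr(buf[0])
    if endian not in ENDIAN_PREFIX:
        raise ValueError("invalid endianness marker 0x%02x" % buf[0])
    fields = struct.unpack(ENDIAN_PREFIX[endian] + FIXED_FMT, buf[:16])
    hdr = FixedHeader(endian, *fields[1:])
    if hdr.version != 1:
        raise ValueError("unsupported protocol version %d" % hdr.version)
    if hdr.serial == 0:
        raise ValueError("serial must be non-zero")
    return hdr


def to_native(buf: bytes) -> bytes:
    """Re-encode the fixed header in host order, rewriting the marker byte so it
    stays consistent with the swapped fields. A relay must give the header-field
    array and body the same per-type treatment before forwarding."""
    h = parse_header(buf)
    if h.endian == NATIVE:
        return bytes(buf[:16])
    return struct.pack(ENDIAN_PREFIX[NATIVE] + FIXED_FMT, NATIVE.encode(),
                       h.msg_type, h.flags, h.version, h.body_len, h.serial, h.fields_len)


def naive_body_len(buf: bytes) -> int:
    """What a relay reads if it ignores the marker and assumes little-endian."""
    return struct.unpack("<I", buf[4:8])[0]


# Constructed sample: big-endian METHOD_CALL (type 1), no flags, 4-byte body,
# serial 0x0102, empty header-field array.
SAMPLE_BE = struct.pack(">" + FIXED_FMT, b"B", 1, 0, 1, 4, 0x0102, 0)
```

On a little-endian host `naive_body_len(SAMPLE_BE)` reads 0x04000000 instead of 4, which is the kind of misinterpretation that makes a relay wait for or allocate a body the sender never sent.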
arm/ia64/s390/sh/sparc/x86 stable
ppc64 stable, last arch done
Thanks, folks. Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201110-14 at http://security.gentoo.org/glsa/glsa-201110-14.xml by GLSA coordinator Stefan Behte (craig).