From ${URL} : Alexandru Cornea discovered a vulnerability in libdbus caused by an implementation bug in _dbus_printf_string_upper_bound(). This vulnerability can be exploited by a local user to crash system services that use libdbus, causing denial of service. It is platform-specific: x86-64 Linux is known to be affected. This vulnerability is tracked as CVE-2013-2168 and is fixed in D-Bus stable releases 1.4.26 and 1.6.12, and development release 1.7.4. Upgrading is recommended. Distributors who backport security fixes should use this commit: http://cgit.freedesktop.org/dbus/dbus/commit/?id=954d75b2b64e4799f360d2a6bf9cff6d9fee37e7 On Unix platforms, this vulnerability was introduced in dbus versions 1.4.16 and 1.5.8 while fixing a portability bug, freedesktop.org #11668. The 1.2.x branch is not vulnerable. @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Test and mark stable: =sys-apps/dbus-1.6.12 everyone =dev-python/dbus-python-1.2.0 only ppc64 (see bug 453086)
Stable on alpha.
Stable for HPPA.
amd64: ok
amd64 stable
x86 stable
arm stable
ia64 stable
ppc stable
s390 stable
sh stable
sparc stable
ppc64 stable
This issue was resolved and addressed in GLSA 201308-02 at http://security.gentoo.org/glsa/glsa-201308-02.xml by GLSA coordinator Chris Reffett (creffett).
CVE-2013-2168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2168): The _dbus_printf_string_upper_bound function in dbus/dbus-sysdeps-unix.c in D-Bus (aka DBus) 1.4.x before 1.4.26, 1.6.x before 1.6.12, and 1.7.x before 1.7.4 allows local users to cause a denial of service (service crash) via a crafted message.
