
Bug 240308 (CVE-2008-3834)

Summary: sys-apps/dbus <1.2.3-r1 dbus_signature_validate() DoS (CVE-2008-3834)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gentopia
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugs.freedesktop.org/show_bug.cgi?id=17803
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-10-06 17:53:50 UTC
A call to dbus_signature_validate() can crash dbus.

Patch: http://gitweb.freedesktop.org/?p=dbus/dbus.git;a=commit;h=7b10b46c5c8658449783ce45f1273dd35c353bce
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-10-06 18:30:22 UTC
Arches, please test and mark stable:
=sys-apps/dbus-1.2.3-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 2 Markus Rothe (RETIRED) gentoo-dev 2008-10-06 20:11:29 UTC
ppc64 stable
Comment 3 Markus Meier gentoo-dev 2008-10-06 20:21:48 UTC
amd64/x86 stable
Comment 4 Jeroen Roovers gentoo-dev 2008-10-07 02:55:44 UTC
Stable for HPPA.
Comment 5 Friedrich Oslage (RETIRED) gentoo-dev 2008-10-07 20:33:54 UTC
sparc stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-10-08 09:08:43 UTC
alpha/ia64 stable
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-08 12:16:45 UTC
CVE-2008-3834 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3834):
  The dbus_signature_validate function in the D-bus library (libdbus)
  before 1.2.4 allows remote attackers to cause a denial of service
  (application abort) via a message containing a malformed signature,
  which triggers a failed assertion error.

Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-11 17:58:48 UTC
ppc stable
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-13 18:56:02 UTC
Ready for vote, I vote YES.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:43:46 UTC
Ok, YES then.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2009-01-04 17:49:03 UTC
arm/s390/sh stable
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-01-11 00:49:14 UTC
GLSA 200901-04