Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 371261 (CVE-2011-2200) - <sys-apps/dbus-1.4.12: Local Denial of Service vulnerability: byteswapping a message doesn't change the byte-order mark (CVE-2011-2200)
Summary: <sys-apps/dbus-1.4.12: Local Denial of Service vulnerability: byteswapping a ...
Status: RESOLVED FIXED
Alias: CVE-2011-2200
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://bugs.freedesktop.org/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-12 13:12 UTC by Samuli Suominen
Modified: 2011-10-21 21:19 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Samuli Suominen gentoo-dev 2011-06-12 13:12:21 UTC
All versions prior to 1.4.12 are vulnerable to local denial of service vulnerability, no CVE assigned yet:

https://bugs.freedesktop.org/show_bug.cgi?id=38120
Comment 1 Samuli Suominen gentoo-dev 2011-06-12 13:13:24 UTC
From NEWS:

D-Bus 1.4.12 (2011-06-10)
==

Security (local denial of service):

• Byte-swap foreign-endian messages correctly, preventing a long-standing
  local DoS if foreign-endian messages are relayed through the dbus-daemon
  (backporters: this is git commit c3223ba6c401ba81df1305851312a47c485e6cd7)
  (fd.o #38120, Debian #629938, no CVE number yet; Simon McVittie)
Comment 2 Agostino Sarubbo gentoo-dev 2011-06-12 16:24:00 UTC
amd64 ok
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-06-12 18:24:47 UTC
Thanks, Samuli. Just for the record ;)

Arches, please test and mark stable:
=sys-apps/dbus-1.4.12
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-06-13 09:50:53 UTC
@Paweł

I think that for security bug(s) we can skip a test failure, so it shouldn't be as a blocker.
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2011-06-13 22:44:10 UTC
amd64:

Does fail test, already filed.  Unset test and emerge ok.
Comment 6 Jeroen Roovers gentoo-dev 2011-06-14 16:05:33 UTC
Stable for HPPA.
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-06-17 18:47:20 UTC
amd64 done. Thanks Agostino and Ian
Comment 8 Brent Baude (RETIRED) gentoo-dev 2011-06-22 20:19:02 UTC
ppc done
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:06:34 UTC
CVE-2011-2200 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2200):
  The _dbus_header_byteswap function in dbus-marshal-header.c in D-Bus (aka
  DBus) 1.2.x before 1.2.28, 1.4.x before 1.4.12, and 1.5.x before 1.5.4 does
  not properly handle a non-native byte order, which allows local users to
  cause a denial of service (connection loss), obtain potentially sensitive
  information, or conduct unspecified state-modification attacks via crafted
  messages.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-06-26 10:45:59 UTC
arm/ia64/s390/sh/sparc/x86 stable
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-07-03 11:26:01 UTC
ppc64 stable, last arch done
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-07-03 15:44:52 UTC
Thanks, folks. Added to existing GLSA request.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-10-21 21:19:16 UTC
This issue was resolved and addressed in
 GLSA 201110-14 at http://security.gentoo.org/glsa/glsa-201110-14.xml
by GLSA coordinator Stefan Behte (craig).