Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 473190 (CVE-2013-2168) - <sys-apps/dbus-1.6.12: DoS in system services caused by _dbus_printf_string_upper_bound (CVE-2013-2168)
Summary: <sys-apps/dbus-1.6.12: DoS in system services caused by _dbus_printf_string_u...
Status: RESOLVED FIXED
Alias: CVE-2013-2168
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [glsa]
Keywords: STABLEREQ
Depends on:
Blocks: 453086
  Show dependency tree
 
Reported: 2013-06-13 13:50 UTC by Agostino Sarubbo
Modified: 2013-08-27 21:00 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-06-13 13:50:39 UTC
From ${URL} :

Alexandru Cornea discovered a vulnerability in libdbus caused by an
implementation bug in _dbus_printf_string_upper_bound(). This
vulnerability can be exploited by a local user to crash system services
that use libdbus, causing denial of service. It is platform-specific:
x86-64 Linux is known to be affected.

This vulnerability is tracked as CVE-2013-2168 and is fixed in D-Bus
stable releases 1.4.26 and 1.6.12, and development release 1.7.4.
Upgrading is recommended.

Distributors who backport security fixes should use this commit:
http://cgit.freedesktop.org/dbus/dbus/commit/?id=954d75b2b64e4799f360d2a6bf9cff6d9fee37e7

On Unix platforms, this vulnerability was introduced in dbus versions
1.4.16 and 1.5.8 while fixing a portability bug, freedesktop.org #11668.
The 1.2.x branch is not vulnerable.



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Samuli Suominen gentoo-dev 2013-06-18 12:58:27 UTC
Test and mark stable:

=sys-apps/dbus-1.6.12          everyone
=dev-python/dbus-python-1.2.0  only ppc64 (see bug 453086)
Comment 2 Tobias Klausmann gentoo-dev 2013-06-19 19:26:42 UTC
Stable on alpha.
Comment 3 Jeroen Roovers gentoo-dev 2013-06-20 02:43:35 UTC
Stable for HPPA.
Comment 4 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2013-06-20 04:48:06 UTC
amd64: ok
Comment 5 Agostino Sarubbo gentoo-dev 2013-06-20 09:04:58 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-06-20 09:05:08 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-06-20 09:06:33 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-06-20 09:06:42 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-06-20 09:07:32 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-06-20 09:07:40 UTC
s390 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-06-20 09:07:49 UTC
sh stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-06-20 09:07:58 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-07-04 13:40:09 UTC
ppc64 stable
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-08-22 21:50:53 UTC
This issue was resolved and addressed in
 GLSA 201308-02 at http://security.gentoo.org/glsa/glsa-201308-02.xml
by GLSA coordinator Chris Reffett (creffett).
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 21:00:06 UTC
CVE-2013-2168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2168):
  The _dbus_printf_string_upper_bound function in dbus/dbus-sysdeps-unix.c in
  D-Bus (aka DBus) 1.4.x before 1.4.26, 1.6.x before 1.6.12, and 1.7.x before
  1.7.4 allows local users to cause a denial of service (service crash) via a
  crafted message.