Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 240308 (CVE-2008-3834) - sys-apps/dbus <1.2.3-r1 dbus_signature_validate() DoS (CVE-2008-3834)
Summary: sys-apps/dbus <1.2.3-r1 dbus_signature_validate() DoS (CVE-2008-3834)
Status: RESOLVED FIXED
Alias: CVE-2008-3834
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: https://bugs.freedesktop.org/show_bug...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-10-06 17:53 UTC by Robert Buchholz (RETIRED)
Modified: 2009-01-11 00:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-10-06 17:53:50 UTC 
A call to dbus_signature_validate() can crash dbus.

Patch: http://gitweb.freedesktop.org/?p=dbus/dbus.git;a=commit;h=7b10b46c5c8658449783ce45f1273dd35c353bce
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-10-06 18:30:22 UTC 
Arches, please test and mark stable:
=sys-apps/dbus-1.2.3-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 2 Markus Rothe (RETIRED) gentoo-dev 2008-10-06 20:11:29 UTC 
ppc64 stable
Comment 3 Markus Meier gentoo-dev 2008-10-06 20:21:48 UTC 
amd64/x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2008-10-07 02:55:44 UTC 
Stable for HPPA.
Comment 5 Friedrich Oslage (RETIRED) gentoo-dev 2008-10-07 20:33:54 UTC 
sparc stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-10-08 09:08:43 UTC 
alpha/ia64 stable
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-08 12:16:45 UTC 
CVE-2008-3834 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3834):
  The dbus_signature_validate function in the D-bus library (libdbus)
  before 1.2.4 allows remote attackers to cause a denial of service
  (application abort) via a message containing a malformed signature,
  which triggers a failed assertion error.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-11 17:58:48 UTC 
ppc stable
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-13 18:56:02 UTC 
Ready for vote, I vote YES.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:43:46 UTC 
Ok, YES then.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2009-01-04 17:49:03 UTC 
arm/s390/sh stable
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-01-11 00:49:14 UTC 
GLSA 200901-04