All versions prior to 1.4.12 are vulnerable to a local denial of service vulnerability, no CVE assigned yet:
D-Bus 1.4.12 (2011-06-10)
Security (local denial of service):
• Byte-swap foreign-endian messages correctly, preventing a long-standing
local DoS if foreign-endian messages are relayed through the dbus-daemon
(backporters: this is git commit c3223ba6c401ba81df1305851312a47c485e6cd7)
(fd.o #38120, Debian #629938, no CVE number yet; Simon McVittie)
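What "foreign-endian" means on the wire, as an added example that is not part of this report and not D-Bus's own code: the first byte of every D-Bus message declares the sender's byte order (`l` or `B`), and a receiver has to read the length fields of the 16-byte fixed header in that order before trusting them. The function names, the struct and the two sample headers are constructed for illustration; the layout and limits follow the D-Bus specification.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example: hypothetical names, not libdbus API. */
#define FIXED_HEADER_LEN 16u
#define MAX_MESSAGE_LEN  (1u << 27)   /* 128 MiB cap on a whole message */
#define MAX_ARRAY_LEN    (1u << 26)   /* 64 MiB cap on the header field array */

struct fixed_header {
    int foreign;                      /* 1 if sender order differs from host order */
    uint8_t type, flags, version;
    uint32_t body_len, serial, fields_len;
};

/* Constructed samples: one header (body 4 bytes, serial 1, 0x6e bytes of fields)
   encoded once little-endian and once big-endian. */
const uint8_t sample_le[16] = {'l', 1, 0, 1,  4, 0, 0, 0,  1, 0, 0, 0,  0x6e, 0, 0, 0};
const uint8_t sample_be[16] = {'B', 1, 0, 1,  0, 0, 0, 4,  0, 0, 0, 1,  0, 0, 0, 0x6e};

/* 'l' on little-endian hosts, 'B' on big-endian ones. */
static char host_order(void) {
    const uint16_t one = 1;
    return *(const uint8_t *)&one ? 'l' : 'B';
}

/* Read a uint32 in the order the message declares, whatever the host order is. */
static uint32_t read_u32(const uint8_t *p, char order) {
    if (order == 'l')
        return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return (uint32_t)p[3] | (uint32_t)p[2] << 8 | (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24;
}

/* Returns 0 on success, -1 if the header is short, malformed or over the limits. */
int parse_fixed_header(const uint8_t *buf, size_t len, struct fixed_header *out) {
    if (len < FIXED_HEADER_LEN) return -1;
    char order = (char)buf[0];
    if (order != 'l' && order != 'B') return -1;      /* unknown endianness flag */
    out->foreign = (order != host_order());
    out->type = buf[1]; out->flags = buf[2]; out->version = buf[3];
    out->body_len = read_u32(buf + 4, order);
    out->serial = read_u32(buf + 8, order);
    out->fields_len = read_u32(buf + 12, order);
    if (out->version != 1 || out->type == 0 || out->serial == 0) return -1;
    if (out->fields_len > MAX_ARRAY_LEN) return -1;
    /* The header is padded to an 8-byte boundary before the body starts. */
    uint64_t hdr = (FIXED_HEADER_LEN + (uint64_t)out->fields_len + 7) & ~(uint64_t)7;
    return hdr + out->body_len > MAX_MESSAGE_LEN ? -1 : 0;
}
```

Both samples decode to the same lengths and serial; only the `foreign` flag differs, and which of the two is foreign depends on the host.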
Thanks, Samuli. Just for the record ;)
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
I think that for security bug(s) we can skip a test failure, so it shouldn't be a blocker.
Does fail test, already filed. Unset test and emerge ok.
Stable for HPPA.
amd64 done. Thanks Agostino and Ian
The _dbus_header_byteswap function in dbus-marshal-header.c in D-Bus (aka
DBus) 1.2.x before 1.2.28, 1.4.x before 1.4.12, and 1.5.x before 1.5.4 does
not properly handle a non-native byte order, which allows local users to
cause a denial of service (connection loss), obtain potentially sensitive
information, or conduct unspecified state-modification attacks via crafted
ppc64 stable, last arch done
Thanks, folks. Added to existing GLSA request.
This issue was resolved and addressed in
GLSA 201110-14 at http://security.gentoo.org/glsa/glsa-201110-14.xml
by GLSA coordinator Stefan Behte (craig).