Date: Thu, 13 Jun 2013 12:55:23 +0100
From: Simon McVittie <simon.mcvittie@...labora.co.uk>
To: oss-security@...ts.openwall.com
Subject: CVE-2013-2168: dbus: DoS in system services caused by _dbus_printf_string_upper_bound

Alexandru Cornea discovered a vulnerability in libdbus caused by an implementation bug in _dbus_printf_string_upper_bound(). This vulnerability can be exploited by a local user to crash system services that use libdbus, causing denial of service. It is platform-specific: x86-64 Linux is known to be affected.

This vulnerability is tracked as CVE-2013-2168 and is fixed in D-Bus stable releases 1.4.26 and 1.6.12, and development release 1.7.4. Upgrading is recommended.

Distributors who backport security fixes should use this commit:
http://cgit.freedesktop.org/dbus/dbus/commit/?id=954d75b2b64e4799f360d2a6bf9cff6d9fee37e7

On Unix platforms, this vulnerability was introduced in dbus versions 1.4.16 and 1.5.8 while fixing a portability bug, freedesktop.org #11668. The 1.2.x branch is not vulnerable.

On Windows, a similar bug exists in all branches that have Windows support. The D-Bus project does not support security-sensitive uses of D-Bus on Windows.

Regards,
Simon