Date: Thu, 13 Jun 2013 12:55:23 +0100
From: Simon McVittie <simon.mcvittie@...labora.co.uk>
To: oss-security@...ts.openwall.com
Subject: CVE-2013-2168: dbus: DoS in system services caused by _dbus_printf_string_upper_bound

Alexandru Cornea discovered a vulnerability in libdbus caused by an
implementation bug in _dbus_printf_string_upper_bound(). This
vulnerability can be exploited by a local user to crash system services
that use libdbus, causing denial of service. It is platform-specific:
x86-64 Linux is known to be affected.

This vulnerability is tracked as CVE-2013-2168 and is fixed in D-Bus
stable releases 1.4.26 and 1.6.12, and development release 1.7.4.
Upgrading is recommended.

Distributors who backport security fixes should use this commit:
http://cgit.freedesktop.org/dbus/dbus/commit/?id=954d75b2b64e4799f360d2a6bf9cff6d9fee37e7

On Unix platforms, this vulnerability was introduced in dbus versions
1.4.16 and 1.5.8 while fixing a portability bug, freedesktop.org #11668.
The 1.2.x branch is not vulnerable.

On Windows, a similar bug exists in all branches that have Windows
support. The D-Bus project does not support security-sensitive uses of
D-Bus on Windows.

Regards,
    Simon
