Date: Thu, 13 Jun 2013 12:55:23 +0100
From: Simon McVittie <simon.mcvittie@...labora.co.uk>
To: oss-security@...ts.openwall.com
Subject: CVE-2013-2168: dbus: DoS in system services caused by _dbus_printf_string_upper_bound

Alexandru Cornea discovered a vulnerability in libdbus caused by an implementation bug in _dbus_printf_string_upper_bound(). This vulnerability can be exploited by a local user to crash system services that use libdbus, causing denial of service. It is platform-specific: x86-64 Linux is known to be affected.

This vulnerability is tracked as CVE-2013-2168 and is fixed in D-Bus stable releases 1.4.26 and 1.6.12, and development release 1.7.4. Upgrading is recommended.

Distributors who backport security fixes should use this commit:
http://cgit.freedesktop.org/dbus/dbus/commit/?id=954d75b2b64e4799f360d2a6bf9cff6d9fee37e7

On Unix platforms, this vulnerability was introduced in dbus versions 1.4.16 and 1.5.8 while fixing a portability bug, freedesktop.org #11668. The 1.2.x branch is not vulnerable.

On Windows, a similar bug exists in all branches that have Windows support. The D-Bus project does not support security-sensitive uses of D-Bus on Windows.

Regards,
Simon