Date: Thu, 13 Jun 2013 12:55:23 +0100
From: Simon McVittie <>
Subject: CVE-2013-2168: dbus: DoS in system services caused by _dbus_printf_string_upper_bound

Alexandru Cornea discovered a vulnerability in libdbus caused by an
implementation bug in _dbus_printf_string_upper_bound(). This
vulnerability can be exploited by a local user to crash system services
that use libdbus, causing denial of service. It is platform-specific:
x86-64 Linux is known to be affected.

This vulnerability is tracked as CVE-2013-2168 and is fixed in D-Bus
stable releases 1.4.26 and 1.6.12, and development release 1.7.4.
Upgrading is recommended.

Distributors who backport security fixes should use this commit:

On Unix platforms, this vulnerability was introduced in dbus versions
1.4.16 and 1.5.8 while fixing a portability bug, #11668.
The 1.2.x branch is not vulnerable.

On Windows, a similar bug exists in all branches that have Windows
support. The D-Bus project does not support security-sensitive uses of
D-Bus on Windows.
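
A version triage for the Unix ranges given in the message above, as an added example that is not part of the original post or of the D-Bus project's code. The names `VULNERABLE_RANGES`, `parse_version`, `classify` and `triage` are hypothetical, the inventory is constructed sample data, and treating 1.5.8 through 1.6.11 as one line and 1.7.0 through 1.7.3 as affected is an assumption drawn from the listed fix releases.

```python
import re

# (introduced, first fixed) per release line, from the advisory text.
# Assumption: 1.5.x development releases and 1.6.x stable releases form one
# line (introduced 1.5.8, fixed 1.6.12); 1.7.x before 1.7.4 is affected.
VULNERABLE_RANGES = [
    ((1, 4, 16), (1, 4, 26)),
    ((1, 5, 8), (1, 6, 12)),
    ((1, 7, 0), (1, 7, 4)),
]


def parse_version(text):
    """Extract the first x.y.z version from a version string or banner line."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in match.groups())


def classify(text):
    """Return (status, first_fixed_release) for a Unix build of dbus."""
    version = parse_version(text)
    for introduced, fixed in VULNERABLE_RANGES:
        if introduced <= version < fixed:
            return "affected", ".".join(str(part) for part in fixed)
    return "not affected", None


def triage(inventory):
    """Map host name -> classification, keeping only hosts needing action."""
    findings = {}
    for host, banner in inventory.items():
        status, fixed = classify(banner)
        if status == "affected":
            findings[host] = fixed
    return findings


if __name__ == "__main__":
    # Constructed sample inventory: host name -> reported dbus version text.
    sample = {
        "build01": "D-Bus Message Bus Daemon 1.6.8",
        "legacy02": "1.2.30",
        "dev03": "1.7.2",
        "patched04": "D-Bus Message Bus Daemon 1.4.26",
    }
    for host, fixed in sorted(triage(sample).items()):
        print("%s: affected by CVE-2013-2168, upgrade to >= %s" % (host, fixed))
```

A version number alone cannot tell whether a distributor has backported the fix, so an "affected" result on a distribution package should be confirmed against that package's changelog.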

