Gentoo Archives: gentoo-announce

From: Chris Reffett <creffett@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201308-02 ] D-Bus: Denial of Service
Date: Thu, 22 Aug 2013 21:51:25
Message-Id: 52168753.7050205@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201308-02
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: D-Bus: Denial of Service
9 Date: August 22, 2013
10 Bugs: #473190
11 ID: 201308-02
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A vulnerability has been found in D-Bus which allows a local user to
19 cause a Denial of Service.
20
21 Background
22 ==========
23
24 D-Bus is a message bus system which processes can use to talk to each
25 other.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 sys-apps/dbus < 1.6.12 >= 1.6.12
34
35 Description
36 ===========
37
38 D-Bus' _dbus_printf_string_upper_bound() function crashes if it returns
39 exactly 1024 bytes.
40
41 Impact
42 ======
43
44 A local attacker could provide specially-crafted input to an
45 application using D-Bus which would cause
46 _dbus_printf_string_upper_bound() to return 1024 bytes and crash,
47 causing a Denial of Service condition.
48
49 Workaround
50 ==========
51
52 There is no known workaround at this time.
53
54 Resolution
55 ==========
56
57 All D-Bus users should upgrade to the latest version:
58
59 # emerge --sync
60 # emerge --ask --oneshot --verbose ">=sys-apps/dbus-1.6.12"
61
62 References
63 ==========
64
65 [ 1 ] CVE-2013-2168
66 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2168
67
68 Availability
69 ============
70
71 This GLSA and any updates to it are available for viewing at
72 the Gentoo Security Website:
73
74 http://security.gentoo.org/glsa/glsa-201308-02.xml
75
76 Concerns?
77 =========
78
79 Security is a primary focus of Gentoo Linux and ensuring the
80 confidentiality and security of our users' machines is of utmost
81 importance to us. Any security concerns should be addressed to
82 security@g.o or alternatively, you may file a bug at
83 https://bugs.gentoo.org.
84
85 License
86 =======
87
88 Copyright 2013 Gentoo Foundation, Inc; referenced text
89 belongs to its owner(s).
90
91 The contents of this document are licensed under the
92 Creative Commons - Attribution / Share Alike license.
93
94 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature