Your message dated Fri, 10 Jun 2011 22:02:25 +0000
with message-id <[email protected]>
and subject line Bug#629938: fixed in dbus 1.4.12-1
has caused the Debian Bug report #629938,
regarding libdbus-1-3: local DoS via messages with non-native byte order
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
629938: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libdbus-1-3
Version: 1.4.8-3
Severity: normal
Tags: security
Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=38120

libdbus-1-3, used by dbus-daemon, swaps the byte-order of incoming messages
into native endianness but does not swap the byte-order mark in messages
when swapping their byte order. As a result, if a message in non-native byte
order is sent through dbus-daemon to a system service like Avahi or
NetworkManager, that system service is likely to interpret the message as
invalid and disconnect from the system bus, leading to a local DoS.

This was raised, and promptly forgotten about, in 2007 (!), so it's already
public information. A fix is awaiting review upstream.

Debian Security Team, could you allocate a CVE ID if appropriate, please?
I suspect this is a job for stable-proposed-updates rather than a DSA, though.

Regards,
    S



--- End Message ---
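The failure mode in the report above, as an added example that is not part of the original message and is not libdbus code. It models only the 16-byte fixed D-Bus header; `rd32`, `swap_header`, `receiver_accepts` and `demo` are hypothetical names, and the sample message is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified D-Bus fixed header: byte 0 is the byte-order mark ('l' or 'B'),
 * bytes 4-7 body length, 8-11 serial, 12-15 header-field array length. */
enum { HDR_LEN = 16 };

static uint32_t rd32(const uint8_t *p, uint8_t mark) {
    if (mark == 'l')
        return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return (uint32_t)p[3] | (uint32_t)p[2] << 8 | (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24;
}

/* Reverse the three uint32 header words in place. With fix_mark == 0 the
 * mark in byte 0 is left stale (the behaviour the report describes); with
 * fix_mark != 0 it is rewritten to match the new byte order. */
static void swap_header(uint8_t *msg, int fix_mark) {
    for (size_t off = 4; off < HDR_LEN; off += 4) {
        uint8_t t = msg[off]; msg[off] = msg[off + 3]; msg[off + 3] = t;
        t = msg[off + 1]; msg[off + 1] = msg[off + 2]; msg[off + 2] = t;
    }
    if (fix_mark)
        msg[0] = (msg[0] == 'l') ? 'B' : 'l';
}

/* Receiver-side validation: trust byte 0, then require the declared lengths
 * to add up to the bytes actually received. Returns 1 if valid, 0 if not. */
static int receiver_accepts(const uint8_t *msg, size_t total) {
    if (total < HDR_LEN || (msg[0] != 'l' && msg[0] != 'B'))
        return 0;
    uint32_t body = rd32(msg + 4, msg[0]);
    uint32_t fields = rd32(msg + 12, msg[0]);
    uint64_t padded = ((uint64_t)HDR_LEN + fields + 7) & ~(uint64_t)7;
    return padded + body == total;
}

/* Constructed sample: big-endian message, empty field array, 8-byte body. */
static int demo(int fix_mark) {
    uint8_t msg[HDR_LEN + 8] = { 'B', 1, 0, 1,  0, 0, 0, 8,  0, 0, 0, 1,  0, 0, 0, 0 };
    swap_header(msg, fix_mark);
    return receiver_accepts(msg, sizeof msg);
}

int main(void) {
    printf("mark left stale: accepted=%d\n", demo(0));
    printf("mark rewritten:  accepted=%d\n", demo(1));
    return 0;
}
```

With the stale mark the receiver decodes the body length as 0x08000000 instead of 8 and rejects the message, which is the point at which a service would treat its bus connection as broken.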
--- Begin Message ---
Source: dbus
Source-Version: 1.4.12-1

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:

dbus-1-dbg_1.4.12-1_amd64.deb
  to main/d/dbus/dbus-1-dbg_1.4.12-1_amd64.deb
dbus-1-doc_1.4.12-1_all.deb
  to main/d/dbus/dbus-1-doc_1.4.12-1_all.deb
dbus-x11_1.4.12-1_amd64.deb
  to main/d/dbus/dbus-x11_1.4.12-1_amd64.deb
dbus_1.4.12-1.debian.tar.gz
  to main/d/dbus/dbus_1.4.12-1.debian.tar.gz
dbus_1.4.12-1.dsc
  to main/d/dbus/dbus_1.4.12-1.dsc
dbus_1.4.12-1_amd64.deb
  to main/d/dbus/dbus_1.4.12-1_amd64.deb
dbus_1.4.12.orig.tar.gz
  to main/d/dbus/dbus_1.4.12.orig.tar.gz
libdbus-1-3_1.4.12-1_amd64.deb
  to main/d/dbus/libdbus-1-3_1.4.12-1_amd64.deb
libdbus-1-dev_1.4.12-1_amd64.deb
  to main/d/dbus/libdbus-1-dev_1.4.12-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 10 Jun 2011 22:39:14 +0100
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev dbus-1-dbg
Architecture: source amd64 all
Version: 1.4.12-1
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Description: 
 dbus       - simple interprocess messaging system (daemon and utilities)
 dbus-1-dbg - simple interprocess messaging system (debug symbols)
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system (library)
 libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 629938
Changes: 
 dbus (1.4.12-1) unstable; urgency=medium
 .
   * New upstream release fixes local DoS (Closes: #629938, no CVE number yet)
   * Don't delete jquery.js, no longer installed by recent Doxygen
   * Build-depend on libglib2.0-dev, libdbus-glib-1-dev for better regression
     test coverage (dbus-glib is a circular dependency, but both of these
     dependencies can be dropped if bootstrapping new architectures)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
