Your message dated Wed, 15 Jun 2011 07:55:34 +0000
with message-id <[email protected]>
and subject line Bug#629938: fixed in dbus 1.2.24-4+squeeze1
has caused the Debian Bug report #629938,
regarding libdbus-1-3: local DoS via messages with non-native byte order
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
629938: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libdbus-1-3
Version: 1.4.8-3
Severity: normal
Tags: security
Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=38120
libdbus-1-3, used by dbus-daemon, swaps the byte-order of incoming messages
into native endianness but does not swap the byte-order mark in messages
when swapping their byte order. As a result, if a message in non-native byte
order is sent through dbus-daemon to a system service like Avahi or
NetworkManager, that system service is likely to interpret the message as
invalid and disconnect from the system bus, leading to a local DoS.
This was raised, and promptly forgotten about, in 2007 (!), so it's already
public information. A fix is awaiting review upstream.
Debian Security Team, could you allocate a CVE ID if appropriate, please?
I suspect this is a job for stable-proposed-updates rather than a DSA, though.
Regards,
S
--- End Message ---
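The failure mode described in the report above, as an added C sketch that is not part of the bug report and is not libdbus code. It models only the 16-byte fixed header of the D-Bus wire format; the function names and the sample header are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified model (not libdbus code) of the 16-byte fixed D-Bus header:
 * [0] byte-order mark ('l' little, 'B' big), [1] type, [2] flags, [3] version,
 * [4..7] body length, [8..11] serial, [12..15] header-field array length. */
enum { HDR_LEN = 16 };
static uint32_t bswap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}
static unsigned char native_mark(void) {
    const uint16_t probe = 1;
    return *(const unsigned char *)&probe ? 'l' : 'B';
}

/* Relay side: convert the three uint32 fields in place. fix_mark == 0 models
 * the reported behaviour, where byte 0 keeps naming the old byte order. */
static void swap_header(unsigned char *h, int fix_mark) {
    for (int off = 4; off < HDR_LEN; off += 4) {
        uint32_t v;
        memcpy(&v, h + off, 4);
        v = bswap32(v);
        memcpy(h + off, &v, 4);
    }
    if (fix_mark) h[0] = (h[0] == 'l') ? 'B' : 'l';
}

/* Receiver side: trust byte 0, decode the body length, compare it with the
 * bytes that arrived. Returns 0 if consistent, -1 if the message is invalid. */
static int receiver_check(const unsigned char *h, uint32_t body_received) {
    uint32_t len;
    if (h[0] != 'l' && h[0] != 'B') return -1;
    memcpy(&len, h + 4, 4);
    if (h[0] != native_mark()) len = bswap32(len);
    return len == body_received ? 0 : -1;
}

/* Constructed sample: non-native-order header announcing a 16-byte body. */
static int demo(int fix_mark) {
    unsigned char h[HDR_LEN] = { (native_mark() == 'l') ? 'B' : 'l', 1, 0, 1 };
    uint32_t f[3] = { bswap32(16), bswap32(1), bswap32(0) };
    memcpy(h + 4, f, sizeof f);
    swap_header(h, fix_mark);
    return receiver_check(h, 16);
}

int main(void) {
    printf("stale mark: %d, updated mark: %d\n", demo(0), demo(1)); return 0;
}
```

With the mark left stale the receiver swaps the already-native length a second time and rejects the message; with the mark updated the same header is accepted.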
--- Begin Message ---
Source: dbus
Source-Version: 1.2.24-4+squeeze1
We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:
dbus-1-dbg_1.2.24-4+squeeze1_amd64.deb
to main/d/dbus/dbus-1-dbg_1.2.24-4+squeeze1_amd64.deb
dbus-1-doc_1.2.24-4+squeeze1_all.deb
to main/d/dbus/dbus-1-doc_1.2.24-4+squeeze1_all.deb
dbus-x11_1.2.24-4+squeeze1_amd64.deb
to main/d/dbus/dbus-x11_1.2.24-4+squeeze1_amd64.deb
dbus_1.2.24-4+squeeze1.debian.tar.gz
to main/d/dbus/dbus_1.2.24-4+squeeze1.debian.tar.gz
dbus_1.2.24-4+squeeze1.dsc
to main/d/dbus/dbus_1.2.24-4+squeeze1.dsc
dbus_1.2.24-4+squeeze1_amd64.deb
to main/d/dbus/dbus_1.2.24-4+squeeze1_amd64.deb
libdbus-1-3_1.2.24-4+squeeze1_amd64.deb
to main/d/dbus/libdbus-1-3_1.2.24-4+squeeze1_amd64.deb
libdbus-1-dev_1.2.24-4+squeeze1_amd64.deb
to main/d/dbus/libdbus-1-dev_1.2.24-4+squeeze1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated dbus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 14 Jun 2011 19:45:00 +0100
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev dbus-1-dbg
Architecture: source all amd64
Version: 1.2.24-4+squeeze1
Distribution: stable
Urgency: low
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Description:
dbus - simple interprocess messaging system
dbus-1-dbg - simple interprocess messaging system (debug symbols)
dbus-1-doc - simple interprocess messaging system (documentation)
dbus-x11 - simple interprocess messaging system (X11 deps)
libdbus-1-3 - simple interprocess messaging system
libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 629938
Changes:
dbus (1.2.24-4+squeeze1) stable; urgency=low
.
* Update Vcs-* control fields to reflect the move to git
* Apply patch to fix CVE-2011-2200 (fd.o #38120), which is a local DoS for
system services (Closes: #629938)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---