Bug 10520 - dbus new security issue CVE-2013-2168
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/554227/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64...
Keywords: validated_update

Reported: 2013-06-13 15:14 CEST by David Walser
Modified: 2014-05-08 18:07 CEST (History)

Source RPM: dbus-1.6.8-4.mga3.src.rpm

Description David Walser 2013-06-13 15:14:56 CEST
Upstream has released dbus 1.4.26 and 1.6.12 to fix a security issue:
http://openwall.com/lists/oss-security/2013/06/13/2

Mageia 2 and Mageia 3 are also affected.

Comment 1 David Walser 2013-06-13 19:53:06 CEST
Debian has issued an advisory for this today (June 13):
http://lwn.net/Alerts/554226/
Comment 2 Colin Guthrie 2013-06-13 20:28:26 CEST
Working on updates now.
Comment 3 Colin Guthrie 2013-06-13 21:01:43 CEST
Coming soon to a mirror near you:

dbus-1.4.16-5.2.mga2
 and
dbus-1.6.8-4.1.mga3


Advisory Text
=============

Alexandru Cornea discovered a vulnerability in libdbus caused by an implementation bug in _dbus_printf_string_upper_bound(). This vulnerability can be exploited by a local user to crash system services that use libdbus, causing denial of service. Depending on the dbus services running, it could lead to complete system crash.

This problem only currently appears to affect the x86_64 version of Mageia but we advise that all systems should be updated.
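An added example, not code from this bug report or from the dbus project: a two-pass string formatter (measure the required size, then allocate and write) in which every vsnprintf pass runs on its own va_copy() of the caller's argument list. It is my understanding, not something this page states, that the upstream defect in _dbus_printf_string_upper_bound() was of this kind, a va_list that vsnprintf had already walked being passed to vsnprintf a second time. That reading fits the advisory's observation that only x86_64 was affected: on that ABI va_list is an array type that the callee advances in place, whereas on i586 it is a plain pointer copied by value, so the reuse happens to work there. The function names format_upper_bound, vformat_alloc, format_alloc, formatted_length and format_roundtrip_ok are mine.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed pattern (not the page's or dbus's code): a caller's va_list is
 * never handed to vsnprintf directly.  Each pass that consumes arguments
 * works on a private va_copy(), so the original list is still valid for
 * the next pass.  Reusing one va_list for two vsnprintf calls is undefined
 * behaviour and, on x86_64, reads past the real arguments and crashes. */

/* Number of bytes the formatted string needs, excluding the NUL, or -1 on
 * a formatting error.  Leaves 'args' untouched. */
static int format_upper_bound(const char *fmt, va_list args)
{
    va_list copy;
    int n;

    va_copy(copy, args);
    n = vsnprintf(NULL, 0, fmt, copy);   /* size-only pass */
    va_end(copy);
    return n;
}

/* Allocate and fill a formatted string.  NULL on error. */
static char *vformat_alloc(const char *fmt, va_list args)
{
    va_list copy;
    int need = format_upper_bound(fmt, args);   /* pass 1: measure */
    if (need < 0)
        return NULL;

    char *buf = malloc((size_t)need + 1);
    if (buf == NULL)
        return NULL;

    va_copy(copy, args);                         /* pass 2: fresh copy */
    int wrote = vsnprintf(buf, (size_t)need + 1, fmt, copy);
    va_end(copy);

    /* Defensive: if the two passes disagree, do not hand back a buffer
     * whose contents may be truncated. */
    if (wrote != need) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Variadic front end; the caller frees the result. */
char *format_alloc(const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    char *s = vformat_alloc(fmt, args);
    va_end(args);
    return s;
}

/* Variadic front end for the size-only pass. */
int formatted_length(const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    int n = format_upper_bound(fmt, args);
    va_end(args);
    return n;
}

/* Self-check: the measured bound and the written string must agree. */
int format_roundtrip_ok(void)
{
    const char *fmt = "%s:%05d/%x";
    char *s = format_alloc(fmt, "dbus", 42, 255);   /* constructed input */
    if (s == NULL)
        return 0;
    int ok = strcmp(s, "dbus:00042/ff") == 0 &&
             (int)strlen(s) == formatted_length(fmt, "dbus", 42, 255);
    free(s);
    return ok;
}

int main(void)
{
    char *s = format_alloc("%s=%d", "x", 42);
    printf("need %d bytes, got \"%s\", roundtrip %s\n",
           formatted_length("%s=%d", "x", 42), s ? s : "(null)",
           format_roundtrip_ok() ? "ok" : "FAILED");
    free(s);
    return 0;
}
```

The point a reviewer would check in any such helper is that no va_list reaches a v*printf function more than once without a fresh va_copy(); on i586 the mistake is silent, which is why it can survive testing and only surface on 64-bit hosts.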
Comment 4 David Walser 2013-06-13 23:09:54 CEST
Thanks Colin!

The official DSA link isn't up yet, but probably will be tomorrow, so I'll change that when it's available, but for now I'll use the debian-security-announce archives link.

Advisory:
========================

Updated dbus packages fix security vulnerability:

Alexandru Cornea discovered a vulnerability in libdbus caused by an
implementation bug in _dbus_printf_string_upper_bound(). This vulnerability
can be exploited by a local user to crash system services that use libdbus,
causing denial of service. Depending on the dbus services running, it could
lead to complete system crash (CVE-2013-2168).

This problem only currently appears to affect the x86_64 version of Mageia
but we advise that all systems should be updated.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2168
http://lists.debian.org/debian-security-announce/2013/msg00115.html
========================

Updated packages in core/updates_testing:
========================
dbus-1.4.16-5.2.mga2
libdbus-1_3-1.4.16-5.2.mga2
libdbus-1-devel-1.4.16-5.2.mga2
dbus-x11-1.4.16-5.2.mga2
dbus-doc-1.4.16-5.2.mga2
dbus-1.6.8-4.1.mga3
libdbus1_3-1.6.8-4.1.mga3
libdbus-devel-1.6.8-4.1.mga3
dbus-x11-1.6.8-4.1.mga3
dbus-doc-1.6.8-4.1.mga3

from SRPMS:
dbus-1.4.16-5.2.mga2.src.rpm
dbus-1.6.8-4.1.mga3.src.rpm
Comment 5 Dave Hodgins 2013-06-14 01:58:27 CEST
No PoC that I could find, so just testing that dbus is working.

Testing complete on Mageia 2 and 3, i586 and x86_64.

Could someone from the sysadmin team push the srpm
dbus-1.6.8-4.1.mga3.src.rpm
from Mageia 3 Core Updates Testing to Core Updates and the srpm
dbus-1.4.16-5.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated dbus packages fix security vulnerability:

Alexandru Cornea discovered a vulnerability in libdbus caused by an
implementation bug in _dbus_printf_string_upper_bound(). This vulnerability
can be exploited by a local user to crash system services that use libdbus,
causing denial of service. Depending on the dbus services running, it could
lead to complete system crash (CVE-2013-2168).

This problem only currently appears to affect the x86_64 version of Mageia
but we advise that all systems should be updated.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2168
http://lists.debian.org/debian-security-announce/2013/msg00115.html

https://bugs.mageia.org/show_bug.cgi?id=10520
Comment 6 David Walser 2013-06-14 17:57:49 CEST
DSA is finally posted, changing the Reference link.

Advisory: Updated dbus packages fix security vulnerability:

Alexandru Cornea discovered a vulnerability in libdbus caused by an
implementation bug in _dbus_printf_string_upper_bound(). This vulnerability
can be exploited by a local user to crash system services that use libdbus,
causing denial of service. Depending on the dbus services running, it could
lead to complete system crash (CVE-2013-2168).

This problem only currently appears to affect the x86_64 version of Mageia
but we advise that all systems should be updated.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2168
http://www.debian.org/security/2013/dsa-2707

https://bugs.mageia.org/show_bug.cgi?id=10520
Comment 7 Nicolas Vigier 2013-06-18 17:13:52 CEST
http://advisories.mageia.org/MGASA-2013-0173.html