Upstream has released dbus 1.4.26 and 1.6.12 to fix a security issue:
http://openwall.com/lists/oss-security/2013/06/13/2

Mageia 2 and Mageia 3 are also affected.

CC: (none) => mageia
Whiteboard: (none) => MGA3TOO, MGA2TOO
Debian has issued an advisory for this today (June 13): http://lwn.net/Alerts/554226/
URL: (none) => http://lwn.net/Vulnerabilities/554227/
Working on updates now.
Assignee: bugsquad => mageia
Coming soon to a mirror near you: dbus-1.4.16-5.2.mga2 and dbus-1.6.8-4.1.mga3

Advisory Text
=============

Alexandru Cornea discovered a vulnerability in libdbus caused by an implementation bug in _dbus_printf_string_upper_bound(). This vulnerability can be exploited by a local user to crash system services that use libdbus, causing denial of service. Depending on the dbus services running, it could lead to complete system crash.

This problem only currently appears to affect the x86_64 version of Mageia but we advise that all systems should be updated.
Assignee: mageia => qa-bugs
Thanks Colin! The official DSA link isn't up yet, but probably will be tomorrow, so I'll change that when it's available, but for now I'll use the debian-security-announce archives link.

Advisory:
========================

Updated dbus packages fix security vulnerability:

Alexandru Cornea discovered a vulnerability in libdbus caused by an implementation bug in _dbus_printf_string_upper_bound(). This vulnerability can be exploited by a local user to crash system services that use libdbus, causing denial of service. Depending on the dbus services running, it could lead to complete system crash (CVE-2013-2168).

This problem only currently appears to affect the x86_64 version of Mageia but we advise that all systems should be updated.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2168
http://lists.debian.org/debian-security-announce/2013/msg00115.html
========================

Updated packages in core/updates_testing:
========================
dbus-1.4.16-5.2.mga2
libdbus-1_3-1.4.16-5.2.mga2
libdbus-1-devel-1.4.16-5.2.mga2
dbus-x11-1.4.16-5.2.mga2
dbus-doc-1.4.16-5.2.mga2
dbus-1.6.8-4.1.mga3
libdbus1_3-1.6.8-4.1.mga3
libdbus-devel-1.6.8-4.1.mga3
dbus-x11-1.6.8-4.1.mga3
dbus-doc-1.6.8-4.1.mga3

from SRPMS:
dbus-1.4.16-5.2.mga2.src.rpm
dbus-1.6.8-4.1.mga3.src.rpm

Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
No poc that I could find, so just testing that dbus is working.

Testing complete on Mageia 2 and 3, i586 and x86_64.

Could someone from the sysadmin team push the srpm dbus-1.6.8-4.1.mga3.src.rpm from Mageia 3 Core Updates Testing to Core Updates and the srpm dbus-1.4.16-5.2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated dbus packages fix security vulnerability:

Alexandru Cornea discovered a vulnerability in libdbus caused by an implementation bug in _dbus_printf_string_upper_bound(). This vulnerability can be exploited by a local user to crash system services that use libdbus, causing denial of service. Depending on the dbus services running, it could lead to complete system crash (CVE-2013-2168).

This problem only currently appears to affect the x86_64 version of Mageia but we advise that all systems should be updated.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2168
http://lists.debian.org/debian-security-announce/2013/msg00115.html
https://bugs.mageia.org/show_bug.cgi?id=10520

Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

DSA is finally posted, changing the Reference link.

Advisory:

Updated dbus packages fix security vulnerability:

Alexandru Cornea discovered a vulnerability in libdbus caused by an implementation bug in _dbus_printf_string_upper_bound(). This vulnerability can be exploited by a local user to crash system services that use libdbus, causing denial of service. Depending on the dbus services running, it could lead to complete system crash (CVE-2013-2168).

This problem only currently appears to affect the x86_64 version of Mageia but we advise that all systems should be updated.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2168
http://www.debian.org/security/2013/dsa-2707
https://bugs.mageia.org/show_bug.cgi?id=10520
http://advisories.mageia.org/MGASA-2013-0173.html
Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
CC: boklm => (none)