Debian Bug report logs - #532720
dbus: CVE-2009-1189 incomplete fix for CVE-2008-3834
Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
Date: Wed, 10 Jun 2009 22:24:04 UTC
Severity: grave
Tags: patch, security
Found in versions dbus/1.2.1-5, dbus/1.0.2-1+etch4
Fixed in versions dbus/1.2.14-2, 1.0.2-1+etch4, 1.2.1-5+lenny1
Done: Michael Biebl <biebl@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#532720; Package dbus. (Wed, 10 Jun 2009 22:24:07 GMT)
Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 10 Jun 2009 22:24:07 GMT)
Message #5 received at submit@bugs.debian.org:
Package: dbus
Version: 1.2.1-5
Severity: grave
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for dbus.
CVE-2009-1189[0]:
| The _dbus_validate_signature_with_reason function
| (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses
| incorrect logic to validate a basic type, which allows remote
| attackers to spoof a signature via a crafted key. NOTE: this is due
| to an incorrect fix for CVE-2008-3834.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry. Patches available [1].
Please coordinate with the security team to prepare updates for the
stable releases.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1189
http://security-tracker.debian.net/tracker/CVE-2009-1189
[1] http://bugs.freedesktop.org/show_bug.cgi?id=17803
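The CVE text above describes a flaw in the check that a dict-entry key in a D-Bus type signature is a basic type. As an added illustration, not code from D-Bus, from the patch referenced in the bug, or from the reporter, the following standalone C validator enforces the signature grammar rules a parser has to get right: dict entries `{...}` appear only as an array element type, hold exactly two complete types, and their key is a basic type; containers nest no deeper than 32 levels; and the whole signature is at most 255 bytes. The function names, the sample signatures and the limits as written here are assumptions of this example (the limits follow the D-Bus specification), and the code is not a reconstruction of the libdbus patch.

```c
/* Added example: a standalone D-Bus type-signature validator.
 * Not the libdbus implementation and not the CVE-2009-1189 patch; it
 * enforces the public signature grammar, including the rule the CVE is
 * about: a dict-entry key must be a basic type. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limits assumed from the D-Bus specification. */
#define MAX_SIGNATURE_LEN 255
#define MAX_ARRAY_DEPTH   32
#define MAX_STRUCT_DEPTH  32

/* Basic (non-container) type codes. */
static bool is_basic(char c)
{
    return c != '\0' && strchr("ybnqiuxtdsogh", c) != NULL;
}

/* Parse one single complete type starting at *pp; on success advance *pp
 * past it. in_array says whether this type is the element type of an
 * array, the only place a dict entry may appear. */
static bool parse_complete_type(const char **pp, int adepth, int sdepth, bool in_array)
{
    const char *p = *pp;
    char c = *p;

    if (is_basic(c) || c == 'v') {
        *pp = p + 1;
        return true;
    }

    if (c == 'a') {
        if (adepth + 1 > MAX_ARRAY_DEPTH)
            return false;
        p++;
        /* "a" must be followed by a complete element type ("a" alone is invalid). */
        if (!parse_complete_type(&p, adepth + 1, sdepth, true))
            return false;
        *pp = p;
        return true;
    }

    if (c == '(') {
        if (sdepth + 1 > MAX_STRUCT_DEPTH)
            return false;
        p++;
        if (*p == ')')              /* empty struct is not allowed */
            return false;
        while (*p != ')') {
            if (*p == '\0')         /* unterminated struct */
                return false;
            if (!parse_complete_type(&p, adepth, sdepth + 1, false))
                return false;
        }
        *pp = p + 1;
        return true;
    }

    if (c == '{') {
        if (!in_array || sdepth + 1 > MAX_STRUCT_DEPTH)
            return false;
        p++;
        /* The key is checked on its own before the value is parsed:
         * it must be a basic type, never a container or a variant. */
        if (!is_basic(*p))
            return false;
        p++;
        /* The value is any single complete type. */
        if (!parse_complete_type(&p, adepth, sdepth + 1, false))
            return false;
        if (*p != '}')              /* exactly two members */
            return false;
        *pp = p + 1;
        return true;
    }

    return false;                   /* unknown type code, '\0', stray ')' or '}' */
}

/* Returns true if sig is a well-formed D-Bus signature, i.e. zero or more
 * single complete types within the length limit. */
bool validate_signature(const char *sig)
{
    const char *p = sig;

    if (strlen(sig) > MAX_SIGNATURE_LEN)
        return false;
    while (*p != '\0') {
        if (!parse_complete_type(&p, 0, 0, false))
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample signatures: the first three are valid, the rest
     * exercise the dict-entry and completeness rules. */
    const char *samples[] = { "a{sv}", "(ii)a{sa{sv}}", "aai",
                              "a{vs}", "a{(s)v}", "{sv}", "a{svv}", "a" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i],
               validate_signature(samples[i]) ? "valid" : "INVALID");
    return 0;
}
```

The key check is deliberately a separate test on the single byte after `{`, run before the value is parsed, so a key that is a struct, array, variant or dict entry is rejected on its own rather than being accepted as part of a "complete type" that happens to parse.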
Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#532720; Package dbus. (Wed, 10 Jun 2009 22:30:02 GMT)
Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>.
Your message did not contain a Subject field. They are recommended and useful because the title of a $gBug is determined using this field. Please remember to include a Subject field in your messages in future. (Wed, 10 Jun 2009 22:30:02 GMT)
Message #10 received at 532720@bugs.debian.org:
found 532720 1.0.2-1+etch4
thank you
note bug report on CVE-2008-3834 is here: http://bugs.debian.org/501433
Bug marked as found in version 1.0.2-1+etch4. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 10 Jun 2009 22:30:03 GMT)
Bug no longer marked as found in version 1.2.14-1. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Wed, 10 Jun 2009 22:36:02 GMT)
Bug marked as fixed in version 1.2.14-2. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 10 Jun 2009 22:39:04 GMT)
Bug marked as fixed in version 1.0.2-1+etch4. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Tue, 21 Jul 2009 01:18:02 GMT)
Bug marked as fixed in version 1.2.1-5+lenny1. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Tue, 21 Jul 2009 01:18:04 GMT)
Reply sent to Michael Biebl <biebl@debian.org>: You have taken responsibility. (Tue, 21 Jul 2009 01:18:06 GMT)
Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Tue, 21 Jul 2009 01:18:07 GMT)
Message #25 received at 532720-done@bugs.debian.org:
Michael S. Gilbert wrote:
> Package: dbus
> Version: 1.2.1-5
> Severity: grave
> Tags: security , patch
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for dbus.
>
> CVE-2009-1189[0]:
> | The _dbus_validate_signature_with_reason function
> | (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses
> | incorrect logic to validate a basic type, which allows remote
> | attackers to spoof a signature via a crafted key. NOTE: this is due
> | to an incorrect fix for CVE-2008-3834.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry. Patches available [1].
>
> Please coordinate with the security team to prepare updates for the
> stable releases.
Closing the bug report. Fixed packages are now in old-stable, stable, testing
and unstable.
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Reply sent to Michael Biebl <biebl@debian.org>: You have taken responsibility. (Sun, 20 Sep 2009 20:15:17 GMT)
Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Sun, 20 Sep 2009 20:15:18 GMT)
Message #30 received at 532720-close@bugs.debian.org:
Source: dbus
Source-Version: 1.2.1-5+lenny1
We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:
dbus-1-doc_1.2.1-5+lenny1_all.deb to pool/main/d/dbus/dbus-1-doc_1.2.1-5+lenny1_all.deb
dbus-x11_1.2.1-5+lenny1_i386.deb to pool/main/d/dbus/dbus-x11_1.2.1-5+lenny1_i386.deb
dbus_1.2.1-5+lenny1.diff.gz to pool/main/d/dbus/dbus_1.2.1-5+lenny1.diff.gz
dbus_1.2.1-5+lenny1.dsc to pool/main/d/dbus/dbus_1.2.1-5+lenny1.dsc
dbus_1.2.1-5+lenny1_i386.deb to pool/main/d/dbus/dbus_1.2.1-5+lenny1_i386.deb
libdbus-1-3_1.2.1-5+lenny1_i386.deb to pool/main/d/dbus/libdbus-1-3_1.2.1-5+lenny1_i386.deb
libdbus-1-dev_1.2.1-5+lenny1_i386.deb to pool/main/d/dbus/libdbus-1-dev_1.2.1-5+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 532720@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated dbus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 18 Jun 2009 06:12:34 +0200
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev
Architecture: source all i386
Version: 1.2.1-5+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
dbus - simple interprocess messaging system
dbus-1-doc - simple interprocess messaging system (documentation)
dbus-x11 - simple interprocess messaging system (X11 deps)
libdbus-1-3 - simple interprocess messaging system
libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 532720
Changes:
dbus (1.2.1-5+lenny1) stable-security; urgency=high
.
* debian/patches/52-CVE-2009-1189.patch
- Security: The _dbus_validate_signature_with_reason function
(dbus-marshal-validate.c) uses incorrect logic to validate a basic type,
which allows remote attackers to spoof a signature via a crafted key.
NOTE: this is due to an incorrect fix for CVE-2008-3834
Closes: #532720
Fixes: CVE-2009-1189
* Urgency high for the security fix.
Checksums-Sha1:
cb786094e2c5f84f8debd3f3689502ff47dbb415 1608 dbus_1.2.1-5+lenny1.dsc
2c5b38d51b486e0143faf7749d298e07a8c71223 1406833 dbus_1.2.1.orig.tar.gz
00c1dca59e66dc869d7fda75f3966faefe65e3a7 39470 dbus_1.2.1-5+lenny1.diff.gz
d91d2bbb214b730ecbe1cd4723f0f2abea81c334 1830232 dbus-1-doc_1.2.1-5+lenny1_all.deb
f49025e8f7037851ddaa977e0e958a64600fd6a6 230180 dbus_1.2.1-5+lenny1_i386.deb
3d60281a46b9c81d7641c8b483801e6ac14e9c0f 64064 dbus-x11_1.2.1-5+lenny1_i386.deb
914731485a0c002bc7d10764ac5d8929a7aad8fa 148370 libdbus-1-3_1.2.1-5+lenny1_i386.deb
1e887a4570b976a994fad61a5356cd1b4ff39df2 235620 libdbus-1-dev_1.2.1-5+lenny1_i386.deb
Checksums-Sha256:
e87773cd23970ba061e1293a50f8984dae5b1f353143bd758f56b8a61b6b1778 1608 dbus_1.2.1-5+lenny1.dsc
8016540602189e1dca6aca6b7c0735706387e4f85ced75217c6a874980fd0e86 1406833 dbus_1.2.1.orig.tar.gz
b8808ce29aac824b69a0e80870970415820520e754fc1ff0a25b0b3d892df5db 39470 dbus_1.2.1-5+lenny1.diff.gz
cf29d785b4cb4f6830dab13b8adc2611424f35821f313214b427fd79a8e88b2d 1830232 dbus-1-doc_1.2.1-5+lenny1_all.deb
d974b3d263993fd96a920404c8d144fc7f72ce7fe884d23a78de28780cf23b55 230180 dbus_1.2.1-5+lenny1_i386.deb
0f9ad985e7019072770652b51e104fd96375302e39260b8e73474d0437cf95cb 64064 dbus-x11_1.2.1-5+lenny1_i386.deb
3a9714642675aad7b1bc4178a09e00aa1ff825ab08e3921ee0e2e4870d874d74 148370 libdbus-1-3_1.2.1-5+lenny1_i386.deb
63c61f6f7c737867d81193693a452f94989bd4bb08e55f5a21ad51e1dd6c7d31 235620 libdbus-1-dev_1.2.1-5+lenny1_i386.deb
Files:
e084fe269b41c84cdeaafae2b2633e9f 1608 devel optional dbus_1.2.1-5+lenny1.dsc
b57aa1ba0834cbbb1e7502dc2cbfacc2 1406833 devel optional dbus_1.2.1.orig.tar.gz
6b875822ae5036ba8bf83f2fae11fbf0 39470 devel optional dbus_1.2.1-5+lenny1.diff.gz
317e72d84e019f0006d84e9579fa4b66 1830232 doc optional dbus-1-doc_1.2.1-5+lenny1_all.deb
7ca48ece6eb966598f45394fa6f61ecb 230180 devel optional dbus_1.2.1-5+lenny1_i386.deb
64e2b9c17836231e7abc0aff34690001 64064 x11 optional dbus-x11_1.2.1-5+lenny1_i386.deb
a6fef063aace9660fcd7b518a1658299 148370 libs optional libdbus-1-3_1.2.1-5+lenny1_i386.deb
ac4307dc10c03340beeb13eefac1f600 235620 libdevel optional libdbus-1-dev_1.2.1-5+lenny1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpD8WoACgkQh7PER70FhVTGXgCffMJZNkChf5Ao5UCvaIMQ6b2/
MgIAn3sWIsIH19vnNh/64OaGNVIK93Gr
=2R2o
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:30:03 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:09:58 2019
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.