Debian Bug report logs - #501443
dbus: CVE-2008-3834, possible DoS
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Tue, 7 Oct 2008 12:03:01 UTC
Severity: grave
Tags: patch, security
Found in version dbus/1.2.1-3
Fixed in versions dbus/1.2.1-4, dbus/1.0.2-1+etch4
Done: Steffen Joeris <white@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#501443; Package dbus. (Tue, 07 Oct 2008 12:03:05 GMT)
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: New Bug report received and forwarded. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 07 Oct 2008 12:03:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: dbus
Version: 1.2.1-3
Severity: important
Tags: security, patch
Hi
There is a potential DoS in dbus. Please see the upstream bug for
more explanations[0]. The patch is attached[1] to the bug and there is
also a Red Hat bug[2] about it. I am still unsure about the severity
and want to figure out how common the vulnerability would be, but
I wanted to let you know so you can work on updated packages for
sid and lenny already.
Please mention the CVE id in your changelog when you fix this issue.
Cheers
Steffen
[0]: https://bugs.freedesktop.org/show_bug.cgi?id=17803
[1]: https://bugs.freedesktop.org/attachment.cgi?id=19288
[2]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4434
Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#501443; Package dbus. (Mon, 20 Oct 2008 18:24:11 GMT)
Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Mon, 20 Oct 2008 18:24:11 GMT)
Message #10 received at 501443@bugs.debian.org:
retitle 501443 dbus: CVE-2008-3834, possible DoS
thank you
Hello, now that Ubuntu has released fixes for this issue [1], can we
hope to see the same action from Debian soon?
Note also that the original report had the wrong CVE in the title
(which I've fixed) and has a different wrong CVE in one of the links
in the message. The correct CVE link is [2].
[1] http://www.ubuntu.com/usn/usn-653-1
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3834
Changed Bug title to `dbus: CVE-2008-3834, possible DoS' from `CVE-2008-0595: possible DoS'. Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Mon, 20 Oct 2008 18:24:12 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#501443; Package dbus. (Mon, 20 Oct 2008 21:21:05 GMT)
Acknowledgement sent to Michael Biebl <biebl@teco.edu>: Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Mon, 20 Oct 2008 21:21:05 GMT)
Message #17 received at 501443@bugs.debian.org:
Quoting Michael Gilbert <michael.s.gilbert@gmail.com>:
> retitle 501443 dbus: CVE-2008-3834, possible DoS
> thank you
>
> hello, now that ubuntu has released fixes for this issue [1], can we
> hope to see the same action from debian soon?
>
Hi Michael,
thanks for the detailed bug report and apologies for the late reply.
I'll prepare a new release in the next few days and will also try to
get this fix into lenny.
Cheers,
Michael
Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#501443; Package dbus. (Tue, 21 Oct 2008 11:00:02 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 21 Oct 2008 11:00:02 GMT)
Message #22 received at 501443@bugs.debian.org:
# Automatically generated email from bts, devscripts version 2.10.35
# might be a problem in multi-user desktop environments (universities)
severity 501443 grave
Severity set to `grave' from `important'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 21 Oct 2008 11:00:03 GMT)
Reply sent to Michael Biebl <biebl@debian.org>: You have taken responsibility. (Sat, 25 Oct 2008 14:21:10 GMT)
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer. (Sat, 25 Oct 2008 14:21:10 GMT)
Message #29 received at 501443-close@bugs.debian.org:
Source: dbus
Source-Version: 1.2.1-4
We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:
dbus-1-doc_1.2.1-4_all.deb to pool/main/d/dbus/dbus-1-doc_1.2.1-4_all.deb
dbus-x11_1.2.1-4_i386.deb to pool/main/d/dbus/dbus-x11_1.2.1-4_i386.deb
dbus_1.2.1-4.diff.gz to pool/main/d/dbus/dbus_1.2.1-4.diff.gz
dbus_1.2.1-4.dsc to pool/main/d/dbus/dbus_1.2.1-4.dsc
dbus_1.2.1-4_i386.deb to pool/main/d/dbus/dbus_1.2.1-4_i386.deb
libdbus-1-3_1.2.1-4_i386.deb to pool/main/d/dbus/libdbus-1-3_1.2.1-4_i386.deb
libdbus-1-dev_1.2.1-4_i386.deb to pool/main/d/dbus/libdbus-1-dev_1.2.1-4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 501443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated dbus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 25 Oct 2008 15:28:05 +0200
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev
Architecture: source all i386
Version: 1.2.1-4
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
dbus - simple interprocess messaging system
dbus-1-doc - simple interprocess messaging system (documentation)
dbus-x11 - simple interprocess messaging system (X11 deps)
libdbus-1-3 - simple interprocess messaging system
libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 470121 501443 502408
Changes:
dbus (1.2.1-4) unstable; urgency=high
.
* debian/patches/CVE-2008-3834.patch
- The dbus_signature_validate function in the D-bus library allows
attackers to cause a denial of service (application abort) via a message
containing a malformed signature, which triggers a failed assertion
error. (Closes: #501443)
Fixes: CVE-2008-3834
- Urgency high for the security fix.
* debian/patches/20-dbus-alpha-unaligned.patch
- Fix misaligned memory access which causes "unaligned traps" on Alpha.
(Closes: #502408)
* debian/dbus.init
- Add "status" action to init script. (Closes: #470121)
* debian/control
- Bump Depends on lsb-base to >= 3.2-14, which provides status_of_proc().
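The changelog above describes the CVE-2008-3834 failure mode: dbus_signature_validate hit a failed assertion on a malformed signature, so the process aborted instead of rejecting the message. As an added example that is not dbus's own code, here is a small C validator for the public D-Bus type-signature grammar that reports every malformed input through a return value and never asserts; the function and status names, the 255-byte length cap and the single combined nesting limit of 32 are assumptions of this example.

```c
#include <string.h>

#define SIG_MAX_LEN   255   /* D-Bus signature length limit */
#define SIG_MAX_DEPTH 32    /* combined container nesting limit (assumption) */
enum sig_status { SIG_OK = 0, SIG_TOO_LONG, SIG_BAD_CHAR, SIG_UNBALANCED,
                  SIG_EMPTY_STRUCT, SIG_BAD_DICT, SIG_TOO_DEEP, SIG_TRUNCATED };

/* Basic (non-container) type codes; the '\0' guard keeps strchr honest. */
static int is_basic(char c) { return c != '\0' && strchr("ybnqiuxtdsogh", c) != NULL; }

/* Parse one complete type at *p and advance *p past it. Every malformed
 * input maps to a status code; nothing here asserts or aborts. */
static enum sig_status parse_type(const char **p, int depth, int array_elem)
{
    const char *s = *p;
    enum sig_status st;
    if (depth > SIG_MAX_DEPTH) return SIG_TOO_DEEP;
    if (*s == '\0') return SIG_TRUNCATED;           /* e.g. a trailing "a" */
    if (is_basic(*s) || *s == 'v') { *p = s + 1; return SIG_OK; }
    if (*s == 'a') { *p = s + 1; return parse_type(p, depth + 1, 1); }
    if (*s == '(') {                                /* struct: one or more complete types */
        if (*++s == ')') return SIG_EMPTY_STRUCT;
        while (*s != ')') {
            if (*s == '\0') return SIG_UNBALANCED;
            if ((st = parse_type(&s, depth + 1, 0)) != SIG_OK) return st;
        }
        *p = s + 1; return SIG_OK;
    }
    if (*s == '{') {                                /* dict entry: basic key + one value */
        if (!array_elem) return SIG_BAD_DICT;       /* only legal as an array element */
        if (!is_basic(*++s)) return SIG_BAD_DICT;
        if (*++s == '}') return SIG_BAD_DICT;       /* missing value type */
        if ((st = parse_type(&s, depth + 1, 0)) != SIG_OK) return st;
        if (*s != '}') return SIG_BAD_DICT;         /* more than one value type */
        *p = s + 1; return SIG_OK;
    }
    return SIG_BAD_CHAR;                            /* stray ')', '}' or unknown code */
}

/* Validate a whole signature: zero or more complete types within the length cap. */
enum sig_status signature_validate(const char *sig)
{
    const char *p = sig;
    if (strlen(sig) > SIG_MAX_LEN) return SIG_TOO_LONG;
    while (*p != '\0') {
        enum sig_status st = parse_type(&p, 0, 0);
        if (st != SIG_OK) return st;
    }
    return SIG_OK;
}
```

A caller that gets anything other than SIG_OK drops the message and keeps serving the bus, which is the behaviour an assertion-based check cannot offer.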
Reply sent to Steffen Joeris <white@debian.org>: You have taken responsibility. (Mon, 03 Nov 2008 20:21:08 GMT)
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer. (Mon, 03 Nov 2008 20:21:09 GMT)
Message #34 received at 501443-close@bugs.debian.org:
Source: dbus
Source-Version: 1.0.2-1+etch4
We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:
dbus-1-doc_1.0.2-1+etch4_all.deb to pool/main/d/dbus/dbus-1-doc_1.0.2-1+etch4_all.deb
dbus-1-utils_1.0.2-1+etch4_i386.deb to pool/main/d/dbus/dbus-1-utils_1.0.2-1+etch4_i386.deb
dbus_1.0.2-1+etch4.diff.gz to pool/main/d/dbus/dbus_1.0.2-1+etch4.diff.gz
dbus_1.0.2-1+etch4.dsc to pool/main/d/dbus/dbus_1.0.2-1+etch4.dsc
dbus_1.0.2-1+etch4_i386.deb to pool/main/d/dbus/dbus_1.0.2-1+etch4_i386.deb
libdbus-1-3_1.0.2-1+etch4_i386.deb to pool/main/d/dbus/libdbus-1-3_1.0.2-1+etch4_i386.deb
libdbus-1-dev_1.0.2-1+etch4_i386.deb to pool/main/d/dbus/libdbus-1-dev_1.0.2-1+etch4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 501443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated dbus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Tue, 21 Oct 2008 10:25:43 +0000
Source: dbus
Binary: dbus-1-doc libdbus-1-dev libdbus-1-3 dbus dbus-1-utils
Architecture: source all i386
Version: 1.0.2-1+etch4
Distribution: stable-security
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description:
dbus - simple interprocess messaging system
dbus-1-doc - simple interprocess messaging system (documentation)
dbus-1-utils - simple interprocess messaging system (utilities)
libdbus-1-3 - simple interprocess messaging system
libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 501443
Changes:
dbus (1.0.2-1+etch4) stable-security; urgency=high
.
* Non-maintainer upload by the security team
* The dbus_signature_validate function does not validate properly,
which could be used to perform a DoS (Closes: #501443)
Fixes: CVE-2008-3834
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 Dec 2008 07:28:46 GMT)
Last modified: Wed Jun 19 14:00:58 2019