dbus: CVE-2008-3834, possible DoS


Debian Bug report logs - #501443
dbus: CVE-2008-3834, possible DoS


Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Tue, 7 Oct 2008 12:03:01 UTC

Severity: grave

Tags: patch, security

Found in version dbus/1.2.1-3

Fixed in versions dbus/1.2.1-4, dbus/1.0.2-1+etch4

Done: Steffen Joeris <white@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#501443; Package dbus. (Tue, 07 Oct 2008 12:03:05 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 07 Oct 2008 12:03:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-0595: possible DoS
Date: Tue, 07 Oct 2008 22:01:12 +1100
Package: dbus
Version: 1.2.1-3
Severity: important
Tags: security, patch

Hi

There is a potential DoS in dbus. Please see the upstream bug for
more explanations[0]. The patch is attached[1] to the bug and there is
also a Red Hat bug[2] about it. I am still unsure about the severity
and want to figure out how common the vulnerability would be, but
I wanted to let you know, so you can work on updated packages for
sid and lenny already.

Please mention the CVE id in your changelog when you fix this issue.

Cheers
Steffen

[0]: https://bugs.freedesktop.org/show_bug.cgi?id=17803

[1]: https://bugs.freedesktop.org/attachment.cgi?id=19288

[2]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4434




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#501443; Package dbus. (Mon, 20 Oct 2008 18:24:11 GMT)


Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Mon, 20 Oct 2008 18:24:11 GMT)


Message #10 received at 501443@bugs.debian.org:

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: 501443@bugs.debian.org, debian-security@lists.debian.org, control@bugs.debian.org
Subject: re: CVE-2008-0595: possible DoS in dbus
Date: Mon, 20 Oct 2008 14:23:46 -0400
retitle 501443 dbus: CVE-2008-3834, possible DoS
thank you

hello, now that ubuntu has released fixes for this issue [1], can we
hope to see the same action from debian soon?

note also that the original report had the wrong CVE in the title
(which i've fixed) and has a different wrong CVE in one of the links
in the message.  the correct CVE link is [2].

[1] http://www.ubuntu.com/usn/usn-653-1
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3834




Changed Bug title to `dbus: CVE-2008-3834, possible DoS' from `CVE-2008-0595: possible DoS'. Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Mon, 20 Oct 2008 18:24:12 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#501443; Package dbus. (Mon, 20 Oct 2008 21:21:05 GMT)


Acknowledgement sent to Michael Biebl <biebl@teco.edu>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Mon, 20 Oct 2008 21:21:05 GMT)


Message #17 received at 501443@bugs.debian.org:

From: Michael Biebl <biebl@teco.edu>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 501443@bugs.debian.org
Cc: debian-security@lists.debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#501443: CVE-2008-0595: possible DoS in dbus
Date: Mon, 20 Oct 2008 23:18:00 +0200
Quoting Michael Gilbert <michael.s.gilbert@gmail.com>:

> retitle 501443 dbus: CVE-2008-3834, possible DoS
> thank you
>
> hello, now that ubuntu has released fixes for this issue [1], can we
> hope to see the same action from debian soon?
>

Hi Michael,

thanks for the detailed bug report and apologies for the late reply.
I'll prepare a new release in the next few days and will also try to
get this fix into lenny.

Cheers,
Michael

------------------------------------------------------------
This mail was sent through TecO-Webmail: http://www.teco.edu





Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#501443; Package dbus. (Tue, 21 Oct 2008 11:00:02 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 21 Oct 2008 11:00:02 GMT)


Message #22 received at 501443@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: control@bugs.debian.org
Cc: 501443@bugs.debian.org
Subject: severity of 501443 is grave
Date: Tue, 21 Oct 2008 12:58:09 +0200
# Automatically generated email from bts, devscripts version 2.10.35
# might be a problem in multi-user desktop environments (universities)
severity 501443 grave





Severity set to `grave' from `important'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 21 Oct 2008 11:00:03 GMT)


Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Sat, 25 Oct 2008 14:21:10 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sat, 25 Oct 2008 14:21:10 GMT)


Message #29 received at 501443-close@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: 501443-close@bugs.debian.org
Subject: Bug#501443: fixed in dbus 1.2.1-4
Date: Sat, 25 Oct 2008 14:02:11 +0000
Source: dbus
Source-Version: 1.2.1-4

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:

dbus-1-doc_1.2.1-4_all.deb
  to pool/main/d/dbus/dbus-1-doc_1.2.1-4_all.deb
dbus-x11_1.2.1-4_i386.deb
  to pool/main/d/dbus/dbus-x11_1.2.1-4_i386.deb
dbus_1.2.1-4.diff.gz
  to pool/main/d/dbus/dbus_1.2.1-4.diff.gz
dbus_1.2.1-4.dsc
  to pool/main/d/dbus/dbus_1.2.1-4.dsc
dbus_1.2.1-4_i386.deb
  to pool/main/d/dbus/dbus_1.2.1-4_i386.deb
libdbus-1-3_1.2.1-4_i386.deb
  to pool/main/d/dbus/libdbus-1-3_1.2.1-4_i386.deb
libdbus-1-dev_1.2.1-4_i386.deb
  to pool/main/d/dbus/libdbus-1-dev_1.2.1-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 501443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 25 Oct 2008 15:28:05 +0200
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev
Architecture: source all i386
Version: 1.2.1-4
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description: 
 dbus       - simple interprocess messaging system
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system
 libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 470121 501443 502408
Changes: 
 dbus (1.2.1-4) unstable; urgency=high
 .
   * debian/patches/CVE-2008-3834.patch
     - The dbus_signature_validate function in the D-bus library allows
       attackers to cause a denial of service (application abort) via a message
       containing a malformed signature, which triggers a failed assertion
       error. (Closes: #501443)
       Fixes: CVE-2008-3834
     - Urgency high for the security fix.
   * debian/patches/20-dbus-alpha-unaligned.patch
     - Fix misaligned memory access which causes "unaligned traps" on Alpha.
       (Closes: #502408)
   * debian/dbus.init
     - Add "status" action to init script. (Closes: #470121)
   * debian/control
     - Bump Depends on lsb-base to >= 3.2-14, which provides status_of_proc().
Checksums-Sha1: 
 8d180027e8b2f892130d557176b70451b21dec9d 1536 dbus_1.2.1-4.dsc
 57f92495c731bf1ad921ca3a96753b5d0b3a74c9 27997 dbus_1.2.1-4.diff.gz
 5b7878ed83757e73c3b1ff780535e4a1f24b7698 1819304 dbus-1-doc_1.2.1-4_all.deb
 3c5cd42441fcbeb7b18de4b81f03eaea497810f1 226896 dbus_1.2.1-4_i386.deb
 b40aab7ef9fb9d39094e9945ababb634c1e6b164 63376 dbus-x11_1.2.1-4_i386.deb
 44f354577f02dd3d1bdea2ffa246c449c533c41c 147356 libdbus-1-3_1.2.1-4_i386.deb
 fb22eb9f932c2ef75db8c7533a8dbe2860626da3 234420 libdbus-1-dev_1.2.1-4_i386.deb
Checksums-Sha256: 
 af0e09cd8578c9069021306c3772039c1e3f71211d886dac6adbe79ba07876f2 1536 dbus_1.2.1-4.dsc
 960ccc3821965de3d6af4bedcb8289058dc7105c4072623082a9f808068856d7 27997 dbus_1.2.1-4.diff.gz
 c27edca261375c292b4d59718f6cbc0b56bfe4c60da288104a5294486e50c2a1 1819304 dbus-1-doc_1.2.1-4_all.deb
 e0980eaa8523a31cd87b1435dc32f668b80a1b04cd87be2fafc8684146b2360f 226896 dbus_1.2.1-4_i386.deb
 672f50e6d668ad0ceee30041b13a3c60dd1f98960f4c3b8f1c6e9c1976475201 63376 dbus-x11_1.2.1-4_i386.deb
 8177472dc960b1f40aa814d8e7569c1ae0075fffd4e3574ebcd4e50d01d8a320 147356 libdbus-1-3_1.2.1-4_i386.deb
 10d4ecb7e15c7dc6afa3d725a223d1681b251fcfa9d0dfa092c831fcb2694b65 234420 libdbus-1-dev_1.2.1-4_i386.deb
Files: 
 6d6daf14f915c633c79b80fa09d275b9 1536 devel optional dbus_1.2.1-4.dsc
 cb4627493d5e1b3413f2a71d878f5498 27997 devel optional dbus_1.2.1-4.diff.gz
 862f32a303238c6ba1189c3f18d40677 1819304 doc optional dbus-1-doc_1.2.1-4_all.deb
 59de750c0db0f803f239e605e30929f0 226896 devel optional dbus_1.2.1-4_i386.deb
 02345c5d82d75394ef54d97687c8f0cf 63376 x11 optional dbus-x11_1.2.1-4_i386.deb
 9350602471beaf8c042547993c781112 147356 libs optional libdbus-1-3_1.2.1-4_i386.deb
 e4e9391d9abe8f9cc0b0dc7657bd2c75 234420 libdevel optional libdbus-1-dev_1.2.1-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkDIm4ACgkQh7PER70FhVT4lwCaArKN4KEF5XE9NUvGCoLzjtK4
C4wAoKvpi33yLrhuQ+VxSY5MCc1uYK19
=a05U
-----END PGP SIGNATURE-----





Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Mon, 03 Nov 2008 20:21:08 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Mon, 03 Nov 2008 20:21:09 GMT)


Message #34 received at 501443-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 501443-close@bugs.debian.org
Subject: Bug#501443: fixed in dbus 1.0.2-1+etch4
Date: Mon, 03 Nov 2008 19:52:28 +0000
Source: dbus
Source-Version: 1.0.2-1+etch4

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:

dbus-1-doc_1.0.2-1+etch4_all.deb
  to pool/main/d/dbus/dbus-1-doc_1.0.2-1+etch4_all.deb
dbus-1-utils_1.0.2-1+etch4_i386.deb
  to pool/main/d/dbus/dbus-1-utils_1.0.2-1+etch4_i386.deb
dbus_1.0.2-1+etch4.diff.gz
  to pool/main/d/dbus/dbus_1.0.2-1+etch4.diff.gz
dbus_1.0.2-1+etch4.dsc
  to pool/main/d/dbus/dbus_1.0.2-1+etch4.dsc
dbus_1.0.2-1+etch4_i386.deb
  to pool/main/d/dbus/dbus_1.0.2-1+etch4_i386.deb
libdbus-1-3_1.0.2-1+etch4_i386.deb
  to pool/main/d/dbus/libdbus-1-3_1.0.2-1+etch4_i386.deb
libdbus-1-dev_1.0.2-1+etch4_i386.deb
  to pool/main/d/dbus/libdbus-1-dev_1.0.2-1+etch4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 501443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 21 Oct 2008 10:25:43 +0000
Source: dbus
Binary: dbus-1-doc libdbus-1-dev libdbus-1-3 dbus dbus-1-utils
Architecture: source all i386
Version: 1.0.2-1+etch4
Distribution: stable-security
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 dbus       - simple interprocess messaging system
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-1-utils - simple interprocess messaging system (utilities)
 libdbus-1-3 - simple interprocess messaging system
 libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 501443
Changes: 
 dbus (1.0.2-1+etch4) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * The dbus_signature_validate function does not validate properly,
     which could be used to perform a DoS (Closes: #501443)
     Fixes: CVE-2008-3834
Files: 
 476bb3df500c50f67b4088317482e0ef 824 devel optional dbus_1.0.2-1+etch4.dsc
 27df2fd0bc5cb93069d6c10d89e0214a 19909 devel optional dbus_1.0.2-1+etch4.diff.gz
 68e4e1787515928f95af670ec2677663 1623126 doc optional dbus-1-doc_1.0.2-1+etch4_all.deb
 cfa20eea1e6e8be195d520199e8415c6 349844 devel optional dbus_1.0.2-1+etch4_i386.deb
 ebf1993ab8d40f4d10becd43324c3fb7 269032 libs optional libdbus-1-3_1.0.2-1+etch4_i386.deb
 98c8270b762a20bffc194124562c2a68 184284 utils optional dbus-1-utils_1.0.2-1+etch4_i386.deb
 116b0084af4713242092e2b07a64734f 335874 libdevel optional libdbus-1-dev_1.0.2-1+etch4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkj9t8sACgkQ62zWxYk/rQdFVACcCAdNfJeB+vAT6vyHFXNcxX3+
tlwAoL5t1EEXce7Z/s0jl43aq53UzFLp
=q7OK
-----END PGP SIGNATURE-----
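Both changelog entries above (1.2.1-4 and 1.0.2-1+etch4) describe the same defect: dbus_signature_validate, the routine whose job is to reject bad type signatures, instead tripped an assertion on a malformed one, so a single bad message could abort the receiving process. The validator below is an added example, not code from dbus or libdbus, showing the shape such a check should have: it parses the D-Bus signature grammar (basic types y b n q i u x t d s o g h, the variant v, arrays, non-empty structs, and dict entries that may only appear as an array element) and reports every malformed input as a returned error object rather than an assertion failure. The limits it enforces (255-byte maximum length, 32 nested array codes, 32 nested struct codes) follow the current D-Bus specification; counting dict entries against the struct limit, and including the h type code that the 1.2-era library did not yet know, are this example's assumptions.

```python
"""Defensive D-Bus type-signature validator (added example, not libdbus code).

Every malformed input yields a SignatureError value; nothing asserts or
raises out of validate_signature, so a service handling messages from
untrusted peers can reject the message and keep running.
"""
from dataclasses import dataclass
from typing import Optional

# Basic (non-container) type codes per the current D-Bus specification.
# 'h' (unix fd) is assumed here; dbus 1.2.1 predates it.
BASIC_TYPES = frozenset("ybnqiuxtdsogh")
MAX_SIGNATURE_LENGTH = 255   # spec limit
MAX_ARRAY_DEPTH = 32         # spec limit on nested 'a' codes
MAX_STRUCT_DEPTH = 32        # spec limit on nested '(' codes; dict entries counted here too (assumption)


@dataclass(frozen=True)
class SignatureError:
    position: int   # byte offset of the offending type code
    reason: str


class _Malformed(Exception):
    """Internal signal carrying the first error; never escapes validate_signature."""
    def __init__(self, position: int, reason: str) -> None:
        super().__init__(reason)
        self.position = position
        self.reason = reason


def validate_signature(sig: str) -> Optional[SignatureError]:
    """Return None if sig is a well-formed signature, otherwise the first error found."""
    if len(sig) > MAX_SIGNATURE_LENGTH:
        return SignatureError(0, f"signature longer than {MAX_SIGNATURE_LENGTH} bytes")
    n = len(sig)

    def single_complete_type(pos: int, arrays: int, structs: int, as_array_element: bool) -> int:
        """Parse one single complete type starting at pos; return the offset just after it."""
        if pos >= n:
            raise _Malformed(pos, "unexpected end of signature")
        c = sig[pos]
        if c in BASIC_TYPES or c == "v":
            return pos + 1
        if c == "a":
            if arrays + 1 > MAX_ARRAY_DEPTH:
                raise _Malformed(pos, f"array nesting deeper than {MAX_ARRAY_DEPTH}")
            # Only the element type directly under an array may be a dict entry.
            return single_complete_type(pos + 1, arrays + 1, structs, True)
        if c == "(":
            if structs + 1 > MAX_STRUCT_DEPTH:
                raise _Malformed(pos, f"struct nesting deeper than {MAX_STRUCT_DEPTH}")
            end = pos + 1
            if end < n and sig[end] == ")":
                raise _Malformed(pos, "empty struct")
            while end < n and sig[end] != ")":
                end = single_complete_type(end, arrays, structs + 1, False)
            if end >= n:
                raise _Malformed(pos, "unterminated struct")
            return end + 1
        if c == "{":
            if not as_array_element:
                raise _Malformed(pos, "dict entry outside an array")
            if structs + 1 > MAX_STRUCT_DEPTH:
                raise _Malformed(pos, f"dict entry nesting deeper than {MAX_STRUCT_DEPTH}")
            key = pos + 1
            if key >= n or sig[key] not in BASIC_TYPES:
                raise _Malformed(key, "dict entry key must be a basic type")
            end = single_complete_type(key + 1, arrays, structs + 1, False)
            if end >= n or sig[end] != "}":
                raise _Malformed(end, "dict entry must contain exactly a key and a value")
            return end + 1
        raise _Malformed(pos, f"unknown type code {c!r}")

    pos = 0
    try:
        while pos < n:   # a signature is zero or more single complete types
            pos = single_complete_type(pos, 0, 0, False)
    except _Malformed as e:
        return SignatureError(e.position, e.reason)
    return None


def is_valid_signature(sig: str) -> bool:
    return validate_signature(sig) is None


if __name__ == "__main__":
    # Constructed samples: well-formed signatures first, then malformed ones.
    for s in ["", "s", "a{sv}", "(ii)", "aa{s(ib)}",
              "a", "{sv}", "a{vv}", "()", "(i", "z", "a" * 33 + "i"]:
        print(repr(s), "->", validate_signature(s) or "ok")
```

The point to carry over to any message parser: validation of peer-supplied data must terminate in a returned verdict on every input, and assertions belong only behind checks that have already rejected the bad cases. Recursion depth here is bounded by the two nesting limits, so a long run of `a` or `(` characters is refused at depth 33 rather than exhausting the stack.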





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 Dec 2008 07:28:46 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:00:58 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.