CVE-2013-2168: dbus: DoS in system services caused by _dbus_printf_string_upper_bound
Simon McVittie
simon.mcvittie at collabora.co.uk
Thu Jun 13 04:50:20 PDT 2013
Alexandru Cornea discovered a vulnerability in libdbus caused by an
implementation bug in _dbus_printf_string_upper_bound(). This
vulnerability can be exploited by a local user to crash system services
that use libdbus, causing denial of service. It is platform-specific:
x86-64 Linux is known to be affected.

This vulnerability is tracked as CVE-2013-2168 and is fixed in D-Bus
stable releases 1.4.26 and 1.6.12, and development release 1.7.4.
Upgrading is recommended.

Distributors who backport security fixes should use this commit:
http://cgit.freedesktop.org/dbus/dbus/commit/?id=954d75b2b64e4799f360d2a6bf9cff6d9fee37e7

On Unix platforms, this vulnerability was introduced in dbus versions
1.4.16 and 1.5.8 while fixing a portability bug, freedesktop.org #11668.
The 1.2.x branch is not vulnerable.

On Windows, a similar bug exists in all branches that have Windows
support. The D-Bus project does not support security-sensitive uses of
D-Bus on Windows.

Regards,
Simon
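The announcement above does not show the code. The example below is an added illustration, written for this page and not taken from libdbus, of the bug class behind a "printf upper bound" helper and of the discipline the referenced fix commit adopts: copying the va_list with va_copy before every vsnprintf, so that the caller's va_list is never reused after a callee has consumed it. On x86-64 System V, va_list is an array type, so passing it to a function passes a pointer and the callee's vsnprintf advances the caller's state; a second vsnprintf on the same va_list (for instance when a first, fixed-size buffer turned out to be too small) is undefined behaviour and is the kind of thing that crashes a bus-connected service on a long log message. The function names, the 1024-byte first buffer, the size cap and the test strings are all mine, chosen to show the pattern, not dbus's own values or API.

```c
/* Added example (not libdbus code): computing the length a formatted string
 * would need, then formatting it, without ever consuming the caller's va_list.
 * The 1024-byte first-try buffer and the growth cap are assumptions for the
 * illustration, not values from the advisory or from dbus. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIRST_BUF_SIZE 1024      /* assumed first-try buffer size */
#define MAX_BUF_SIZE   (1u << 24) /* assumed growth cap for pre-C99 vsnprintf */

/* Return the number of bytes (excluding the NUL) that formatting would
 * produce, or -1 on error. The caller's va_list is left untouched: every
 * vsnprintf call gets its own va_copy, and the copy is va_end'ed right after.
 * The vulnerable pattern would be "vsnprintf(buf, n, format, args)" twice
 * in a row on the same args. */
int printf_string_upper_bound(const char *format, va_list args)
{
    char first_buf[FIRST_BUF_SIZE];
    size_t bufsize = sizeof first_buf;
    va_list args_copy;
    int len;

    va_copy(args_copy, args);
    len = vsnprintf(first_buf, bufsize, format, args_copy);
    va_end(args_copy);

    /* C99/POSIX vsnprintf returns the full length even when it truncated,
     * so one call is enough and no retry is needed. */
    if (len >= 0)
        return len;

    /* Pre-C99 implementations return -1 on truncation: grow and retry, but
     * only ever with a fresh copy of the original va_list. */
    while (len < 0 && bufsize < MAX_BUF_SIZE) {
        char *buf;
        bufsize *= 2;
        buf = malloc(bufsize);
        if (buf == NULL)
            return -1;
        va_copy(args_copy, args);
        len = vsnprintf(buf, bufsize, format, args_copy);
        va_end(args_copy);
        free(buf);
    }
    return len;
}

/* Format into a freshly allocated string: first ask for the bound, then
 * format for real from the same, still valid, va_list. NULL on failure. */
char *strdup_vprintf(const char *format, va_list args)
{
    va_list args_copy;
    char *out;
    int len = printf_string_upper_bound(format, args);

    if (len < 0)
        return NULL;
    out = malloc((size_t)len + 1);
    if (out == NULL)
        return NULL;
    va_copy(args_copy, args);
    vsnprintf(out, (size_t)len + 1, format, args_copy);
    va_end(args_copy);
    return out;
}

char *strdup_printf(const char *format, ...)
{
    va_list args;
    char *out;
    va_start(args, format);
    out = strdup_vprintf(format, args);
    va_end(args);
    return out;
}

/* Exercise the path that matters: a message longer than the first-try
 * buffer, i.e. exactly the case where a consumed va_list would have been
 * reused. Returns the formatted length if the content is intact, else -1. */
long long_message_check(void)
{
    char filler[2 * FIRST_BUF_SIZE + 1];   /* constructed input */
    char *s;
    long n;

    memset(filler, 'A', sizeof filler - 1);
    filler[sizeof filler - 1] = '\0';
    s = strdup_printf("error from %s: %s (%d)", "peer", filler, 42);
    if (s == NULL)
        return -1;
    n = (long)strlen(s);
    if (strncmp(s, "error from peer: AAAA", 21) != 0 || s[n - 1] != ')')
        n = -1;
    free(s);
    return n;
}

int main(void)
{
    printf("long message formatted length: %ld\n", long_message_check());
    return 0;
}
```

The check on a 2 KiB message is the point of the example: with the va_copy discipline the second pass formats correctly, whereas reusing a va_list that a callee has already walked is undefined behaviour on every platform and a reliable crash on x86-64.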