CVE-2013-2168: dbus: DoS in system services caused by _dbus_printf_string_upper_bound

Simon McVittie simon.mcvittie at
Thu Jun 13 04:50:20 PDT 2013

Alexandru Cornea discovered a vulnerability in libdbus caused by an
implementation bug in _dbus_printf_string_upper_bound(). This
vulnerability can be exploited by a local user to crash system services
that use libdbus, causing denial of service. It is platform-specific:
x86-64 Linux is known to be affected.

This vulnerability is tracked as CVE-2013-2168 and is fixed in D-Bus
stable releases 1.4.26 and 1.6.12, and development release 1.7.4.
Upgrading is recommended.

Distributors who backport security fixes should use this commit:

On Unix platforms, this vulnerability was introduced in dbus versions
1.4.16 and 1.5.8 while fixing a portability bug, #11668.
The 1.2.x branch is not vulnerable.

On Windows, a similar bug exists in all branches that have Windows
support. The D-Bus project does not support security-sensitive uses of
D-Bus on Windows.
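The Unix version ranges stated above can be turned into a triage check. This is an added example, not code from the D-Bus project; the function names are hypothetical, and treating branches older than 1.4 as unaffected and branches newer than 1.7 as fixed is an assumption drawn from the ranges in this advisory.

```python
import re

# Ranges taken from the advisory text (Unix platforms only).
INTRODUCED = {(1, 4): 16, (1, 5): 8}          # first vulnerable release per branch
FIXED = {(1, 4): 26, (1, 6): 12, (1, 7): 4}   # first fixed release per branch


def parse_version(text):
    """Extract (major, minor, micro) from strings such as '1.6.8-1ubuntu6'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def cve_2013_2168_status(text):
    """Return 'not affected', 'affected' or 'fixed' for an upstream dbus version."""
    major, minor, micro = parse_version(text)
    branch = (major, minor)
    # Assumption: branches older than 1.4 predate the bug (the advisory names
    # 1.2.x), and branches newer than 1.7 inherit the fix.
    if branch < (1, 4):
        return "not affected"
    if branch > (1, 7):
        return "fixed"
    # 1.4.0-1.4.15 and 1.5.0-1.5.7 were released before the bug was introduced.
    if branch in INTRODUCED and micro < INTRODUCED[branch]:
        return "not affected"
    # The advisory names no fixed 1.5.x release, so 1.5.8 and later stay 'affected'.
    if branch in FIXED and micro >= FIXED[branch]:
        return "fixed"
    return "affected"


if __name__ == "__main__":
    # Constructed sample inputs; the last imitates a distribution package version.
    for sample in ("1.2.24", "1.4.20", "1.5.10", "1.6.12", "1.7.3", "1.6.8-1ubuntu6"):
        print(f"{sample:16} {cve_2013_2168_status(sample)}")
```

A distribution package can report an "affected" upstream version while carrying the backported fix, so confirm against the distributor's changelog before acting on the result.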

