SecurityTracker.com
Category:   Application (Generic)  >   D-BUS
Vendors:   Freedesktop.org
D-Bus _dbus_printf_string_upper_bound() Error Lets Local Users Deny Service
SecurityTracker Alert ID:  1028667
SecurityTracker URL:  http://securitytracker.com/id/1028667
CVE Reference:   CVE-2013-2168
Date:  Jun 13 2013
Impact:   Denial of service via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.4.16 - 1.4.26, 1.5.8 - 1.6.12
Description:   A vulnerability was reported in D-Bus. A local user can cause denial of service conditions.

A local user can trigger an error in _dbus_printf_string_upper_bound() and cause the target service using libdbus to crash.

x86-64 Linux is affected.

Alexandru Cornea reported this vulnerability.

Impact:   A local user can cause the target service using libdbus to crash.
Solution:   The vendor has issued a fix (1.4.26, 1.6.12, 1.7.4).
Vendor URL:  www.freedesktop.org/Software/dbus
Cause:   State error
Underlying OS:  Linux (Any)

Message History:   None.


 Source Message Contents

Subject:  [oss-security] CVE-2013-2168: dbus: DoS in system services caused by _dbus_printf_string_upper_bound

Alexandru Cornea discovered a vulnerability in libdbus caused by an
implementation bug in _dbus_printf_string_upper_bound(). This
vulnerability can be exploited by a local user to crash system services
that use libdbus, causing denial of service. It is platform-specific:
x86-64 Linux is known to be affected.

This vulnerability is tracked as CVE-2013-2168 and is fixed in D-Bus
stable releases 1.4.26 and 1.6.12, and development release 1.7.4.
Upgrading is recommended.

Distributors who backport security fixes should use this commit:
http://cgit.freedesktop.org/dbus/dbus/commit/?id=954d75b2b64e4799f360d2a6bf9cff6d9fee37e7

On Unix platforms, this vulnerability was introduced in dbus versions
1.4.16 and 1.5.8 while fixing a portability bug, freedesktop.org #11668.
The 1.2.x branch is not vulnerable.

On Windows, a similar bug exists in all branches that have Windows
support. The D-Bus project does not support security-sensitive uses of
D-Bus on Windows.

Regards,
    Simon

 
 

