[Secure-testing-commits] r45177 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Mon Oct 10 12:27:49 UTC 2016
Author: carnil
Date: 2016-10-10 12:27:49 +0000 (Mon, 10 Oct 2016)
New Revision: 45177
Modified:
data/CVE/list
Log:
Add temporary entry for new dbus issue
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-10-10 08:17:08 UTC (rev 45176)
+++ data/CVE/list 2016-10-10 12:27:49 UTC (rev 45177)
@@ -1,3 +1,17 @@
+CVE-2016-XXXX [dbus format string vulnerability]
+ - dbus <unfixed>
+ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=98157
+ NOTE: Versions affected: dbus >= 1.4.0
+ NOTE: Fixed in: dbus >= 1.11.6, 1.10.x >= 1.10.12, 1.8.x >= 1.8.22
+ NOTE: http://www.openwall.com/lists/oss-security/2016/10/10/9
+ NOTE: In Debian CVE-2015-0245 was already fixed, and this issue is
+ NOTE: not believed to be exploitable in practice, because the relevant
+ NOTE: message is ignored unless it comes from the owner of the bus name
+ NOTE: org.freedesktop.systemd1. On the system bus, this bus name is only
+ NOTE: allowed to be owned by uid 0; it is intended to be owned by systemd,
+ NOTE: and no mechanism is currently known by which an attacker who does not
+ NOTE: already have root privileges could induce systemd to send messages
+ NOTE: that would trigger the format string vulnerability.
CVE-2016-XXXX [dwarf_util.c: heap-based buffer overflow in _dwarf_get_size_of_val]
- dwarfutils <unfixed>
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/10/08/11
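Review bot: The `- dbus <unfixed>` status line carries no urgency annotation, although the NOTE block below it concludes that the issue is "not believed to be exploitable in practice". Consider recording that assessment on the status line itself (for example as a low-urgency tag) so it is visible in triage and not only in free text. The NOTE that begins "In Debian CVE-2015-0245 was already fixed" also does not say how that earlier CVE relates to the mitigation described after it; a short clause stating the connection would make the reasoning checkable. Since this is a temporary entry, a pointer to a Debian bug alongside the upstream freedesktop.org reference would help whoever replaces the CVE-2016-XXXX placeholder later.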