[Pkg-utopia-maintainers] Bug#629938: libdbus-1-3: local DoS via messages with non-native byte order

Simon McVittie smcv at debian.org
Thu Jun 9 18:20:27 UTC 2011


Package: libdbus-1-3
Version: 1.4.8-3
Severity: normal
Tags: security
Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=38120

libdbus-1-3, used by dbus-daemon, swaps the byte-order of incoming messages
into native endianness but does not swap the byte-order mark in messages
when swapping their byte order. As a result, if a message in non-native byte
order is sent through dbus-daemon to a system service like Avahi or
NetworkManager, that system service is likely to interpret the message as
invalid and disconnect from the system bus, leading to a local DoS.

This was raised, and promptly forgotten about, in 2007 (!), so it's already
public information. A fix is awaiting review upstream.

Debian Security Team, could you allocate a CVE ID if appropriate, please?
I suspect this is a job for stable-proposed-updates rather than a DSA, though.

Regards,
    S
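
Added example, not part of the original report and not libdbus code: a small C model of the behaviour described above, using the fixed D-Bus header layout (byte 0 is the byte-order mark, 'l' or 'B'; bytes 4-15 hold three uint32 fields). The names relay_swap and receiver_accepts, the simplified receiver check and the sample header are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 16              /* fixed header part, incl. header-field array length */
#define MAX_MSG_LEN (1u << 27)  /* D-Bus maximum message length: 128 MiB */

/* Read a uint32 at p in the byte order named by the mark ('l' or 'B'). */
static uint32_t rd32(const uint8_t *p, uint8_t mark) {
    return mark == 'l'
        ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
        : (uint32_t)p[3] | (uint32_t)p[2] << 8 | (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24;
}

static void rev32(uint8_t *p) {
    uint8_t t = p[0]; p[0] = p[3]; p[3] = t;
    t = p[1]; p[1] = p[2]; p[2] = t;
}

/* Model of the relay step: reverse the three uint32 header fields.
 * fix_mark == 0 reproduces the reported behaviour (byte 0 left untouched). */
void relay_swap(uint8_t *hdr, int fix_mark) {
    for (int off = 4; off < HDR_LEN; off += 4) rev32(hdr + off);
    if (fix_mark) hdr[0] = (hdr[0] == 'l') ? 'B' : 'l';
}

/* Simplified receiver check (assumption): trust byte 0, then sanity-check lengths.
 * Returns 1 if the header is acceptable, 0 if the peer would treat it as invalid. */
int receiver_accepts(const uint8_t *hdr, uint32_t *body_len) {
    if (hdr[0] != 'l' && hdr[0] != 'B') return 0;
    *body_len = rd32(hdr + 4, hdr[0]);
    uint32_t fields_len = rd32(hdr + 12, hdr[0]);
    return *body_len <= MAX_MSG_LEN && fields_len <= MAX_MSG_LEN;
}

/* Constructed sample: big-endian method call, 16-byte body, serial 1, 0x6e bytes of fields. */
const uint8_t SAMPLE[HDR_LEN] = { 'B', 1, 0, 1,  0,0,0,16,  0,0,0,1,  0,0,0,0x6e };

int main(void) {
    for (int fix = 0; fix <= 1; fix++) {
        uint8_t h[HDR_LEN]; uint32_t len = 0;
        memcpy(h, SAMPLE, HDR_LEN);
        relay_swap(h, fix);
        int ok = receiver_accepts(h, &len);
        printf("mark fixed=%d -> mark '%c', body_len=%u, accepted=%d\n", fix, h[0], (unsigned)len, ok);
    }
    return 0;
}
```

With the mark left unchanged, the receiver decodes the already-swapped 16-byte body length as 0x10000000 and rejects the header; with the mark updated, it reads 16 and accepts.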




