Executive Summary

Summary
Title D-Bus: Denial of Service
Informations
Name GLSA-200901-04 First vendor Publication 2009-01-11
Vendor Gentoo Last vendor Modification 2009-01-11
Severity (Vendor) Normal Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:N/I:N/A:P)
Cvss Base Score 2.1 Attack Range Local
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

An error condition can cause D-Bus to crash.

Background

D-Bus is a daemon providing a framework for applications to communicate with one another.

Description

schelte reported that the dbus_signature_validate() function can trigger a failed assertion when processing a message containing a malformed signature.

Impact

A local user could send a specially crafted message to the D-Bus daemon, leading to a Denial of Service.

Workaround

There is no known workaround at this time.

Resolution

All D-Bus users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/dbus-1.2.3-r1"

References

[ 1 ] CVE-2008-3834 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3834

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200901-04.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-200901-04.xml

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10253
 
Oval ID: oval:org.mitre.oval:def:10253
Title: The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error.
Description: The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error.
Family: unix Class: vulnerability
Reference(s): CVE-2008-3834
 Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:17531
 
Oval ID: oval:org.mitre.oval:def:17531
Title: USN-653-1 -- dbus vulnerabilities
Description: Havoc Pennington discovered that the D-Bus daemon did not correctly validate certain security policies.
Family: unix Class: patch
Reference(s): USN-653-1
CVE-2008-0595
CVE-2008-3834
 Version: 7
Platform(s): Ubuntu 6.06
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04
 Product(s): dbus
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18560
 
Oval ID: oval:org.mitre.oval:def:18560
Title: DSA-1658-1 dbus - denial of service
Description: Colin Walters discovered that the dbus_signature_validate function in dbus, a simple interprocess messaging system, is prone to a denial of service attack.
Family: unix Class: patch
Reference(s): DSA-1658-1
CVE-2008-3834
 Version: 7
Platform(s): Debian GNU/Linux 4.0
 Product(s): dbus
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21763
 
Oval ID: oval:org.mitre.oval:def:21763
Title: ELSA-2009:0008: dbus security update (Moderate)
Description: The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error.
Family: unix Class: patch
Reference(s): ELSA-2009:0008-01
CVE-2008-3834
 Version: 6
Platform(s): Oracle Linux 5
 Product(s): dbus
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:29288
 
Oval ID: oval:org.mitre.oval:def:29288
Title: RHSA-2009:0008 -- dbus security update (Moderate)
Description: Updated dbus packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility. A denial-of-service flaw was discovered in the system for sending messages between applications. A local user could send a message with a malformed signature to the bus causing the bus (and, consequently, any process using libdbus to receive messages) to abort. (CVE-2008-3834)
Family: unix Class: patch
Reference(s): RHSA-2009:0008
CESA-2009:0008-CentOS 5
CVE-2008-3834
 Version: 3
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
 Product(s): dbus
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:8101
 
Oval ID: oval:org.mitre.oval:def:8101
Title: DSA-1658 dbus -- programming error
Description: Colin Walters discovered that the dbus_signature_validate function in dbus, a simple interprocess messaging system, is prone to a denial of service attack.
Family: unix Class: patch
Reference(s): DSA-1658
CVE-2008-3834
 Version: 3
Platform(s): Debian GNU/Linux 4.0
 Product(s): dbus
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 47
Application 3
Application 1

ExploitDB Exploits

id Description
2009-01-19 D-Bus Daemon < 1.2.4 - (libdbus) Denial of Service Exploit

OpenVAS Exploits

Date Description
2011-08-09 Name : CentOS Update for dbus CESA-2009:0008 centos5 i386
File : nvt/gb_CESA-2009_0008_dbus_centos5_i386.nasl
2011-08-09 Name : CentOS Update for dbus CESA-2010:0018 centos5 i386
File : nvt/gb_CESA-2010_0018_dbus_centos5_i386.nasl
2010-01-15 Name : RedHat Update for dbus RHSA-2010:0018-01
File : nvt/gb_RHSA-2010_0018-01_dbus.nasl
2009-12-10 Name : Mandriva Security Advisory MDVSA-2009:256-1 (dbus)
File : nvt/mdksa_2009_256_1.nasl
2009-10-13 Name : Mandrake Security Advisory MDVSA-2009:256 (dbus)
File : nvt/mdksa_2009_256.nasl
2009-10-13 Name : SLES10: Security update for dbus
File : nvt/sles10_dbus-10.nasl
2009-04-09 Name : Mandriva Update for dbus MDVSA-2008:213 (dbus)
File : nvt/gb_mandriva_MDVSA_2008_213.nasl
2009-03-23 Name : Ubuntu Update for dbus vulnerabilities USN-653-1
File : nvt/gb_ubuntu_USN_653_1.nasl
2009-02-17 Name : Fedora Update for dbus FEDORA-2008-8764
File : nvt/gb_fedora_2008_8764_dbus_fc9.nasl
2009-01-13 Name : Gentoo Security Advisory GLSA 200901-04 (dbus)
File : nvt/glsa_200901_04.nasl
2009-01-13 Name : CentOS Security Advisory CESA-2009:0008 (dbus)
File : nvt/ovcesa2009_0008.nasl
2009-01-07 Name : RedHat Security Advisory RHSA-2009:0008
File : nvt/RHSA_2009_0008.nasl
2008-11-01 Name : Debian Security Advisory DSA 1658-1 (dbus)
File : nvt/deb_1658_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
48990 D-bus Library (libdbus) dbus_signature_validate Function Malformed Signature ...

Nessus® Vulnerability Scanner

Date Description
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-750.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0018.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2009-0008.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20090107_dbus_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2011-12-13 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_dbus-1-7482.nasl - Type : ACT_GATHER_INFO
2011-04-29 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_dbus-1-7483.nasl - Type : ACT_GATHER_INFO
2011-04-29 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_dbus-1-110418.nasl - Type : ACT_GATHER_INFO
2010-01-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0018.nasl - Type : ACT_GATHER_INFO
2010-01-08 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0018.nasl - Type : ACT_GATHER_INFO
2010-01-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2009-0008.nasl - Type : ACT_GATHER_INFO
2009-10-07 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-256.nasl - Type : ACT_GATHER_INFO
2009-07-21 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_dbus-1-081016.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2008-213.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-653-1.nasl - Type : ACT_GATHER_INFO
2009-01-12 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200901-04.nasl - Type : ACT_GATHER_INFO
2009-01-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2009-0008.nasl - Type : ACT_GATHER_INFO
2008-12-04 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_dbus-1-5701.nasl - Type : ACT_GATHER_INFO
2008-10-24 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1658.nasl - Type : ACT_GATHER_INFO
2008-10-17 Name : The remote openSUSE host is missing a security update.
File : suse_dbus-1-5683.nasl - Type : ACT_GATHER_INFO
2008-10-10 Name : The remote Fedora host is missing a security update.
File : fedora_2008-8764.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:36:14
  • Multiple Updates