Executive Summary
Informations | |||
---|---|---|---|
Name | MDVSA-2009:256-1 | First vendor Publication | 2009-12-05 |
Vendor | Mandriva | Last vendor Modification | 2009-12-05 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:N/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 3.6 | Attack Range | Local |
Cvss Impact Score | 4.9 | Attack Complexity | Low |
Cvss Expoit Score | 3.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A vulnerability was discovered and corrected in dbus: The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for CVE-2008-3834 (CVE-2009-1189). This update provides a fix for this vulnerability. Update: Packages for 2008.0 are being provided due to extended support for Corporate products. |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2009:256-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10253 | |||
Oval ID: | oval:org.mitre.oval:def:10253 | ||
Title: | The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error. | ||
Description: | The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-3834 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:10308 | |||
Oval ID: | oval:org.mitre.oval:def:10308 | ||
Title: | The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for CVE-2008-3834. | ||
Description: | The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for CVE-2008-3834. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-1189 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:13451 | |||
Oval ID: | oval:org.mitre.oval:def:13451 | ||
Title: | DSA-1837-1 dbus -- programming error | ||
Description: | It was discovered that the dbus_signature_validate function in dbus, a simple interprocess messaging system, is prone to a denial of service attack. This issue was caused by an incorrect fix for DSA-1658-1. For the stable distribution, this problem has been fixed in version 1.2.1-5+lenny1. For the oldstable distribution, this problem has been fixed in version 1.0.2-1+etch3. Packages for ia64 and s390 will be released once they are available. For the testing distribution and the unstable distribution , this problem has been fixed in version 1.2.14-1. We recommend that you upgrade your dbus packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1837-1 CVE-2009-1189 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 | Product(s): | dbus |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:13931 | |||
Oval ID: | oval:org.mitre.oval:def:13931 | ||
Title: | USN-799-1 -- dbus vulnerability | ||
Description: | It was discovered that the D-Bus library did not correctly validate signatures. If a local user sent a specially crafted D-Bus key, they could spoof a valid signature and bypass security policies. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-799-1 CVE-2009-1189 | Version: | 5 |
Platform(s): | Ubuntu 8.04 Ubuntu 9.04 Ubuntu 6.06 Ubuntu 8.10 | Product(s): | dbus |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17531 | |||
Oval ID: | oval:org.mitre.oval:def:17531 | ||
Title: | USN-653-1 -- dbus vulnerabilities | ||
Description: | Havoc Pennington discovered that the D-Bus daemon did not correctly validate certain security policies. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-653-1 CVE-2008-0595 CVE-2008-3834 | Version: | 7 |
Platform(s): | Ubuntu 6.06 Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 | Product(s): | dbus |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18560 | |||
Oval ID: | oval:org.mitre.oval:def:18560 | ||
Title: | DSA-1658-1 dbus - denial of service | ||
Description: | Colin Walters discovered that the dbus_signature_validate function in dbus, a simple interprocess messaging system, is prone to a denial of service attack. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1658-1 CVE-2008-3834 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | dbus |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21763 | |||
Oval ID: | oval:org.mitre.oval:def:21763 | ||
Title: | ELSA-2009:0008: dbus security update (Moderate) | ||
Description: | The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2009:0008-01 CVE-2008-3834 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | dbus |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21815 | |||
Oval ID: | oval:org.mitre.oval:def:21815 | ||
Title: | RHSA-2010:0018: dbus security update (Moderate) | ||
Description: | The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for CVE-2008-3834. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0018-01 CESA-2010:0018 CVE-2009-1189 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | dbus |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22736 | |||
Oval ID: | oval:org.mitre.oval:def:22736 | ||
Title: | ELSA-2010:0018: dbus security update (Moderate) | ||
Description: | The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for CVE-2008-3834. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0018-01 CVE-2009-1189 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | dbus |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:28184 | |||
Oval ID: | oval:org.mitre.oval:def:28184 | ||
Title: | DEPRECATED: ELSA-2010-0018 -- dbus security update (moderate) | ||
Description: | [1.1.2-12.el5_4.1] - CVE-2009-1189 dbus: invalid fix for CVE-2008-3834 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010-0018 CVE-2009-1189 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | dbus |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:29288 | |||
Oval ID: | oval:org.mitre.oval:def:29288 | ||
Title: | RHSA-2009:0008 -- dbus security update (Moderate) | ||
Description: | Updated dbus packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility. A denial-of-service flaw was discovered in the system for sending messages between applications. A local user could send a message with a malformed signature to the bus causing the bus (and, consequently, any process using libdbus to receive messages) to abort. (CVE-2008-3834) | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2009:0008 CESA-2009:0008-CentOS 5 CVE-2008-3834 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | dbus |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:7908 | |||
Oval ID: | oval:org.mitre.oval:def:7908 | ||
Title: | DSA-1837 dbus -- programming error | ||
Description: | It was discovered that the dbus_signature_validate function in dbus, a simple interprocess messaging system, is prone to a denial of service attack. This issue was caused by an incorrect fix for DSA-1658-1. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1837 CVE-2009-1189 | Version: | 3 |
Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 | Product(s): | dbus |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:8101 | |||
Oval ID: | oval:org.mitre.oval:def:8101 | ||
Title: | DSA-1658 dbus -- programming error | ||
Description: | Colin Walters discovered that the dbus_signature_validate function in dbus, a simple interprocess messaging system, is prone to a denial of service attack. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1658 CVE-2008-3834 | Version: | 3 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | dbus |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
ExploitDB Exploits
id | Description |
---|---|
2009-01-19 | D-Bus Daemon < 1.2.4 - (libdbus) Denial of Service Exploit |
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for dbus CESA-2009:0008 centos5 i386 File : nvt/gb_CESA-2009_0008_dbus_centos5_i386.nasl |
2011-08-09 | Name : CentOS Update for dbus CESA-2010:0018 centos5 i386 File : nvt/gb_CESA-2010_0018_dbus_centos5_i386.nasl |
2010-01-15 | Name : RedHat Update for dbus RHSA-2010:0018-01 File : nvt/gb_RHSA-2010_0018-01_dbus.nasl |
2009-12-10 | Name : Mandriva Security Advisory MDVSA-2009:256-1 (dbus) File : nvt/mdksa_2009_256_1.nasl |
2009-10-13 | Name : Mandrake Security Advisory MDVSA-2009:256 (dbus) File : nvt/mdksa_2009_256.nasl |
2009-10-13 | Name : SLES10: Security update for dbus File : nvt/sles10_dbus-10.nasl |
2009-07-29 | Name : Debian Security Advisory DSA 1837-1 (dbus) File : nvt/deb_1837_1.nasl |
2009-07-29 | Name : Ubuntu USN-799-1 (dbus) File : nvt/ubuntu_799_1.nasl |
2009-07-29 | Name : Ubuntu USN-805-1 (ruby1.9) File : nvt/ubuntu_805_1.nasl |
2009-04-09 | Name : Mandriva Update for dbus MDVSA-2008:213 (dbus) File : nvt/gb_mandriva_MDVSA_2008_213.nasl |
2009-03-23 | Name : Ubuntu Update for dbus vulnerabilities USN-653-1 File : nvt/gb_ubuntu_USN_653_1.nasl |
2009-02-17 | Name : Fedora Update for dbus FEDORA-2008-8764 File : nvt/gb_fedora_2008_8764_dbus_fc9.nasl |
2009-01-13 | Name : Gentoo Security Advisory GLSA 200901-04 (dbus) File : nvt/glsa_200901_04.nasl |
2009-01-13 | Name : CentOS Security Advisory CESA-2009:0008 (dbus) File : nvt/ovcesa2009_0008.nasl |
2009-01-07 | Name : RedHat Security Advisory RHSA-2009:0008 File : nvt/RHSA_2009_0008.nasl |
2008-11-01 | Name : Debian Security Advisory DSA 1658-1 (dbus) File : nvt/deb_1658_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
56165 | D-Bus dbus-marshal-validate.c _dbus_validate_signature_with_reason Function C... |
48990 | D-bus Library (libdbus) dbus_signature_validate Function Malformed Signature ... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-08 | Name : The remote VMware ESX host is missing a security-related patch. File : vmware_VMSA-2010-0004_remote.nasl - Type : ACT_GATHER_INFO |
2014-11-17 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0476.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-750.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0018.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-0008.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100107_dbus_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090107_dbus_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2011-12-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_dbus-1-7482.nasl - Type : ACT_GATHER_INFO |
2011-04-29 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_dbus-1-110418.nasl - Type : ACT_GATHER_INFO |
2011-04-29 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_dbus-1-7483.nasl - Type : ACT_GATHER_INFO |
2010-03-05 | Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2010-0004.nasl - Type : ACT_GATHER_INFO |
2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1837.nasl - Type : ACT_GATHER_INFO |
2010-01-08 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0018.nasl - Type : ACT_GATHER_INFO |
2010-01-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0018.nasl - Type : ACT_GATHER_INFO |
2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-0008.nasl - Type : ACT_GATHER_INFO |
2009-10-07 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-256.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_dbus-1-081016.nasl - Type : ACT_GATHER_INFO |
2009-07-14 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-799-1.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-213.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-653-1.nasl - Type : ACT_GATHER_INFO |
2009-01-12 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200901-04.nasl - Type : ACT_GATHER_INFO |
2009-01-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0008.nasl - Type : ACT_GATHER_INFO |
2008-12-04 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_dbus-1-5701.nasl - Type : ACT_GATHER_INFO |
2008-10-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1658.nasl - Type : ACT_GATHER_INFO |
2008-10-17 | Name : The remote openSUSE host is missing a security update. File : suse_dbus-1-5683.nasl - Type : ACT_GATHER_INFO |
2008-10-10 | Name : The remote Fedora host is missing a security update. File : fedora_2008-8764.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:40:48 |
|
2013-05-11 00:47:44 |
|