Debian Bug report logs - #532720
dbus: CVE-2009-1189 incomplete fix for CVE-2008-3834

version graph

Package: dbus; Maintainer for dbus is Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>; Source for dbus is src:dbus.

Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Date: Wed, 10 Jun 2009 22:24:04 UTC

Severity: grave

Tags: patch, security

Found in versions dbus/1.2.1-5, dbus/1.0.2-1+etch2

Fixed in versions dbus/1.2.14-2, 1.0.2-1+etch3, 1.2.1-5+lenny1

Done: Michael Biebl <biebl@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#532720; Package dbus. (Wed, 10 Jun 2009 22:24:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 10 Jun 2009 22:24:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: dbus: CVE-2009-1189 incomplete fix for CVE-2008-3834
Date: Wed, 10 Jun 2009 18:25:00 -0400
Package: dbus
Version: 1.2.1-5
Severity: grave
Tags: security , patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for dbus.

CVE-2009-1189[0]:
| The _dbus_validate_signature_with_reason function
| (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses
| incorrect logic to validate a basic type, which allows remote
| attackers to spoof a signature via a crafted key.  NOTE: this is due
| to an incorrect fix for CVE-2008-3834.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.  Patches available [1].

Please coordinate with the security team to prepare updates for the
stable releases.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1189
    http://security-tracker.debian.net/tracker/CVE-2009-1189
[1] http://bugs.freedesktop.org/show_bug.cgi?id=17803




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#532720; Package dbus. (Wed, 10 Jun 2009 22:30:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a $gBug is determined using this field. Please remember to include a Subject field in your messages in future.

(Wed, 10 Jun 2009 22:30:02 GMT) Full text and rfc822 format available.


Message #10 received at 532720@bugs.debian.org (full text, mbox):

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: 532720@bugs.debian.org, control@bugs.debian.org
Date: Wed, 10 Jun 2009 18:31:16 -0400
found 532720 1.0.2-1+etch2
thank you

note bug report on CVE-2008-3834 is here: http://bugs.debian.org/501433




Bug marked as found in version 1.0.2-1+etch2. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 10 Jun 2009 22:30:03 GMT) Full text and rfc822 format available.

Bug no longer marked as found in version 1.2.14-1. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Wed, 10 Jun 2009 22:36:02 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 1.2.14-2. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 10 Jun 2009 22:39:04 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 1.0.2-1+etch3. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Tue, 21 Jul 2009 01:18:02 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 1.2.1-5+lenny1. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Tue, 21 Jul 2009 01:18:04 GMT) Full text and rfc822 format available.

Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Tue, 21 Jul 2009 01:18:06 GMT) Full text and rfc822 format available.

Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Tue, 21 Jul 2009 01:18:07 GMT) Full text and rfc822 format available.

Message #25 received at 532720-done@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>, 532720-done@bugs.debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#532720: dbus: CVE-2009-1189 incomplete fix for CVE-2008-3834
Date: Tue, 21 Jul 2009 03:17:14 +0200
[Message part 1 (text/plain, inline)]
Michael S. Gilbert wrote:
> Package: dbus
> Version: 1.2.1-5
> Severity: grave
> Tags: security , patch
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for dbus.
> 
> CVE-2009-1189[0]:
> | The _dbus_validate_signature_with_reason function
> | (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses
> | incorrect logic to validate a basic type, which allows remote
> | attackers to spoof a signature via a crafted key.  NOTE: this is due
> | to an incorrect fix for CVE-2008-3834.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.  Patches available [1].
> 
> Please coordinate with the security team to prepare updates for the
> stable releases.

Closing the bug report. Fixed packages are now in old-stable, stable, testing
and unstable.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Sun, 20 Sep 2009 20:15:17 GMT) Full text and rfc822 format available.

Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 20 Sep 2009 20:15:18 GMT) Full text and rfc822 format available.

Message #30 received at 532720-close@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: 532720-close@bugs.debian.org
Subject: Bug#532720: fixed in dbus 1.2.1-5+lenny1
Date: Sun, 20 Sep 2009 19:58:04 +0000
Source: dbus
Source-Version: 1.2.1-5+lenny1

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:

dbus-1-doc_1.2.1-5+lenny1_all.deb
  to pool/main/d/dbus/dbus-1-doc_1.2.1-5+lenny1_all.deb
dbus-x11_1.2.1-5+lenny1_i386.deb
  to pool/main/d/dbus/dbus-x11_1.2.1-5+lenny1_i386.deb
dbus_1.2.1-5+lenny1.diff.gz
  to pool/main/d/dbus/dbus_1.2.1-5+lenny1.diff.gz
dbus_1.2.1-5+lenny1.dsc
  to pool/main/d/dbus/dbus_1.2.1-5+lenny1.dsc
dbus_1.2.1-5+lenny1_i386.deb
  to pool/main/d/dbus/dbus_1.2.1-5+lenny1_i386.deb
libdbus-1-3_1.2.1-5+lenny1_i386.deb
  to pool/main/d/dbus/libdbus-1-3_1.2.1-5+lenny1_i386.deb
libdbus-1-dev_1.2.1-5+lenny1_i386.deb
  to pool/main/d/dbus/libdbus-1-dev_1.2.1-5+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 532720@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 18 Jun 2009 06:12:34 +0200
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev
Architecture: source all i386
Version: 1.2.1-5+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description: 
 dbus       - simple interprocess messaging system
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system
 libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 532720
Changes: 
 dbus (1.2.1-5+lenny1) stable-security; urgency=high
 .
   * debian/patches/52-CVE-2009-1189.patch
     - Security: The _dbus_validate_signature_with_reason function
       (dbus-marshal-validate.c) uses incorrect logic to validate a basic type,
       which allows remote attackers to spoof a signature via a crafted key.
       NOTE: this is due to an incorrect fix for CVE-2008-3834
       Closes: #532720
       Fixes: CVE-2009-1189
   * Urgency high for the security fix.
Checksums-Sha1: 
 cb786094e2c5f84f8debd3f3689502ff47dbb415 1608 dbus_1.2.1-5+lenny1.dsc
 2c5b38d51b486e0143faf7749d298e07a8c71223 1406833 dbus_1.2.1.orig.tar.gz
 00c1dca59e66dc869d7fda75f3966faefe65e3a7 39470 dbus_1.2.1-5+lenny1.diff.gz
 d91d2bbb214b730ecbe1cd4723f0f2abea81c334 1830232 dbus-1-doc_1.2.1-5+lenny1_all.deb
 f49025e8f7037851ddaa977e0e958a64600fd6a6 230180 dbus_1.2.1-5+lenny1_i386.deb
 3d60281a46b9c81d7641c8b483801e6ac14e9c0f 64064 dbus-x11_1.2.1-5+lenny1_i386.deb
 914731485a0c002bc7d10764ac5d8929a7aad8fa 148370 libdbus-1-3_1.2.1-5+lenny1_i386.deb
 1e887a4570b976a994fad61a5356cd1b4ff39df2 235620 libdbus-1-dev_1.2.1-5+lenny1_i386.deb
Checksums-Sha256: 
 e87773cd23970ba061e1293a50f8984dae5b1f353143bd758f56b8a61b6b1778 1608 dbus_1.2.1-5+lenny1.dsc
 8016540602189e1dca6aca6b7c0735706387e4f85ced75217c6a874980fd0e86 1406833 dbus_1.2.1.orig.tar.gz
 b8808ce29aac824b69a0e80870970415820520e754fc1ff0a25b0b3d892df5db 39470 dbus_1.2.1-5+lenny1.diff.gz
 cf29d785b4cb4f6830dab13b8adc2611424f35821f313214b427fd79a8e88b2d 1830232 dbus-1-doc_1.2.1-5+lenny1_all.deb
 d974b3d263993fd96a920404c8d144fc7f72ce7fe884d23a78de28780cf23b55 230180 dbus_1.2.1-5+lenny1_i386.deb
 0f9ad985e7019072770652b51e104fd96375302e39260b8e73474d0437cf95cb 64064 dbus-x11_1.2.1-5+lenny1_i386.deb
 3a9714642675aad7b1bc4178a09e00aa1ff825ab08e3921ee0e2e4870d874d74 148370 libdbus-1-3_1.2.1-5+lenny1_i386.deb
 63c61f6f7c737867d81193693a452f94989bd4bb08e55f5a21ad51e1dd6c7d31 235620 libdbus-1-dev_1.2.1-5+lenny1_i386.deb
Files: 
 e084fe269b41c84cdeaafae2b2633e9f 1608 devel optional dbus_1.2.1-5+lenny1.dsc
 b57aa1ba0834cbbb1e7502dc2cbfacc2 1406833 devel optional dbus_1.2.1.orig.tar.gz
 6b875822ae5036ba8bf83f2fae11fbf0 39470 devel optional dbus_1.2.1-5+lenny1.diff.gz
 317e72d84e019f0006d84e9579fa4b66 1830232 doc optional dbus-1-doc_1.2.1-5+lenny1_all.deb
 7ca48ece6eb966598f45394fa6f61ecb 230180 devel optional dbus_1.2.1-5+lenny1_i386.deb
 64e2b9c17836231e7abc0aff34690001 64064 x11 optional dbus-x11_1.2.1-5+lenny1_i386.deb
 a6fef063aace9660fcd7b518a1658299 148370 libs optional libdbus-1-3_1.2.1-5+lenny1_i386.deb
 ac4307dc10c03340beeb13eefac1f600 235620 libdevel optional libdbus-1-dev_1.2.1-5+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpD8WoACgkQh7PER70FhVTGXgCffMJZNkChf5Ao5UCvaIMQ6b2/
MgIAn3sWIsIH19vnNh/64OaGNVIK93Gr
=2R2o
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:30:03 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:09:40 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.