Debian Bug report logs - #629938
libdbus-1-3: [CVE-2011-2200] local DoS via messages with non-native byte order


Package: libdbus-1-3; Maintainer for libdbus-1-3 is Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>; Source for libdbus-1-3 is src:dbus.

Reported by: Simon McVittie <smcv@debian.org>

Date: Thu, 9 Jun 2011 18:21:02 UTC

Severity: normal

Tags: security

Found in versions dbus/1.2.1-5+lenny1, dbus/1.4.8-3, dbus/1.2.24-4

Fixed in versions dbus/1.4.12-1, dbus/1.5.4-1, dbus/1.2.24-4+squeeze1

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.freedesktop.org/show_bug.cgi?id=38120



Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#629938; Package libdbus-1-3. (Thu, 09 Jun 2011 18:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Thu, 09 Jun 2011 18:21:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libdbus-1-3: local DoS via messages with non-native byte order
Date: Thu, 9 Jun 2011 19:20:27 +0100
Package: libdbus-1-3
Version: 1.4.8-3
Severity: normal
Tags: security
Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=38120

libdbus-1-3, used by dbus-daemon, swaps the byte-order of incoming messages
into native endianness but does not swap the byte-order mark in messages
when swapping their byte order. As a result, if a message in non-native byte
order is sent through dbus-daemon to a system service like Avahi or
NetworkManager, that system service is likely to interpret the message as
invalid and disconnect from the system bus, leading to a local DoS.

This was raised, and promptly forgotten about, in 2007 (!), so it's already
public information. A fix is awaiting review upstream.

Debian Security Team, could you allocate a CVE ID if appropriate, please?
I suspect this is a job for stable-proposed-updates rather than a DSA, though.

Regards,
    S




Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Fri, 10 Jun 2011 22:03:13 GMT) Full text and rfc822 format available.

Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Fri, 10 Jun 2011 22:03:13 GMT) Full text and rfc822 format available.

Message #10 received at 629938-close@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: 629938-close@bugs.debian.org
Subject: Bug#629938: fixed in dbus 1.4.12-1
Date: Fri, 10 Jun 2011 22:02:25 +0000
Source: dbus
Source-Version: 1.4.12-1

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:

dbus-1-dbg_1.4.12-1_amd64.deb
  to main/d/dbus/dbus-1-dbg_1.4.12-1_amd64.deb
dbus-1-doc_1.4.12-1_all.deb
  to main/d/dbus/dbus-1-doc_1.4.12-1_all.deb
dbus-x11_1.4.12-1_amd64.deb
  to main/d/dbus/dbus-x11_1.4.12-1_amd64.deb
dbus_1.4.12-1.debian.tar.gz
  to main/d/dbus/dbus_1.4.12-1.debian.tar.gz
dbus_1.4.12-1.dsc
  to main/d/dbus/dbus_1.4.12-1.dsc
dbus_1.4.12-1_amd64.deb
  to main/d/dbus/dbus_1.4.12-1_amd64.deb
dbus_1.4.12.orig.tar.gz
  to main/d/dbus/dbus_1.4.12.orig.tar.gz
libdbus-1-3_1.4.12-1_amd64.deb
  to main/d/dbus/libdbus-1-3_1.4.12-1_amd64.deb
libdbus-1-dev_1.4.12-1_amd64.deb
  to main/d/dbus/libdbus-1-dev_1.4.12-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 629938@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 10 Jun 2011 22:39:14 +0100
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev dbus-1-dbg
Architecture: source amd64 all
Version: 1.4.12-1
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 dbus       - simple interprocess messaging system (daemon and utilities)
 dbus-1-dbg - simple interprocess messaging system (debug symbols)
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system (library)
 libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 629938
Changes: 
 dbus (1.4.12-1) unstable; urgency=medium
 .
   * New upstream release fixes local DoS (Closes: #629938, no CVE number yet)
   * Don't delete jquery.js, no longer installed by recent Doxygen
   * Build-depend on libglib2.0-dev, libdbus-glib-1-dev for better regression
     test coverage (dbus-glib is a circular dependency, but both of these
     dependencies can be dropped if bootstrapping new architectures)





Bug Marked as found in versions dbus/1.2.24-4. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Fri, 10 Jun 2011 23:03:06 GMT) Full text and rfc822 format available.

Bug Marked as found in versions dbus/1.2.1-5+lenny1. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Fri, 10 Jun 2011 23:03:08 GMT) Full text and rfc822 format available.

Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Fri, 10 Jun 2011 23:21:07 GMT) Full text and rfc822 format available.

Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Fri, 10 Jun 2011 23:21:07 GMT) Full text and rfc822 format available.

Message #19 received at 629938-close@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: 629938-close@bugs.debian.org
Subject: Bug#629938: fixed in dbus 1.5.4-1
Date: Fri, 10 Jun 2011 23:17:17 +0000
Source: dbus
Source-Version: 1.5.4-1

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:

dbus-1-dbg_1.5.4-1_amd64.deb
  to main/d/dbus/dbus-1-dbg_1.5.4-1_amd64.deb
dbus-1-doc_1.5.4-1_all.deb
  to main/d/dbus/dbus-1-doc_1.5.4-1_all.deb
dbus-x11_1.5.4-1_amd64.deb
  to main/d/dbus/dbus-x11_1.5.4-1_amd64.deb
dbus_1.5.4-1.debian.tar.gz
  to main/d/dbus/dbus_1.5.4-1.debian.tar.gz
dbus_1.5.4-1.dsc
  to main/d/dbus/dbus_1.5.4-1.dsc
dbus_1.5.4-1_amd64.deb
  to main/d/dbus/dbus_1.5.4-1_amd64.deb
dbus_1.5.4.orig.tar.gz
  to main/d/dbus/dbus_1.5.4.orig.tar.gz
libdbus-1-3_1.5.4-1_amd64.deb
  to main/d/dbus/libdbus-1-3_1.5.4-1_amd64.deb
libdbus-1-dev_1.5.4-1_amd64.deb
  to main/d/dbus/libdbus-1-dev_1.5.4-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 629938@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 10 Jun 2011 23:35:51 +0100
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev dbus-1-dbg
Architecture: source amd64 all
Version: 1.5.4-1
Distribution: experimental
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 dbus       - simple interprocess messaging system (daemon and utilities)
 dbus-1-dbg - simple interprocess messaging system (debug symbols)
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system (library)
 libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 629938 629954 630011
Changes: 
 dbus (1.5.4-1) experimental; urgency=low
 .
   * Merge from unstable
   * New(er) upstream version fixing local DoS (Closes: #629938)
   * Revert some of the changes merged from Ubuntu, which look as though
     they shouldn't be needed on either distribution:
     - there's no need to create/chown messagebus' home directory, the sysvinit
       script and the Upstart job both do that on-demand
   * Revert changes which are useful in Ubuntu but not Debian:
     - move everything except the library back into /usr; Debian doesn't have
       any uses for dbus-daemon in early boot, and if we do later, we'd need to
       get libexpat moved first
       - this gets the locations back into sync with what it says in the
         Xsession hook (Closes: #630011) and the init script (Closes: #629954)
   * Improve comments in postinst explaining why it behaves as it does





Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#629938; Package libdbus-1-3. (Sun, 12 Jun 2011 12:27:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sun, 12 Jun 2011 12:27:07 GMT) Full text and rfc822 format available.

Message #24 received at 629938@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: 629938@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#629938: libdbus-1-3: local DoS via messages with non-native byte order
Date: Sun, 12 Jun 2011 13:26:03 +0100
[Message part 1 (text/plain, inline)]
On Thu, 09 Jun 2011 at 19:20:27 +0100, Simon McVittie wrote:
> Tags: security
> Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=38120
> 
> libdbus-1-3, used by dbus-daemon, swaps the byte-order of incoming messages
> into native endianness but does not swap the byte-order mark in messages
> when swapping their byte order. As a result, if a message in non-native byte
> order is sent through dbus-daemon to a system service like Avahi or
> NetworkManager, that system service is likely to interpret the message as
> invalid and disconnect from the system bus, leading to a local DoS.

I've fixed this upstream and in sid and experimental. Still waiting for a
CVE ID - or should I ask for one elsewhere?

Here is a proposed stable update (either for security or stable updates),
and a test-case (marshal.c). The proposed stable update is also available
on the debian-squeeze branch in git.

The test case requires libdbus-1-dev, libdbus-glib-1-dev and libglib2.0-dev,
and can be run with:

    gcc -otest-marshal marshal.c \
        `pkg-config --cflags --libs dbus-1 dbus-glib-1 glib-2.0`
    ./test-marshal

For it to work, it must be run by a user whose home directory (according
to /etc/passwd, not $HOME) can be written.

Successful output looks like this:

    /demarshal/le: OK
    /demarshal/be: OK
    /demarshal/needed/le: OK
    /demarshal/needed/be: OK

Unsuccessful output on a little-endian architecture looks like this:

    /demarshal/le: OK
    /demarshal/be: **
    ERROR:marshal.c:193:test_endian: assertion failed (get_uint32 (output, OFFSET_BODY_LENGTH, output[0]) == 8): (134217728 == 8)
    Aborted

Big-endian architectures should fail /demarshal/le in a similar way.

(You can also unpack /usr/lib/dbus-1.0/test/test-marshal from dbus-1-dbg of
an appropriate architecture in unstable - it's the same test-case, and
should hopefully work with an older libdbus.)

Regards,
    S
[marshal.c (text/x-csrc, attachment)]
[dbus_1.2.24-4+squeeze1.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
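
The mismatch behind the `(134217728 == 8)` failure reported above, as an added, self-contained simulation: it is not the attached marshal.c and does not link against libdbus. It models only the 12-byte fixed part of a D-Bus header, and every function name in it is made up for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed part of a D-Bus message header (illustration only). */
#define OFFSET_BYTE_ORDER  0   /* 'l' = little-endian, 'B' = big-endian */
#define OFFSET_BODY_LENGTH 4   /* uint32 */
#define OFFSET_SERIAL      8   /* uint32 */
#define FIXED_HEADER_LEN   12

static unsigned char native_order(void)
{
    const uint16_t probe = 1;
    return *(const unsigned char *)&probe ? 'l' : 'B';
}

static unsigned char other_order(unsigned char order)
{
    return order == 'l' ? 'B' : 'l';
}

/* Read a uint32 as a receiver does: as directed by a byte-order mark. */
static uint32_t get_uint32(const unsigned char *buf, size_t off, unsigned char order)
{
    const unsigned char *p = buf + off;
    if (order == 'l')
        return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
               (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return (uint32_t)p[3] | (uint32_t)p[2] << 8 |
           (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24;
}

static void put_uint32(unsigned char *buf, size_t off, unsigned char order, uint32_t v)
{
    unsigned char *p = buf + off;
    for (int i = 0; i < 4; i++) {
        int shift = (order == 'l') ? 8 * i : 8 * (3 - i);
        p[i] = (unsigned char)(v >> shift);
    }
}

/* Constructed sample header: a method call with the given body length. */
static void build_header(unsigned char *buf, unsigned char order, uint32_t body_len)
{
    buf[OFFSET_BYTE_ORDER] = order;
    buf[1] = 1;                      /* message type: METHOD_CALL */
    buf[2] = 0;                      /* flags */
    buf[3] = 1;                      /* protocol version */
    put_uint32(buf, OFFSET_BODY_LENGTH, order, body_len);
    put_uint32(buf, OFFSET_SERIAL, order, 1);
}

static void swap32(unsigned char *p)
{
    unsigned char t;
    t = p[0]; p[0] = p[3]; p[3] = t;
    t = p[1]; p[1] = p[2]; p[2] = t;
}

/* Convert the integers to native order. With update_mark == 0 the
 * byte-order mark is left as the sender wrote it, which is the
 * behaviour the report describes; with update_mark == 1 the mark is
 * rewritten to match the swapped data. */
static void to_native(unsigned char *buf, int update_mark)
{
    if (buf[OFFSET_BYTE_ORDER] == native_order())
        return;
    swap32(buf + OFFSET_BODY_LENGTH);
    swap32(buf + OFFSET_SERIAL);
    if (update_mark)
        buf[OFFSET_BYTE_ORDER] = native_order();
}

/* Body length a receiver parses after the message has been relayed. */
static uint32_t relay_then_read(unsigned char sender_order, uint32_t body_len, int update_mark)
{
    unsigned char buf[FIXED_HEADER_LEN];
    build_header(buf, sender_order, body_len);
    to_native(buf, update_mark);
    return get_uint32(buf, OFFSET_BODY_LENGTH, buf[OFFSET_BYTE_ORDER]);
}

int main(void)
{
    unsigned char foreign = other_order(native_order());
    printf("non-native, mark not updated: %u\n", (unsigned)relay_then_read(foreign, 8, 0));
    printf("non-native, mark updated:     %u\n", (unsigned)relay_then_read(foreign, 8, 1));
    printf("native sender:                %u\n", (unsigned)relay_then_read(native_order(), 8, 0));
    return 0;
}
```
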

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#629938; Package libdbus-1-3. (Sun, 12 Jun 2011 13:03:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to oss-security@lists.openwall.com:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sun, 12 Jun 2011 13:03:07 GMT) Full text and rfc822 format available.

Message #29 received at 629938@bugs.debian.org (full text, mbox):

From: Jan Lieskovsky <jlieskov@redhat.com>
To: "Steven M. Christey" <coley@linus.mitre.org>
Cc: oss-security@lists.openwall.com, Simon McVittie <smcv@debian.org>, 629938@bugs.debian.org
Subject: CVE Request -- dbus -- Local DoS via messages with non-native byte order
Date: Sun, 12 Jun 2011 15:01:40 +0200
Hello, Josh, Steve, vendors,

  It was found that D-BUS message bus service / messaging facility did
not update the byte-order flag of the message properly by swapping the
byte order of incoming messages into their native endianness. A local,
authenticated user could use this flaw to send a specially-crafted
message to a system service (like Avahi or NetworkManager), using the
system bus, potentially leading to disconnect of such a service from
system bus (denial of service).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938
[2] https://bugs.freedesktop.org/show_bug.cgi?id=38120
[3] https://bugzilla.redhat.com/show_bug.cgi?id=712676

Upstream patches:
[4] 
http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=6519a1f77c61d753d4c97efd6e15630eb275336e
    (in upstream v1.2.28 version)

[5] 
http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.4&id=c3223ba6c401ba81df1305851312a47c485e6cd7
    (in upstream v1.4.12 version)

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#629938; Package libdbus-1-3. (Mon, 13 Jun 2011 19:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josh Bressers <bressers@redhat.com>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Mon, 13 Jun 2011 19:27:03 GMT) Full text and rfc822 format available.

Message #34 received at 629938@bugs.debian.org (full text, mbox):

From: Josh Bressers <bressers@redhat.com>
To: oss-security@lists.openwall.com
Cc: Simon McVittie <smcv@debian.org>, 629938@bugs.debian.org, "Steven M. Christey" <coley@linus.mitre.org>
Subject: Re: [oss-security] CVE Request -- dbus -- Local DoS via messages with non-native byte order
Date: Mon, 13 Jun 2011 15:25:46 -0400 (EDT)

----- Original Message -----
> Hello, Josh, Steve, vendors,
> 
> It was found that D-BUS message bus service / messaging facility did
> not update the byte-order flag of the message properly by swapping the
> byte order of incoming messages into their native endianness. A local,
> authenticated user could use this flaw to send a specially-crafted
> message to a system service (like Avahi or NetworkManager), using the
> system bus, potentially leading to disconnect of such a service from
> system bus (denial of service).
> 
> References:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938
> [2] https://bugs.freedesktop.org/show_bug.cgi?id=38120
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=712676
> 
> Upstream patches:
> [4]
> http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=6519a1f77c61d753d4c97efd6e15630eb275336e
> (in upstream v1.2.28 version)
> 
> [5]
> http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.4&id=c3223ba6c401ba81df1305851312a47c485e6cd7
> (in upstream v1.4.12 version)
> 

Please use CVE-2011-2200.

Thanks.

-- 
    JB




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#629938; Package libdbus-1-3. (Tue, 14 Jun 2011 16:45:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 14 Jun 2011 16:45:09 GMT) Full text and rfc822 format available.

Message #39 received at 629938@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Simon McVittie <smcv@debian.org>
Cc: 629938@bugs.debian.org, security@debian.org
Subject: Re: Bug#629938: libdbus-1-3: local DoS via messages with non-native byte order
Date: Tue, 14 Jun 2011 18:40:45 +0200
On Sun, Jun 12, 2011 at 01:26:03PM +0100, Simon McVittie wrote:
> Here is a proposed stable update (either for security or stable updates),
> and a test-case (marshal.c). The proposed stable update is also available
> on the debian-squeeze branch in git.

Please proceed with a stable point update.

Thanks,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#629938; Package libdbus-1-3. (Tue, 14 Jun 2011 19:21:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 14 Jun 2011 19:21:07 GMT) Full text and rfc822 format available.

Message #44 received at 629938@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: 629938@bugs.debian.org, security@debian.org
Subject: Re: Bug#629938: libdbus-1-3: local DoS via messages with non-native byte order
Date: Tue, 14 Jun 2011 20:18:02 +0100
On Tue, 14 Jun 2011 at 18:40:45 +0200, Moritz Muehlenhoff wrote:
> Please proceed with a stable point update.

In progress, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=630520

Regards,
    S




Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Wed, 15 Jun 2011 07:57:08 GMT) Full text and rfc822 format available.

Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Wed, 15 Jun 2011 07:57:08 GMT) Full text and rfc822 format available.

Message #49 received at 629938-close@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: 629938-close@bugs.debian.org
Subject: Bug#629938: fixed in dbus 1.2.24-4+squeeze1
Date: Wed, 15 Jun 2011 07:55:34 +0000
Source: dbus
Source-Version: 1.2.24-4+squeeze1

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:

dbus-1-dbg_1.2.24-4+squeeze1_amd64.deb
  to main/d/dbus/dbus-1-dbg_1.2.24-4+squeeze1_amd64.deb
dbus-1-doc_1.2.24-4+squeeze1_all.deb
  to main/d/dbus/dbus-1-doc_1.2.24-4+squeeze1_all.deb
dbus-x11_1.2.24-4+squeeze1_amd64.deb
  to main/d/dbus/dbus-x11_1.2.24-4+squeeze1_amd64.deb
dbus_1.2.24-4+squeeze1.debian.tar.gz
  to main/d/dbus/dbus_1.2.24-4+squeeze1.debian.tar.gz
dbus_1.2.24-4+squeeze1.dsc
  to main/d/dbus/dbus_1.2.24-4+squeeze1.dsc
dbus_1.2.24-4+squeeze1_amd64.deb
  to main/d/dbus/dbus_1.2.24-4+squeeze1_amd64.deb
libdbus-1-3_1.2.24-4+squeeze1_amd64.deb
  to main/d/dbus/libdbus-1-3_1.2.24-4+squeeze1_amd64.deb
libdbus-1-dev_1.2.24-4+squeeze1_amd64.deb
  to main/d/dbus/libdbus-1-dev_1.2.24-4+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 629938@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Tue, 14 Jun 2011 19:45:00 +0100
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev dbus-1-dbg
Architecture: source all amd64
Version: 1.2.24-4+squeeze1
Distribution: stable
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 dbus       - simple interprocess messaging system
 dbus-1-dbg - simple interprocess messaging system (debug symbols)
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system
 libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 629938
Changes: 
 dbus (1.2.24-4+squeeze1) stable; urgency=low
 .
   * Update Vcs-* control fields to reflect the move to git
   * Apply patch to fix CVE-2011-2200 (fd.o #38120), which is a local DoS for
     system services (Closes: #629938)





Changed Bug title to 'libdbus-1-3: [CVE-2011-2200] local DoS via messages with non-native byte order' from 'libdbus-1-3: local DoS via messages with non-native byte order' Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Wed, 15 Jun 2011 09:18:03 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 15 Jul 2011 07:36:02 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 23:29:01 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.