Bug 974109 (CVE-2013-2168)

Summary: CVE-2013-2168 dbus: Crash of system services that use libdbus (DoS) due to non-portable use of va_list in UNIX format string wrapper
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: lpoetter, rhughes, walters
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: dbus-1.4.26, dbus-1.6.12, dbus-1.7.4
Doc Type: Bug Fix
Last Closed: 2013-06-19 09:12:19 UTC
Bug Depends On: 974128

Description Jan Lieskovsky 2013-06-13 12:45:13 UTC
A denial of service flaw was found in the way the UNIX system format string wrapper implementation of D-BUS, a system for sending messages between applications, measured the length of the provided format string and its arguments in certain circumstances. A remote attacker could supply specially crafted input to an application or service utilizing the services or functionality of the libdbus library that, when processed, would lead to that application or service crashing.

References:
[1] http://www.openwall.com/lists/oss-security/2013/06/13/2

Relevant upstream patch:
[2] http://cgit.freedesktop.org/dbus/dbus/commit/?id=954d75b2b64e4799f360d2a6bf9cff6d9fee37e7
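The summary attributes the crash to non-portable use of a `va_list` in a format-string wrapper that first measures how long the formatted output would be and then formats it. The portable way to write such a two-pass wrapper is to give every `vsnprintf` pass its own `va_copy`, because a `va_list` that has been handed to `vsnprintf` is advanced by it and may not be reused; on ABIs where `va_list` is an array type the second pass then reads past the real arguments. The code below is an added illustration of that pattern, not dbus source and not the upstream patch; the function names (`format_upper_bound`, `vformat_alloc`, `format_alloc`, `formatted_length`, `format_matches`) are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not dbus code): return the number of bytes, excluding
 * the terminating NUL, that vsnprintf would produce for fmt/args, or -1 on a
 * formatting error. The caller's va_list is never consumed: the measuring
 * pass runs on a va_copy. Passing `args` itself to vsnprintf and then using
 * it again for the real formatting pass is undefined behaviour, and on
 * platforms where va_list is an array type it is exactly what makes the
 * second pass read garbage or crash. */
int format_upper_bound(const char *fmt, va_list args)
{
    va_list args_copy;
    int len;

    va_copy(args_copy, args);
    len = vsnprintf(NULL, 0, fmt, args_copy);
    va_end(args_copy);
    return len;
}

/* Two-pass measure/allocate/format. Each pass works on its own copy of the
 * list, so `args` stays positioned at the first argument throughout.
 * Returns a heap-allocated string the caller frees, or NULL on error. */
char *vformat_alloc(const char *fmt, va_list args)
{
    va_list args_copy;
    char *buf;
    int len = format_upper_bound(fmt, args);   /* pass 1: measure on a copy */

    if (len < 0)
        return NULL;
    buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return NULL;

    va_copy(args_copy, args);                  /* pass 2: format on a fresh copy */
    vsnprintf(buf, (size_t)len + 1, fmt, args_copy);
    va_end(args_copy);
    return buf;
}

/* Variadic front end for vformat_alloc. */
char *format_alloc(const char *fmt, ...)
{
    va_list args;
    char *buf;

    va_start(args, fmt);
    buf = vformat_alloc(fmt, args);
    va_end(args);
    return buf;
}

/* Length the measuring pass computes for fmt and its arguments. */
int formatted_length(const char *fmt, ...)
{
    va_list args;
    int len;

    va_start(args, fmt);
    len = format_upper_bound(fmt, args);
    va_end(args);
    return len;
}

/* 1 if formatting fmt with the trailing arguments yields `expected`,
 * 0 otherwise (including on allocation or formatting failure). */
int format_matches(const char *expected, const char *fmt, ...)
{
    va_list args;
    char *buf;
    int ok;

    va_start(args, fmt);
    buf = vformat_alloc(fmt, args);
    va_end(args);
    if (buf == NULL)
        return 0;
    ok = strcmp(buf, expected) == 0;
    free(buf);
    return ok;
}

int main(void)
{
    /* Constructed sample input: both passes see the same arguments. */
    char *s = format_alloc("%s=%d", "answer", 42);

    if (s == NULL)
        return 1;
    printf("%s (%d bytes)\n", s, formatted_length("%s=%d", "answer", 42));
    free(s);
    return 0;
}
```

The point of the layout is that `args` is only ever read through copies: `format_upper_bound` copies it for the sizing pass, and `vformat_alloc` copies it again for the formatting pass, so the length computed in pass 1 is guaranteed to describe the same arguments that pass 2 writes.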

Comment 1 Jan Lieskovsky 2013-06-13 12:53:13 UTC
Original upstream report for the issue that led to introduction of this problem:
[3] https://bugs.freedesktop.org/show_bug.cgi?id=11668

Upstream patch that introduced the issue (dbus-1.4.16 and dbus-1.5.8):
[4] http://cgit.freedesktop.org/dbus/dbus/commit/?id=7fc9c026669976463adcd1e02ad19c582ed27289

Comment 2 Jan Lieskovsky 2013-06-13 12:54:54 UTC
This issue did NOT affect the versions of the dbus package, as shipped with Red Hat Enterprise Linux 5 and 6 (as they did not introduce the upstream change [4] yet).

--

This issue did NOT affect the version of the dbus package, as shipped with Fedora release 17 (as it did not introduce the upstream change [4] yet).

--

This issue affects the version of the dbus package, as shipped with Fedora release 18. Please schedule an update.

Comment 3 Jan Lieskovsky 2013-06-13 13:28:40 UTC
Created dbus tracking bugs for this issue

Affects: fedora-18 [bug 974128]

Comment 4 Jan Lieskovsky 2013-06-13 13:30:54 UTC
Statement:

Not vulnerable. This issue did not affect the versions of dbus as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include the upstream commit 7fc9c026669976463adcd1e02ad19c582ed27289 that introduced this issue.

Comment 8 Fedora Update System 2013-06-29 18:22:34 UTC
dbus-1.6.12-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.