USN-653-1: D-Bus vulnerabilities


 
Old 10-14-2008

Referenced CVEs:
CVE-2008-0595, CVE-2008-3834


Description:
===========================================================
Ubuntu Security Notice USN-653-1           October 14, 2008
dbus vulnerabilities
CVE-2008-0595, CVE-2008-3834
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  libdbus-1-2    0.60-6ubuntu8.3

Ubuntu 7.04:
  libdbus-1-3    1.0.2-1ubuntu4.2

Ubuntu 7.10:
  libdbus-1-3    1.1.1-3ubuntu4.2

Ubuntu 8.04 LTS:
  libdbus-1-3    1.1.20-1ubuntu3.1

After a standard system upgrade you need to reboot your computer to effect the necessary changes.

Details follow:

Havoc Pennington discovered that the D-Bus daemon did not correctly validate certain security policies. If a local user sent a specially crafted D-Bus request, they could bypass security policies that had a "send_interface" defined. (CVE-2008-0595)

It was discovered that the D-Bus library did not correctly validate certain corrupted signatures. If a local user sent a specially crafted D-Bus request, they could crash applications linked against the D-Bus library, leading to a denial of service. (CVE-2008-3834)





dbus-cleanup-sockets(1) 				      General Commands Manual					   dbus-cleanup-sockets(1)

NAME
       dbus-cleanup-sockets - clean up leftover sockets in a directory

SYNOPSIS
       dbus-cleanup-sockets [DIRECTORY]

DESCRIPTION
       The dbus-cleanup-sockets command cleans up unused D-Bus connection sockets. See http://www.freedesktop.org/software/dbus/ for more information about the big picture.

       If given no arguments, dbus-cleanup-sockets cleans up sockets in the standard default socket directory for the per-user-login-session message bus; this is usually /tmp. Optionally, you can pass a different directory on the command line.

       On Linux, this program is essentially useless, because D-Bus defaults to using "abstract sockets" that exist only in memory and don't have a corresponding file in /tmp.

       On most other flavors of UNIX, it's possible for the socket files to leak when programs using D-Bus exit abnormally or without closing their D-Bus connections. Thus, it might be interesting to run dbus-cleanup-sockets in a cron job to mop up any leaked sockets. Or you can just ignore the leaked sockets, they aren't really hurting anything, other than cluttering the output of "ls /tmp"

AUTHOR
       dbus-cleanup-sockets was adapted by Havoc Pennington from linc-cleanup-sockets written by Michael Meeks.

BUGS
       Please send bug reports to the D-Bus mailing list or bug tracker, see http://www.freedesktop.org/software/dbus/