Arch Linux


FS#41058 - [dbus] DOS in DBUS < 1.8.6

Attached to Project: Arch Linux
Opened by Mark E. Lee (bluerider) - Wednesday, 02 July 2014, 16:30 GMT
Last edited by Dave Reisner (falconindy) - Monday, 07 July 2014, 12:59 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: Jan de Groot (JGC), Tom Gundersen (tomegun)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Description:
A vulnerability was found in dbus < 1.8.6 that can result in a denial of service.

See:
[fd.o#79694] https://bugs.freedesktop.org/show_bug.cgi?id=79694
[fd.o#80469] https://bugs.freedesktop.org/show_bug.cgi?id=80469
[fd.o#80163] https://bugs.freedesktop.org/show_bug.cgi?id=80163

Since 1.8.6 is not stable yet, it was recommended to backport git commits:
07f4c12efe3b9bd45d109bc5fbaf6d9dbf69d78e
9ca90648fc870c24d852ce6d7ce9387a9fc9a94a

Closed by Dave Reisner (falconindy) - Monday, 07 July 2014, 12:59 GMT
Reason for closing: Fixed
Additional comments about closing: testing/dbus 1.8.6
Comment by Dave Reisner (falconindy) - Wednesday, 02 July 2014, 16:56 GMT
> Since 1.8.6 is not stable yet,
1.8.6 was released today. I'm not sure what you mean by "not stable yet" since only odd number releases (1.5.x, 1.7.x, 1.9.x, etc) are "unstable" releases.
Comment by Mark E. Lee (bluerider) - Wednesday, 02 July 2014, 19:29 GMT
I just saw on the dbus website it's been updated. I could've sworn it said 1.8.6 was still unreleased. But no matter, an upgrade to 1.8.6 should fix the issue for Arch users.
Comment by Mark E. Lee (bluerider) - Wednesday, 02 July 2014, 19:30 GMT
I just checked the git logs, the documentation indicating 1.8.6 was released was just updated 2 hours ago.
Comment by Mark E. Lee (bluerider) - Wednesday, 02 July 2014, 19:31 GMT
Oh wait, I mean 2 days ago; that's very strange that I didn't catch it and that the dbus on Arch Linux wasn't flagged out of date then.
Comment by Carlo (arcieredorato) - Sunday, 06 July 2014, 17:12 GMT
I've read that it has been fixed. Can we close this bug?

https://bugs.freedesktop.org/show_bug.cgi?id=79694
Comment by Mark E. Lee (bluerider) - Sunday, 06 July 2014, 17:55 GMT
@Carlo, it hasn't. Arch still hasn't updated their dbus to 1.8.6.
Comment by Mark E. Lee (bluerider) - Monday, 07 July 2014, 04:16 GMT
What's the holdup on dbus 1.8.6? It's not even in testing. I just compiled 1.8.6 (haven't tested it yet).
Comment by Mark E. Lee (bluerider) - Monday, 07 July 2014, 04:17 GMT
Forgot to attach the library
Comment by Carlo (arcieredorato) - Monday, 07 July 2014, 06:12 GMT
I am waiting for the maintainer of dbus to do the update soon, directly through pacman. I hope that he can listen to us and fix it soon.
