Package: libdbus-1-3
Version: 1.4.8-3
Severity: normal
Tags: security
Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=38120

libdbus-1-3, used by dbus-daemon, swaps the byte-order of incoming messages into native endianness but does not swap the byte-order mark in messages when swapping their byte order. As a result, if a message in non-native byte order is sent through dbus-daemon to a system service like Avahi or NetworkManager, that system service is likely to interpret the message as invalid and disconnect from the system bus, leading to a local DoS.

This was raised, and promptly forgotten about, in 2007 (!), so it's already public information. A fix is awaiting review upstream.

Debian Security Team, could you allocate a CVE ID if appropriate, please? I suspect this is a job for stable-proposed-updates rather than a DSA, though.

Regards,
S
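
The mismatch described in the report above, as an added example that is not part of the original report and is not libdbus code or the upstream patch. It models only the 12-byte fixed D-Bus header; `swap_header`, `receiver_accepts` and `sample_header` are hypothetical names, and the sample message is constructed.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of the 12-byte fixed D-Bus header:
 * byte 0 = byte-order mark ('l' little, 'B' big), byte 1 = type,
 * byte 2 = flags, byte 3 = protocol version, then uint32 body length
 * and uint32 serial, both encoded in the order named by byte 0. */
#define HDR_LEN 12

static uint32_t rd32(const uint8_t *p, char order) {
    return order == 'l'
        ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
        : (uint32_t)p[3] | (uint32_t)p[2] << 8 | (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24;
}

static void swap32(uint8_t *p) {
    uint8_t t = p[0]; p[0] = p[3]; p[3] = t;
    t = p[1]; p[1] = p[2]; p[2] = t;
}

/* Reverse the integer fields; update the mark only if fix_mark is set.
 * fix_mark == 0 reproduces the behaviour described in the report. */
void swap_header(uint8_t *h, int fix_mark) {
    swap32(h + 4);
    swap32(h + 8);
    if (fix_mark)
        h[0] = (h[0] == 'l') ? 'B' : 'l';
}

/* Receiver-side check (hypothetical): trust byte 0, decode the body
 * length and compare it with the bytes that actually follow the header.
 * Returns 1 if consistent, 0 if the message would be rejected. */
int receiver_accepts(const uint8_t *h, uint32_t actual_body_len) {
    if (h[0] != 'l' && h[0] != 'B') return 0;
    if (h[3] != 1) return 0;
    return rd32(h + 4, (char)h[0]) == actual_body_len;
}

/* Constructed sample: big-endian method call, 8-byte body, serial 1. */
void sample_header(uint8_t *h) {
    static const uint8_t be[HDR_LEN] = { 'B', 1, 0, 1, 0,0,0,8, 0,0,0,1 };
    memcpy(h, be, HDR_LEN);
}
```

With the mark left stale, the receiver decodes the body length as 0x08000000 instead of 8 and rejects the message; with the mark updated alongside the fields, the same message is accepted.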