Version in base suite: 1.2.1-5 Version in overlay suite: (not present) Base version: dbus_1.2.1-5 Target version: dbus_1.2.1-5+lenny1 Base file: /org/ftp.debian.org/ftp/pool/main/d/dbus/dbus_1.2.1-5.dsc Target file: /org/ftp.debian.org/queue/p-u-new/dbus_1.2.1-5+lenny1.dsc dbus-1.2.1/debian/changelog | 13 ++++++++ dbus-1.2.1/debian/control | 2 - debian/patches/52-CVE-2009-1189.patch | 55 ++++++++++++++++++++++++++++++++++ 3 files changed, 69 insertions(+), 1 deletion(-) diff -u dbus-1.2.1/debian/control dbus-1.2.1/debian/control --- dbus-1.2.1/debian/control +++ dbus-1.2.1/debian/control @@ -100,7 +100,7 @@ Section: doc Architecture: all Depends: ${misc:Depends} -Suggests: dbus-1-dev +Suggests: libdbus-1-dev Conflicts: libdbus0-doc Replaces: libdbus0-doc Description: simple interprocess messaging system (documentation) diff -u dbus-1.2.1/debian/changelog dbus-1.2.1/debian/changelog --- dbus-1.2.1/debian/changelog +++ dbus-1.2.1/debian/changelog @@ -1,3 +1,16 @@ +dbus (1.2.1-5+lenny1) stable-security; urgency=high + + * debian/patches/52-CVE-2009-1189.patch + - Security: The _dbus_validate_signature_with_reason function + (dbus-marshal-validate.c) uses incorrect logic to validate a basic type, + which allows remote attackers to spoof a signature via a crafted key. + NOTE: this is due to an incorrect fix for CVE-2008-3834 + Closes: #532720 + Fixes: CVE-2009-1189 + * Urgency high for the security fix. + + -- Michael Biebl Thu, 18 Jun 2009 06:12:34 +0200 + dbus (1.2.1-5) unstable; urgency=high [ Sjoerd Simons ] only in patch2: unchanged: --- dbus-1.2.1.orig/debian/patches/52-CVE-2009-1189.patch +++ dbus-1.2.1/debian/patches/52-CVE-2009-1189.patch 
@@ -0,0 +1,55 @@ +From 82c8109a0ab4e4711c902135c2218bc522afcc3d Mon Sep 17 00:00:00 2001 +From: Colin Walters +Date: Wed, 01 Apr 2009 16:02:00 +0000 +Subject: Bug 17803 - Fix both test case and validation logic + +The previous commit had errors in both the test case and +the validation logic. The test case was missing a trailing +comma before the previous one, so we weren't testing the +signature we thought we were. + +The validation logic was wrong because if the type was not valid, +we'd drop through the entire if clause, and thus skip returning +an error code, and accept the signature. +--- +diff --git a/dbus/dbus-marshal-validate-util.c b/dbus/dbus-marshal-validate-util.c +index 5365d6d..ac901c3 100644 +--- a/dbus/dbus-marshal-validate-util.c ++++ b/dbus/dbus-marshal-validate-util.c +@@ -227,7 +227,7 @@ _dbus_marshal_validate_test (void) + "not a valid signature", + "123", + ".", +- "(" ++ "(", + "a{(ii)i}" /* https://bugs.freedesktop.org/show_bug.cgi?id=17803 */ + }; + +diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c +index 35998cb..ee95548 100644 +--- a/dbus/dbus-marshal-validate.c ++++ b/dbus/dbus-marshal-validate.c +@@ -246,14 +246,15 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, + } + } + +- if (last == DBUS_DICT_ENTRY_BEGIN_CHAR && +- _dbus_type_is_valid (*p) && +- !dbus_type_is_basic (*p)) ++ if (last == DBUS_DICT_ENTRY_BEGIN_CHAR) + { +- result = DBUS_INVALID_DICT_KEY_MUST_BE_BASIC_TYPE; +- goto out; ++ if (!(_dbus_type_is_valid (*p) && dbus_type_is_basic (*p))) ++ { ++ result = DBUS_INVALID_DICT_KEY_MUST_BE_BASIC_TYPE; ++ goto out; ++ } + } +- ++ + last = *p; + ++p; + } +-- +cgit v0.8.2
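Review bot: The debian/control hunk (Suggests: dbus-1-dev changed to libdbus-1-dev) is not mentioned anywhere in the new changelog entry, which lists only the CVE-2009-1189 patch; a stable update should document every packaging change, so add a bullet such as "* debian/control: Suggest libdbus-1-dev instead of the nonexistent dbus-1-dev" next to the security item.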
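Review bot: The changelog hunk targets "stable-security", but the target file path in the header (/org/ftp.debian.org/queue/p-u-new/dbus_1.2.1-5+lenny1.dsc) shows this upload going through the proposed-updates queue; the distribution field should match the queue actually used (stable or the security distribution, not both), otherwise the upload is liable to be rejected or mis-filed. The maintainer line "-- Michael Biebl Thu, 18 Jun 2009 06:12:34 +0200" is also missing the e-mail address between the name and the date that the changelog format requires.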
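Review bot: In the dbus-marshal-validate-util.c region of 52-CVE-2009-1189.patch, the missing comma after "(" meant the C compiler concatenated the adjacent string literals into "(a{(ii)i}", so the test list never contained the dict-entry case with a non-basic key; the added comma is the right fix, and it is worth confirming in the build log that the test suite actually runs during the package build, since this is the check that would have caught the broken CVE-2008-3834 fix.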
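Review bot: The dbus-marshal-validate.c region is the substantive fix and the new condition is correct: the old test `_dbus_type_is_valid (*p) && !dbus_type_is_basic (*p)` was false for an invalid type byte, so the code fell through and accepted the signature, whereas `!(_dbus_type_is_valid (*p) && dbus_type_is_basic (*p))` rejects both invalid types and valid non-basic types as dict keys. One behavioural side effect worth noting in the changelog or patch header: an invalid type byte following "{" now yields DBUS_INVALID_DICT_KEY_MUST_BE_BASIC_TYPE rather than whichever invalid-type reason the later check would have produced, which is harmless for security but changes the reported reason. The "- " / "+" pair near the end is a whitespace-only change to a blank line and could be dropped to keep the security patch minimal.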