CVE-2008-0595
CVSS 4.6
Published: 2008-02-29 14:44:00
Last modified: 2017-09-28 21:30:21

[Original] dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface.


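[CNNVD] D-Bus send_interface attribute permissions and access control vulnerability (CNNVD-200802-526)

        D-BUS is a message bus system designed for communication between applications.
        When evaluating whether a call should be carried out, the bus daemon consults the security policy to determine whether the caller is allowed to make that call. The security policies of many dbus services contain lines similar to the following:
        
        which whitelist the specific interfaces that users in a particular policy context may call. Normally dbus methods are called fully qualified, that is, both the interface the method belongs to and the method name are passed to the bus daemon, but the bus daemon does not require method calls to be fully qualified. If the caller passes only a NULL interface, the bus daemon tries to find the interface of the corresponding method and performs the call on that interface. In this case the send_interface attribute of the allow directive is ignored,
         "
        is interpreted as. This means that if the dbus policy file contains any directive for a particular context, that context is allowed to call unqualified methods.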

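- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-264 [Permissions, Privileges, and Access Controls]

- CPE (affected platforms and products)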

cpe:/o:d-bus:inter-process_communication_system:1.1.4
cpe:/o:red_hat:enterprise_linux:5::server
cpe:/o:mandrakesoft:mandrake_linux:2007.1 MandrakeSoft Mandrake Linux 2007.1
cpe:/o:mandrakesoft:mandrake_linux:2007.1::x86-64
cpe:/o:mandrakesoft:mandrake_linux:2008.0::x86-64
cpe:/o:mandrakesoft:mandrake_linux:2008.0 MandrakeSoft Mandrake Linux 2008.0
cpe:/o:red_hat:enterprise_linux_desktop_workstation:5::client
cpe:/o:d-bus:inter-process_communication_system:0.22
cpe:/o:d-bus:inter-process_communication_system:1.0.2
cpe:/o:d-bus:inter-process_communication_system:0.20
cpe:/o:d-bus:inter-process_communication_system:1.0.1
cpe:/o:d-bus:inter-process_communication_system:0.23
cpe:/o:d-bus:inter-process_communication_system:0.21
cpe:/o:red_hat:enterprise_linux_desktop:5::client
cpe:/o:mandrakesoft:mandrake_linux:2007.0_x86_64
cpe:/o:d-bus:inter-process_communication_system:0.13
cpe:/o:mandrakesoft:mandrake_linux:2007 MandrakeSoft Mandrake Linux 2007.0
cpe:/o:d-bus:inter-process_communication_system:1.0
cpe:/o:redhat:fedora:7 Fedora 7

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9353 dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy ...
oval:org.mitre.oval:def:22397 ELSA-2008:0159: dbus security update (Moderate)
oval:org.mitre.oval:def:8119 DSA-1599 dbus -- programming error
*OVAL describes in detail how to detect this vulnerability; further technical details for detecting it can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0595
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0595
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200802-526
(official data source) CNNVD

- Other links and resources

http://lists.freedesktop.org/archives/dbus/2008-February/009401.html
(PATCH)  MLIST  [dbus] 20080227 [ANNOUNCE] CVE-2008-0595 D-Bus Security Releases - D-Bus 1.0.3 and D-Bus 1.1.20
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html
(UNKNOWN)  SUSE  SUSE-SR:2008:006
http://lists.opensuse.org/opensuse-updates/2012-10/msg00094.html
(UNKNOWN)  SUSE  openSUSE-SU-2012:1418
http://securitytracker.com/id?1019512
(UNKNOWN)  SECTRACK  1019512
http://wiki.rpath.com/Advisories:rPSA-2008-0099
(UNKNOWN)  CONFIRM  http://wiki.rpath.com/Advisories:rPSA-2008-0099
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0099
(UNKNOWN)  CONFIRM  http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0099
http://www.debian.org/security/2008/dsa-1599
(UNKNOWN)  DEBIAN  DSA-1599
http://www.j5live.com/2008/02/27/announce-d-bus-1120-conisten-water-released/
(UNKNOWN)  CONFIRM  http://www.j5live.com/2008/02/27/announce-d-bus-1120-conisten-water-released/
http://www.mandriva.com/security/advisories?name=MDVSA-2008:054
(UNKNOWN)  MANDRIVA  MDVSA-2008:054
http://www.redhat.com/support/errata/RHSA-2008-0159.html
(UNKNOWN)  REDHAT  RHSA-2008:0159
http://www.securityfocus.com/archive/1/archive/1/489280/100/0/threaded
(UNKNOWN)  BUGTRAQ  20080307 rPSA-2008-0099-1 dbus dbus-glib dbus-qt dbus-x11
http://www.securityfocus.com/bid/28023
(PATCH)  BID  28023
http://www.ubuntu.com/usn/usn-653-1
(UNKNOWN)  UBUNTU  USN-653-1
http://www.vupen.com/english/advisories/2008/0694
(UNKNOWN)  VUPEN  ADV-2008-0694
https://issues.rpath.com/browse/RPL-2282
(UNKNOWN)  CONFIRM  https://issues.rpath.com/browse/RPL-2282
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00893.html
(UNKNOWN)  FEDORA  FEDORA-2008-2043
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00911.html
(UNKNOWN)  FEDORA  FEDORA-2008-2070

- Vulnerability information

D-Bus send_interface attribute permissions and access control vulnerability
Medium severity  Permissions and access control
2008-02-29 00:00:00 2008-11-21 00:00:00
Local

- Advisories and patches

        The vendor has released upgrade patches that fix this security issue. Patch download links:
        http://www.debian.org/security/2008/dsa-1599
        http://dbus.freedesktop.org/releases/dbus/dbus-1.0.3.tar.gz
        http://dbus.freedesktop.org/releases/dbus/dbus-1.1.20.tar.gz

- Vulnerability information (F70899)

Ubuntu Security Notice 653-1 (PacketStormID:F70899)
2008-10-14 00:00:00
Ubuntu  security.ubuntu.com
advisory,denial of service,local
linux,ubuntu
CVE-2008-0595,CVE-2008-3834

Ubuntu Security Notice 653-1 - Havoc Pennington discovered that the D-Bus daemon did not correctly validate certain security policies. If a local user sent a specially crafted D-Bus request, they could bypass security policies that had a "send_interface" defined. It was discovered that the D-Bus library did not correctly validate certain corrupted signatures. If a local user sent a specially crafted D-Bus request, they could crash applications linked against the D-Bus library, leading to a denial of service.

===========================================================
Ubuntu Security Notice USN-653-1           October 14, 2008
dbus vulnerabilities
CVE-2008-0595, CVE-2008-3834
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libdbus-1-2                     0.60-6ubuntu8.3

Ubuntu 7.04:
  libdbus-1-3                     1.0.2-1ubuntu4.2

Ubuntu 7.10:
  libdbus-1-3                     1.1.1-3ubuntu4.2

Ubuntu 8.04 LTS:
  libdbus-1-3                     1.1.20-1ubuntu3.1

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

Details follow:

Havoc Pennington discovered that the D-Bus daemon did not correctly
validate certain security policies.  If a local user sent a specially
crafted D-Bus request, they could bypass security policies that had a
"send_interface" defined. (CVE-2008-0595)

It was discovered that the D-Bus library did not correctly validate
certain corrupted signatures.  If a local user sent a specially crafted
D-Bus request, they could crash applications linked against the D-Bus
library, leading to a denial of service. (CVE-2008-3834)


Updated packages for Ubuntu 6.06 LTS:


Updated packages for Ubuntu 7.04:


Updated packages for Ubuntu 7.10:


Updated packages for Ubuntu 8.04 LTS:


    

- Vulnerability information (F67732)

Debian Linux Security Advisory 1599-1 (PacketStormID:F67732)
2008-06-27 00:00:00
Debian  debian.org
advisory,local
linux,debian
CVE-2008-0595

Debian Security Advisory 1599-1 - Havoc Pennington discovered that DBus, a simple interprocess messaging system, performs insufficient validation of security policies, which might allow local privilege escalation.


------------------------------------------------------------------------
Debian Security Advisory DSA-1599-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
June 26, 2008                         http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : dbus
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-0595

Havoc Pennington discovered that DBus, a simple interprocess messaging
system, performs insufficient validation of security policies, which
might allow local privilege escalation.

For the stable distribution (etch), this problem has been fixed in
version 1.0.2-1+etch1.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.20-1.

We recommend that you upgrade your dbus packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Stable updates are available for alpha, amd64, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

    Size/MD5 checksum:   339832 1c5aa280dd6c85a84aa055d42567df48
  http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch1_sparc.deb
    Size/MD5 checksum:   336064 5df693a86ae33bbbf5e135da8024d46e


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- Vulnerability Information (F64145)

Mandriva Linux Security Advisory 2008-054 (PacketStormID:F64145)
2008-02-29 00:00:00
Mandriva  mandriva.com
advisory
linux,mandriva
CVE-2008-0595

Mandriva Linux Security Advisory - A vulnerability was discovered by Havoc Pennington in how the dbus-daemon applied its security policy. A user with the ability to connect to the dbus-daemon could possibly execute certain method calls that they should not normally have access to.

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDVSA-2008:054
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : dbus
 Date    : February 28, 2008
 Affected: 2007.0, 2007.1, 2008.0
 _______________________________________________________________________
 
 Problem Description:
 
 A vulnerability was discovered by Havoc Pennington in how the
 dbus-daemon applied its security policy.  A user with the ability
 to connect to the dbus-daemon could possibly execute certain method
 calls that they should not normally have access to.
 
 The updated packages have been patched to correct these issues.
 
 Users will have to reboot the system once these packages have been
 installed in order to prevent problems due to service dependencies
 on the messagebus service.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0595
 _______________________________________________________________________
 
 Updated Packages:
 
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

- Vulnerability Information

43038
D-Bus dbus-daemon send_interface Local Security Policy Bypass
Vendor Verified

- Vulnerability Description

- Timeline

2008-02-27 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete

- Vulnerability Information

D-Bus 'send_interface' Attribute Security Policy Bypass Vulnerability
Design Error 28023
No Yes
2008-02-27 12:00:00 2008-10-15 02:47:00
Havoc Pennington discovered this issue.

- Affected Versions

Ubuntu Ubuntu Linux 8.04 LTS sparc
Ubuntu Ubuntu Linux 8.04 LTS powerpc
Ubuntu Ubuntu Linux 8.04 LTS lpia
Ubuntu Ubuntu Linux 8.04 LTS i386
Ubuntu Ubuntu Linux 8.04 LTS amd64
Ubuntu Ubuntu Linux 7.10 sparc
Ubuntu Ubuntu Linux 7.10 powerpc
Ubuntu Ubuntu Linux 7.10 lpia
Ubuntu Ubuntu Linux 7.10 i386
Ubuntu Ubuntu Linux 7.10 amd64
Ubuntu Ubuntu Linux 7.04 sparc
Ubuntu Ubuntu Linux 7.04 powerpc
Ubuntu Ubuntu Linux 7.04 i386
Ubuntu Ubuntu Linux 7.04 amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
SuSE SUSE Linux Enterprise Server 9 SP3
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SuSE SUSE Linux Enterprise Server 10 SP1
SuSE SUSE Linux Enterprise Server 10
SuSE SUSE Linux Enterprise SDK 10.SP1
SuSE SUSE Linux Enterprise SDK 10 SP1
SuSE SUSE Linux Enterprise SDK 10
SuSE SUSE Linux Enterprise SDK 10
SuSE SUSE Linux Enterprise Desktop 10 SP1
SuSE SUSE Linux Enterprise Desktop 10
SuSE SUSE Linux Enterprise 10 SP1 DEBUGINFO
SuSE SUSE Linux Enterprise 10 SP1 DEBUGINFO
SuSE Linux Professional 10.2 x86_64
SuSE Linux Personal 10.2 x86_64
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. SuSE Linux Open-Xchange 4.1
S.u.S.E. SUSE Linux Enterprise Server RT Solution 10 0
S.u.S.E. openSUSE 10.3
S.u.S.E. openSUSE 10.2
S.u.S.E. openSUSE 10.1
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Open-Enterprise-Server 1
S.u.S.E. Open-Enterprise-Server 0
S.u.S.E. Office Server
S.u.S.E. Novell Linux POS 9
S.u.S.E. Novell Linux Desktop SDK 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Novell Linux Desktop 1.0
S.u.S.E. Novell Linux Desktop 9
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 10.2
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 10.2
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Enterprise Server 10.SP1
S.u.S.E. Linux Enterprise Server 10
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux Desktop 10
S.u.S.E. Linux 10.1 x86-64
S.u.S.E. Linux 10.1 x86
S.u.S.E. Linux 10.1 ppc
S.u.S.E. Linux 10.0 x86-64
S.u.S.E. Linux 10.0 x86
S.u.S.E. Linux 10.0 ppc
rPath rPath Linux 1
RedHat Enterprise Linux Desktop Workstation 5 client
Red Hat Fedora 8
Red Hat Fedora 7
Red Hat Enterprise Linux Desktop 5 client
Red Hat Enterprise Linux 5 Server
Mandriva Linux Mandrake 2008.0 x86_64
Mandriva Linux Mandrake 2008.0
Mandriva Linux Mandrake 2007.1 x86_64
Mandriva Linux Mandrake 2007.1
Mandriva Linux Mandrake 2007.0 x86_64
Mandriva Linux Mandrake 2007.0
Debian Linux 4.0 sparc
Debian Linux 4.0 s/390
Debian Linux 4.0 powerpc
Debian Linux 4.0 mipsel
Debian Linux 4.0 mips
Debian Linux 4.0 m68k
Debian Linux 4.0 ia-64
Debian Linux 4.0 ia-32
Debian Linux 4.0 hppa
Debian Linux 4.0 arm
Debian Linux 4.0 amd64
Debian Linux 4.0 alpha
Debian Linux 4.0
D-BUS Inter-Process Communication System 1.1.4
D-BUS Inter-Process Communication System 1.0.2
D-BUS Inter-Process Communication System 1.0.1
D-BUS Inter-Process Communication System 1.0
D-BUS Inter-Process Communication System 0.23
D-BUS Inter-Process Communication System 0.22
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
+ Ubuntu Ubuntu Linux 4.1 ia32
D-BUS Inter-Process Communication System 0.21
D-BUS Inter-Process Communication System 0.20
D-BUS Inter-Process Communication System 0.13
D-BUS Inter-Process Communication System 1.1.20
D-BUS Inter-Process Communication System 1.0.3

- Unaffected Versions

D-BUS Inter-Process Communication System 1.1.20
D-BUS Inter-Process Communication System 1.0.3

- Discussion

D-Bus is prone to a vulnerability that can allow attackers to bypass its security policy.

Attackers can leverage this issue to access certain 'dbus-daemon' method calls without proper permission.

This issue affects versions prior to D-Bus 1.0.3 and 1.2.20.

- Exploit

An attacker can exploit this issue with readily available tools.

- Solution

The vendor released fixes to address this issue. Please see the references for more information.


Ubuntu Ubuntu Linux 7.10 powerpc

Ubuntu Ubuntu Linux 8.04 LTS powerpc

Ubuntu Ubuntu Linux 8.04 LTS sparc

Ubuntu Ubuntu Linux 6.06 LTS sparc

Ubuntu Ubuntu Linux 8.04 LTS amd64

Ubuntu Ubuntu Linux 7.10 sparc

Ubuntu Ubuntu Linux 7.04 i386

Ubuntu Ubuntu Linux 7.04 amd64

Ubuntu Ubuntu Linux 6.06 LTS powerpc

Ubuntu Ubuntu Linux 8.04 LTS lpia

Ubuntu Ubuntu Linux 7.10 lpia

Ubuntu Ubuntu Linux 6.06 LTS i386

Ubuntu Ubuntu Linux 7.10 i386

Ubuntu Ubuntu Linux 6.06 LTS amd64

D-BUS Inter-Process Communication System 1.0

D-BUS Inter-Process Communication System 1.0.1

D-BUS Inter-Process Communication System 1.1.4

- References
