Page 2 of 9 results (0.004 seconds)

CVSS: 3.6EPSS: 0%CPEs: 49EXPL: 2

CVE-2009-1189 – dbus: invalid fix for CVE-2008-3834

https://notcve.org/view.php?id=CVE-2009-1189

The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for CVE-2008-3834. La función _dbus_validate_signature_with_reason (dbus-marshal-validate.c) en D-Bus (también conocido como DBus) en versiones anteriores a 1.2.14 utiliza lógica incorrecta para validar un tipo básico, lo que permite a atacantes remotos suplantar una firma a través de una clave manipulada. NOTA: esto es debido a una solución incorrecta para CVE-2008-3834. • http://bugs.freedesktop.org/show_bug.cgi?id=17803 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 http://lists.vmware.com/pipermail/security-announce/2010/000082.html http://secunia.com/advisories/32127 http://secunia.com/advisories/35810 http://secunia.com/advisories/38794 http://www.freedesktop.org/wiki/Software/dbus#head-dad0dab297a44f1d7a3b1259cfc06b583fd6a88a http://www.openwall.com/lists/oss-security/2009/04/16/13 http://www.securityfocus.com/bid/31602 http://www • CWE-20: Improper Input Validation •

CVSS: 4.6EPSS: 0%CPEs: 46EXPL: 0

CVE-2008-4311

https://notcve.org/view.php?id=CVE-2008-4311

The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits the send_type attribute in certain rules, which allows local users to bypass intended access restrictions by (1) sending messages, related to send_requested_reply; and possibly (2) receiving messages, related to receive_requested_reply. La configuración por defecto de system.conf en D-Bus (alias DBus) y versiones anteriores a 1.2.6 omite el atributo send_type en ciertas reglas, el cual permite a los usuarios locales evitar las restricciones de acceso (1) enviando mensajes, en relación a send_requested_reply; y posiblemente (2) recibiendo mensajes, relativos a receive_requested_reply. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503532 http://forums.fedoraforum.org/showthread.php?t=206797 http://lists.freedesktop.org/archives/dbus/2008-December/010702.html http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html http://lists.opensuse.org/opensuse-updates/2012-10/msg00094.html http://secunia.com/advisories/ • CWE-16: Configuration •

CVSS: 2.1EPSS: 1%CPEs: 44EXPL: 1

CVE-2008-3834 – D-Bus Daemon < 1.2.4 - 'libdbus' Denial of Service

https://notcve.org/view.php?id=CVE-2008-3834

The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error. La función dbus_signature_validat en la librería D-bus (libdbus), versiones anteriores a 1.2.4, permite a los atacantes remotos causar una denegación de servicios (aplicación suspendida) a través de un mensaje que contiene una firma mal formada, el cual lanza un error assertion. • https://www.exploit-db.com/exploits/7822 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html http://lists.opensuse.org/opensuse-updates/2012-10/msg00094.html http://secunia.com/advisories/32127 http://secunia.com/advisories/32230 http://secunia.com/advisories/32281 http://secunia.com/advisories/32385 http://secunia.com/advisories/33396 http://www.debian.org/security/2008/dsa-1658 http://ww • CWE-20: Improper Input Validation •

CVSS: 4.6EPSS: 0%CPEs: 11EXPL: 0

CVE-2008-0595 – dbus security policy circumvention

https://notcve.org/view.php?id=CVE-2008-0595

dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface. dbus-daemon en D-Bus anterior a 1.0.3 y 1.1.x anterior a 1.1.20, reconoce atributos de send_interface en directivas de permiso en la política de seguridad sólo para llamadas a métodos completamente cualificados, esto permite a usuarios locales evitar las restricciones de acceso pretendidas mediante llamadas a métodos con una interfaz NULL. • http://lists.freedesktop.org/archives/dbus/2008-February/009401.html http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html http://lists.opensuse.org/opensuse-updates/2012-10/msg00094.html http://secunia.com/advisories/29148 http://secunia.com/advisories/29160 http://secunia.com/advisories/29171 http://secunia.com/advisories/29173 http://secunia.com/advisories/29281 http://secunia.com/advisories/29323 http://secunia.com/advisories/30869 http://secunia.com/advisorie • CWE-863: Incorrect Authorization •