Advisories » MGASA-2022-0365

Updated dbus packages fix security vulnerability

Publication date: 08 Oct 2022
Modification date: 08 Oct 2022
Type: security
Affected Mageia releases : 8
CVE: CVE-2022-42010 , CVE-2022-42011 , CVE-2022-42012

Description

A syntactically invalid type signature with incorrectly nested parentheses
and curly brackets would cause an assertion failure in debug builds.
Similar messages could potentially result in a crash or incorrect message
processing in a production build, although we are not aware of a practical
example. (CVE-2022-42010)

An invalid array of fixed-length elements where the length of the array is
not a multiple of the length of the element would cause an assertion
failure in debug builds or an out-of-bounds read in production builds.
(CVE-2022-42011)

A message in non-native endianness with out-of-band Unix file descriptors
would cause a use-after-free and possible memory corruption in production
builds, or an assertion failure in debug builds. (CVE-2022-42012)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=30941
• https://www.openwall.com/lists/oss-security/2022/10/06/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42010
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42011
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42012

SRPMS

8/core

• dbus-1.13.18-3.1.mga8