[CVE-2008-4311] DBus 1.2.6

Please don’t yet update DBus for CVE-2008-4311. It’s known to break PackageKit, cups, ConsoleKit, DeviceKit, DeviceKit-power, gdm, and system-config-services. There’s a partial bugfix that has been pushed so PackageKit tools still run (without the GetTid or SetLocale errors), but as introspection is still broken there’ll be odd little warnings and errors for other stuff.

I do understand how important this update is, but given this wasn’t a root login vulnerability, or anything crazy like that, I’m surprised it didn’t sit in updates-testing for a few days to fix up all the other system daemons. The worst bit is that it’s broken automatic updates for thousands of people.

I’m planning to spend this morning closing duplicate bugzillas. Fun.

14 responses to “[CVE-2008-4311] DBus 1.2.6”

  1. Richard

    Yah, that has caused me a lot of pain to-day :(

  2. Karl Lattimer

    Did anyone in fedora actually test this bug before it was pushed to repos? I mean it is probably the worst update bug I’ve seen yet… mostly as it breaks updates ?!?!

    Also, has anyone tried to pull it from the repo? I updated on Sunday around midday and it broke PackageKit; now I’ve got two systems with a broken PackageKit (among other things) and no sign of a downgrade going… No warnings either until this morning. Not that most people would have gotten that warning.

    Fedora need to issue a newer package that reverses this fix and test the fix properly and they need to do this pdq!

  3. Maxious

    Read this post on Planet Gnome, laughed, realised I too run fedora with the testing repo and I did an update today, cursed self ;)

    Thanks for the workaround!

  4. Adam Williamson

    Why don’t you guys just pull the update?

  5. Lunduke.com » Fedora update breaks… Fedora

    […] Richard Hughes blog: “Please don’t yet update DBus for CVE-2008-4311. It’s known to break PackageKit, cups, […]

  6. Tom

    Wow, it must suck to be you :P

    (Or a Fedora user like me :P )

    Will this fuck-up be fixable with just another update??

  7. anonymous fedora user

    Rather inexcusable patch management from the Fedora project.

    Like people ask above: do you really push patches to non-rawhide without actually testing them?

    Hopefully the aftermath discussion leads to some practical resolution; otherwise another nail in the coffin of Fedora’s so-called “quality assurance”.

  8. fedora10user

    guys .. duh
    this update ducked my fedora 10 Cambridge box :S
    please if you knew any updates let us know …
    thanks ..

  9. al

    Fedora 10’s “state-of-the-art” image was considerably scratched by this.

  10. Alena

    I recently came across your blog and have been reading along. I thought I would leave my first comment. I don’t know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.
