GNOME Bugzilla – Bug 654497
[dbus] use-after-free in ensure_dbus_connection()
Last modified: 2011-07-13 09:04:37 UTC
I tried using the D-Bus-using version of GConf under valgrind, with an instrumented version of libdbus which stops trying to be clever about re-using allocated memory [1]. There are several use-after-frees whose backtrace can be simplified to:

    ==5141== Invalid read of size 1
    ==5141==    at 0x4836718: strlen (mc_replace_strmem.c:282)
    ==5141==    by 0x60E7DFB: g_strdup (gstrfuncs.c:101)
    ==5141==    by 0x600E213: ensure_database (gconf-dbus.c:370)
    [... some stuff ...]
    ==5141==  Address 0x771bd7d is 5 bytes inside a block of size 40 free'd
    ==5141==    at 0x4834540: free (vg_replace_malloc.c:366)
    ==5141==    by 0x4BDF633: _dbus_string_free (dbus-string.c:270)
    ==5141==    by 0x4BAD367: dbus_message_finalize (dbus-message.c:1138)
    ==5141==    by 0x600E1E3: ensure_database (gconf-dbus.c:557)
    [... the same stuff ...]

These are GConf's fault. They exist but aren't visible to valgrind with the normal libdbus, because libdbus normally recycles messages from a free-list, without giving them back to the system malloc machinery.

Here is the offending code:

    /* @db is a pointer into storage owned by @reply, not a copy */
    dbus_message_get_args (reply, NULL, DBUS_TYPE_STRING, &db, DBUS_TYPE_INVALID);
    /* dropping the last reference frees @reply, and with it the string @db points at */
    dbus_message_unref (reply);
    if (db == NULL) { /* ... handle error ... */ }
    gconf_engine_set_database (conf, db);

If the last quoted line is reached, @db points into @reply - which has potentially already been freed.

[1] https://bugs.freedesktop.org/show_bug.cgi?id=37286
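Added illustration, not code from the bug report or from GConf/libdbus: a small model of the message free-list the comment describes, with the reporter's unref-before-use ordering beside the copy-before-unref fix. Names (Message, message_new, message_get_string_arg, message_unref, ensure_database_buggy/fixed) and the "/constructed/db/path" argument are constructed for the model; the point it shows is that once a block is recycled from the pool the stale pointer quietly yields another message's argument, with no crash and nothing for valgrind to flag.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Model (not libdbus itself) of the message free-list described above: an
 * unref'd message is parked on free_list and handed out again by message_new(),
 * so the block never goes back to malloc and valgrind stays silent. */
typedef struct Message {
    int refcount;
    char body[40];          /* the STRING argument, owned by the message */
    struct Message *next;   /* free-list link, used once refcount hits 0 */
} Message;
static Message *free_list = NULL;

static Message *message_new(const char *arg) {
    Message *m = free_list;
    if (m) free_list = m->next; else if (!(m = calloc(1, sizeof *m))) abort();
    m->refcount = 1;
    snprintf(m->body, sizeof m->body, "%s", arg);
    return m;
}

/* Like dbus_message_get_args(..., DBUS_TYPE_STRING, &db, ...): the caller gets a
 * pointer into the message's own storage, valid only while the message lives. */
static const char *message_get_string_arg(const Message *m) { return m->body; }

static void message_unref(Message *m) {
    if (--m->refcount == 0) { m->next = free_list; free_list = m; }
}

/* Ordering from the bug report: unref first, use the borrowed pointer afterwards.
 * As soon as another message is allocated the pool reuses the block, so db
 * quietly yields that message's argument instead of the database name. */
static char *ensure_database_buggy(Message *reply) {
    const char *db = message_get_string_arg(reply);
    message_unref(reply);                              /* db now dangles */
    Message *other = message_new("unrelated-reply");   /* same block, reused */
    char *result = strdup(db);                         /* wrong value, no crash */
    message_unref(other);
    return result;
}

/* The fix: copy the argument while the reply is still alive, then drop the reply. */
static char *ensure_database_fixed(Message *reply) {
    char *db = strdup(message_get_string_arg(reply));  /* own copy first */
    message_unref(reply);
    Message *other = message_new("unrelated-reply");   /* reuse is now harmless */
    message_unref(other);
    return db;
}
```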
Created attachment 191843: patch
Review of attachment 191843: Ooh, hot instrumented DBus action. Great, thanks, please commit.
Fixed in master, 408fa0e