Arch Linux Security Advisory ASA-201411-28 ========================================== Severity: Medium Date : 2014-11-23 CVE-ID : CVE-2014-7824 Package : dbus Type : denial of service Remote : No Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package dbus before version 1.8.10-1 is vulnerable to denial of service via file descriptor exhaustion. Resolution ========== Upgrade to 1.8.10-1. # pacman -Syu "dbus>=1.8.10-1" The problem has been fixed upstream in version 1.8.10. Workaround ========== None. Description =========== The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on incorrect reasoning and does not fully prevent the attack described in the impact section below. Preventing that attack requires raising the system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a higher value. Impact ====== A local attacker is able to queue up the maximum allowed number of file descriptors to reach the system dbus-daemon's RLIMIT_NOFILE resulting in a denial of service in two ways: - new clients would be unable to connect to the dbus-daemon - when receiving a subsequent message from a non-malicious client that contained a fd, dbus-daemon would receive the MSG_CTRUNC flag, indicating that the list of fds was truncated; kernel fd-passing APIs do not provide any way to recover from that, so dbus-daemon responds to MSG_CTRUNC by disconnecting the sender, causing denial of service to that sender References ========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7824 http://www.openwall.com/lists/oss-security/2014/11/10/2 https://bugs.freedesktop.org/show_bug.cgi?id=85105