Arch Linux Security Advisory ASA-201502-10 ========================================== Severity: Medium Date : 2015-02-10 CVE-ID : CVE-2015-0245 Package : dbus Type : denial of service Remote : No Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package dbus before version 1.8.16-1 is vulnerable to denial of service. Resolution ========== Upgrade to 1.8.16-1. # pacman -Syu "dbus>=1.8.16-1" The problem has been fixed upstream in version 1.8.16. Workaround ========== None. Description =========== Systemd sends back an ActivationFailure D-Bus signal if the activation fails. However, when it receives these signals, dbus-daemon does not verify that the signal actually came from systemd. A malicious local user could send repeated ActivationFailure signals in the hope that it would "win the race" with the genuine signal, causing D-Bus to send back an error to the client that requested activation. Impact ====== A local attacker could send repeated ActivationFailure signals, causing D-Bus to potentially send back an error to the client that requested activation resulting in denial of service. References ========== http://lists.freedesktop.org/archives/dbus/2015-February/016553.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0245