[arch-security] [Arch Linux Security Advisory ASA-201411-28] dbus: denial of service
Levente Polyak
anthraxx at archlinux.org
Sun Nov 23 23:46:29 UTC 2014
Arch Linux Security Advisory ASA-201411-28
==========================================
Severity: Medium
Date : 2014-11-23
CVE-ID : CVE-2014-7824
Package : dbus
Type : denial of service
Remote : No
Link : https://wiki.archlinux.org/index.php/CVE-2014
Summary
=======
The package dbus before version 1.8.10-1 is vulnerable to denial of
service via file descriptor exhaustion.
Resolution
==========
Upgrade to 1.8.10-1.
# pacman -Syu "dbus>=1.8.10-1"
The problem has been fixed upstream in version 1.8.10.
Workaround
==========
None.
Description
===========
The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on
incorrect reasoning and does not fully prevent the attack described in
the impact section below. Preventing that attack requires raising the
system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a higher value.
Impact
======
A local attacker is able to queue up the maximum allowed number of file
descriptors to reach the system dbus-daemon's RLIMIT_NOFILE resulting in
a denial of service in two ways:
- new clients would be unable to connect to the dbus-daemon
- when receiving a subsequent message from a non-malicious client that
contained a fd, dbus-daemon would receive the MSG_CTRUNC flag,
indicating that the list of fds was truncated; kernel fd-passing APIs
do not provide any way to recover from that, so dbus-daemon responds
to MSG_CTRUNC by disconnecting the sender, causing denial of service
to that sender
References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7824
http://www.openwall.com/lists/oss-security/2014/11/10/2
https://bugs.freedesktop.org/show_bug.cgi?id=85105
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20141124/09a8c02e/attachment.bin>
More information about the arch-security
mailing list