[arch-security] [ASA-201502-10] dbus: denial of service
Levente Polyak
anthraxx at archlinux.org
Tue Feb 10 00:09:46 UTC 2015
Arch Linux Security Advisory ASA-201502-10
==========================================
Severity: Medium
Date : 2015-02-10
CVE-ID : CVE-2015-0245
Package : dbus
Type : denial of service
Remote : No
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package dbus before version 1.8.16-1 is vulnerable to denial of service.
Resolution
==========
Upgrade to 1.8.16-1.
# pacman -Syu "dbus>=1.8.16-1"
The problem has been fixed upstream in version 1.8.16.
Workaround
==========
None.
Description
===========
Systemd sends back an ActivationFailure D-Bus signal if the activation
fails. However, when it receives these signals, dbus-daemon does not
verify that the signal actually came from systemd. A malicious local
user could send repeated ActivationFailure signals in the hope that it
would "win the race" with the genuine signal, causing D-Bus to send back
an error to the client that requested activation.
Impact
======
A local attacker could send repeated ActivationFailure signals, causing
D-Bus to potentially send back an error to the client that requested
activation resulting in denial of service.
References
==========
http://lists.freedesktop.org/archives/dbus/2015-February/016553.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0245
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150210/238708a1/attachment.asc>
More information about the arch-security
mailing list