CVE-2014-3477
Published: 1 July 2014
The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.
Notes
Author | Note |
---|---|
mdeslaur | we will not be backporting this fix to lucid as the impact is not important and dbus is unlikely to be used on servers. |
Priority
Status
Package | Release | Status |
---|---|---|
dbus (Launchpad, Ubuntu, Debian) | lucid | Ignored |
dbus | precise | Released (1.4.18-1ubuntu1.5) |
dbus | saucy | Released (1.6.12-0ubuntu10.1) |
dbus | trusty | Released (1.6.18-0ubuntu4.1) |
dbus | upstream | Released (1.8.4-1,1.6.20) |
Patches:
upstream: http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=24c590703ca47eb71ddef453de43126b90954567
upstream: http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.6&id=cab1c56bb9d70469128d2ae1c40539c0d3b30f13
upstream: http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.4&id=4815aba0d3695afe871e9002ba474ce36c5299b4
upstream: http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=72a8759c224ec37b75a7631c7d90ce266a4bf3bd