CVE-2014-3477

Published: 01 July 2014

The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.

Priority

Medium

Notes

Author: mdeslaur
Note: we will not be backporting this fix to lucid as the impact is not important and dbus is unlikely to be used on servers.
