CVE-2014-3636
Published: 17 September 2014
D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call.
Notes
| Author | Note |
|---|---|
| mdeslaur | commit in 1.6 seems to have wrong header only affects >= 1.3.0 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
dbus Launchpad, Ubuntu, Debian |
lucid |
Not vulnerable
(1.2.16-2ubuntu4.7)
|
| precise |
Released
(1.4.18-1ubuntu1.6)
|
|
| trusty |
Released
(1.6.18-0ubuntu4.2)
|
|
| upstream |
Released
(1.6.24,1.8.8)
|
|
|
Patches: upstream: http://cgit.freedesktop.org/dbus/dbus/commit/?id=6465e37c8ff70a714e302d0c9e6534fa6181fce6 upstream: http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.6&id=346da99f7620e6901e7c7babd4590fcc5aac32bf |
||