CVE-2015-0245
Published: 13 February 2015
D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.
Notes
Author | Note |
---|---|
seth-arnold | The policy change is recommended for stable use, though the code-based changes were made for platforms where uid==0 may not be omnipotent -- we should probably use both in our packages, or at least both for the versions with distro-patched AppArmor support. |
Priority
Status
Package | Release | Status |
---|---|---|
dbus (Launchpad, Ubuntu, Debian) | lucid | Not vulnerable |
dbus | precise | Released (1.4.18-1ubuntu1.8) |
dbus | trusty | Released (1.6.18-0ubuntu4.4) |
dbus | upstream | Released (1.8.16-1) |
dbus | utopic | Ignored (end of life) |
dbus | vivid | Ignored (end of life) |
dbus | wily | Not vulnerable (1.10.0-1ubuntu1) |
dbus | xenial | Not vulnerable (1.10.6-1ubuntu3) |
dbus | yakkety | Not vulnerable (1.10.6-1ubuntu3) |
dbus | zesty | Not vulnerable (1.10.6-1ubuntu3) |
Patches:
upstream: http://cgit.freedesktop.org/dbus/dbus/commit/?id=6dbd09fedc396c53b25ea73c6c8a278beca349c7
upstream: http://cgit.freedesktop.org/dbus/dbus/commit/?id=aaea59916398d1c590490edb0471a01bcf20e6d7
upstream: http://cgit.freedesktop.org/dbus/dbus/commit/?id=03c5e161752fe1ff4925955800ca9c78d09a6e0c
upstream: http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=6dbd09fedc396c53b25ea73c6c8a278beca349c7
upstream: http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.6&id=f9697e04f1c9871cb54a99f087e97e4bb9e41e06