Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2023-34969

Published: 8 June 2023

D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.

Notes

AuthorNote
mdeslaur
This is only an issue if a privileged user is currently using a
debugging tool, and only causes a DoS, so setting priority to
low.
1.8.x and older are not affected.
eslerm
addressed in b159849e ("bus: Assign a serial number for messages from the driver")
eslerm
MR 408 contains fix, reproducer, and errata

Priority

Low

Cvss 3 Severity Score

6.5

Score breakdown

Status

Package Release Status
dbus
Launchpad, Ubuntu, Debian
bionic Needed

focal Needed

jammy Needed

kinetic Ignored
(end of life, was needed)
lunar Ignored
(end of life, was needed)
mantic Needed

trusty Not vulnerable
(code not present)
upstream
Released (1.12.28,1.14.8,1.15.6)
xenial
Released (1.10.6-1ubuntu3.6+esm3)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
Patches:
upstream: https://gitlab.freedesktop.org/dbus/dbus/-/merge_requests/408

Severity score breakdown

Parameter Value
Base score 6.5
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H