From ${URL} : CVE: CVE-2014-7824 Tracked as: https://bugs.freedesktop.org/show_bug.cgi?id=85105 Impact: local denial of service Access required: local Versions believed to be vulnerable: dbus >= 1.3.0 Fixed in: dbus 1.6.x >= 1.6.26, 1.8.x >= 1.8.10, all versions >= 1.9.2 Credit: discovered by Simon McVittie at Collabora Ltd. D-Bus <http://www.freedesktop.org/wiki/Software/dbus/> is an asynchronous inter-process communication system, commonly used for system services or within a desktop session on Linux and other operating systems. The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on incorrect reasoning, and does not fully prevent the attack described as "CVE-2014-3636 part A", which is repeated below. Preventing that attack requires raising the system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a higher value. CVE-2014-7824 has been allocated for this vulnerability. To avoid propagating that higher limit to activatable system services, it is desirable to start the system dbus-daemon as root so it can store its previous limit, raise its limit, drop root privileges (which its default configuration will do automatically), and restore the previous limit before launching activatable services. Some operating system distributions, such as anything using the upstream-supplied systemd units, start the system dbus-daemon as root already; others, such as Debian 7, currently start the system dbus-daemon under its less privileged uid and will need minor modifications to their init scripts. This is fixed in dbus 1.6.26, 1.8.10 and 1.9.2, released today. The patch used in 1.8.x and 1.9.x is attached; it applies to 1.6.x with trivial adjustments. Older versions are no longer security-supported by the D-Bus maintainers, but any distributions needing those versions are invited to share backported security fixes in the appropriate upstream branches (dbus-1.4, etc.). Attack details (repeating CVE-2014-3636 part A): By queuing up the maximum allowed number of fds, a malicious sender could reach the system dbus-daemon's RLIMIT_NOFILE (ulimit -n, typically 1024 on Linux). This would act as a denial of service in two ways: * new clients would be unable to connect to the dbus-daemon * when receiving a subsequent message from a non-malicious client that contained a fd, dbus-daemon would receive the MSG_CTRUNC flag, indicating that the list of fds was truncated; kernel fd-passing APIs do not provide any way to recover from that, so dbus-daemon responds to MSG_CTRUNC by disconnecting the sender, causing denial of service to that sender @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
1.8.10 in tree with http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=4e466446d27f1a3991c22307a47a81c9e93e530d as only change over 1.8.8, looks like the commit we want for this bug please test and stabilize: =sys-apps/dbus-1.8.10
Stable for HPPA.
amd64 stable
x86 stable
arm stable
Stable on alpha.
ia64 stable
ppc64 stable
sparc stable
ppc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Added to existing glsa draft.
This issue was resolved and addressed in GLSA 201412-12 at http://security.gentoo.org/glsa/glsa-201412-12.xml by GLSA coordinator Mikle Kolyada (Zlogene).
CVE-2014-7824 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7824): D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1.
