Summary: | <sys-apps/dbus-1.8.4: local DoS in dbus-daemon (CVE-2014-3477) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | freedesktop-bugs |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2014/06/10/2 | ||
Whiteboard: | A3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-06-11 08:03:03 UTC
*** Bug 513698 has been marked as a duplicate of this bug. ***

Arches, please stabilize:
=sys-apps/dbus-1.8.4
Targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

amd64 stable

Who is Kristian Fiskerstrand?

(In reply to Jeroen Roovers from comment #4)
> Who is Kristian Fiskerstrand?

https://bugs.gentoo.org/show_bug.cgi?id=K_F

(In reply to Jeroen Roovers from comment #4)
> Who is Kristian Fiskerstrand?

He is also going through the padawan process on the security team now.

(In reply to Yury German from comment #6)
> (In reply to Jeroen Roovers from comment #4)
> > Who is Kristian Fiskerstrand?
>
> He is also going through the padawan process on the security team now.

You should update the Project:Security wiki page then.

Stable for HPPA.

x86 stable

arm stable

The stabilization will continue in bug 516080 for 1.8.6

CVE-2014-3477 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3477):
The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.

Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).
New GLSA Request filed.

Maintainer(s), Thank you for cleanup!

This issue was resolved and addressed in GLSA 201412-12 at http://security.gentoo.org/glsa/glsa-201412-12.xml by GLSA coordinator Mikle Kolyada (Zlogene).