| Summary: | <sys-apps/dbus-1.8.6: two local DoS vulnerabilities in dbus-daemon (CVE-2014-{3532,3533}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | freedesktop-bugs |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://seclists.org/oss-sec/2014/q3/4 | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Kristian Fiskerstrand (RETIRED)
2014-07-02 16:13:53 UTC
Please, test and stabilize: =sys-apps/dbus-1.8.6

amd64 stable. Stable for HPPA. x86 stable. alpha stable. ppc stable. ppc64 stable. ia64 stable. arm stable. sparc stable.

Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.

Arches, thank you for your work. Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.

CVE-2014-3533 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3533): dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.

CVE-2014-3532 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3532): dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.

Maintainer(s), thank you for cleanup!

This issue was resolved and addressed in GLSA 201412-12 at http://security.gentoo.org/glsa/glsa-201412-12.xml by GLSA coordinator Mikle Kolyada (Zlogene).
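An added version check (example code written for this page, not part of the bug report, the GLSA or the dbus project) that encodes the two affected ranges exactly as the CVE text above states them, next to the broader Gentoo criterion from the summary line (everything below sys-apps/dbus-1.8.6). The parser accepts plain and Gentoo-style version strings such as "1.6.18-r1"; the function names are this example's own.

```python
"""Classify a dbus version against the ranges quoted in CVE-2014-3532/3533."""
import re

# Ranges as worded in the NVD text on this page: "1.3.0 before 1.6.22"
# and "1.8.x before 1.8.6". Each entry is a half-open [low, high) interval.
CVE_AFFECTED_RANGES = (
    ((1, 3, 0), (1, 6, 22)),
    ((1, 8, 0), (1, 8, 6)),
)
CVES = ("CVE-2014-3532", "CVE-2014-3533")
FIXED_VERSION = (1, 8, 6)  # from the bug summary "<sys-apps/dbus-1.8.6"


def parse_version(text):
    """Extract the first x.y.z triple from '1.8.6', 'dbus-1.6.18-r1', etc."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def affected_per_cve_text(version_text):
    """True if the version lies inside a range the CVE descriptions name."""
    version = parse_version(version_text)
    return any(low <= version < high for low, high in CVE_AFFECTED_RANGES)


def below_gentoo_fixed_version(version_text):
    """True if the version is older than the package Gentoo stabilised."""
    return parse_version(version_text) < FIXED_VERSION


def assess(version_text):
    """Return a short verdict a triage note could quote for one host."""
    if affected_per_cve_text(version_text):
        return f"{version_text}: affected by {', '.join(CVES)}; upgrade to >=1.8.6"
    if below_gentoo_fixed_version(version_text):
        # e.g. 1.7.x: outside the literal CVE wording but still <1.8.6,
        # so the GLSA criterion treats it as needing the upgrade.
        return f"{version_text}: below 1.8.6, upgrade per GLSA 201412-12"
    return f"{version_text}: not in an affected range"


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ("1.6.18-r1", "1.8.5", "1.7.0", "1.8.6", "1.2.24"):
        print(assess(sample))
```

The split between the two predicates is deliberate: the CVE wording and the distribution's "<1.8.6" criterion disagree on 1.7.x, so a scanner should report which rule it applied.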