From ${URL} :

Bug tracked as: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Versions affected: dbus >= 1.4.0
Mitigated in: dbus >= 1.9.10, 1.8.x >= 1.8.16, 1.6.x >= 1.6.30
Fixed in: dbus >= 1.11.6, 1.10.x >= 1.10.12, 1.8.x >= 1.8.22
Exploitable by: local users
Impact: unknown, possibly arbitrary code execution
Reporter: Simon McVittie, Collabora Ltd.

D-Bus <http://www.freedesktop.org/wiki/Software/dbus/> is an asynchronous inter-process communication system, commonly used for system services or within a desktop session on Linux and other operating systems.

A format string vulnerability in the reference bus implementation, dbus-daemon, could potentially allow local users to cause arbitrary code execution or denial of service.

In versions of dbus-daemon that are also vulnerable to CVE-2015-0245, this format string vulnerability is available to all local users. These versions should be patched or updated immediately.

In versions of dbus-daemon where CVE-2015-0245 was already fixed, this is not believed to be exploitable in practice, because the relevant message is ignored unless it comes from the owner of the bus name org.freedesktop.systemd1. On the system bus, this bus name is only allowed to be owned by uid 0; it is intended to be owned by systemd, and no mechanism is currently known by which an attacker who does not already have root privileges could induce systemd to send messages that would trigger the format string vulnerability. Patching or updating dbus-daemon is strongly recommended.

A minimal patch is attached to this advisory.

Please reference fd.o #98157 or <https://bugs.freedesktop.org/show_bug.cgi?id=98157> in any notices that refer to this vulnerability.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
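The bug class the advisory describes, as an added example that is not dbus-daemon's code: a hypothetical bus logger (bus_log, bus_log_unsafe and bus_log_safe are invented names) that receives peer-supplied text as its format string, beside the fixed form, plus a small review helper that counts the %-directives such a string would carry into the logger.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* printf-style logging sink of the kind a bus daemon has (hypothetical name) */
static int bus_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: bus-supplied text is the logger's FORMAT, so its %-directives
 * are interpreted with no matching arguments (undefined behaviour): the bug
 * class in the advisory. Kept only for contrast; never called. */
static int bus_log_unsafe(char *out, size_t outlen, const char *peer_msg)
{
    return bus_log(out, outlen, peer_msg);
}

/* FIXED: the format is a literal; the untrusted text is only an argument. */
static int bus_log_safe(char *out, size_t outlen, const char *peer_msg)
{
    return bus_log(out, outlen, "%s", peer_msg);
}

/* Review aid: count %-directives (ignoring literal %%) in a string headed
 * for a format parameter; >0 means the unsafe path would interpret it. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%' && s[1] == '%')
            s++;            /* "%%" is a literal percent sign */
        else if (*s == '%')
            n++;
    }
    return n;
}

int main(void)
{
    char buf[256];
    const char *msg = "Activation failed: %s %n %x"; /* constructed sample */
    bus_log_safe(buf, sizeof buf, msg);
    printf("logged: %s (directives: %d)\n", buf, count_format_directives(msg));
    return 0;
}
```

Building with -Wformat-security (or -Werror=format-security) flags the bus_log_unsafe pattern only when the logger carries a format attribute, which is why a wrapper like bus_log should declare one.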
commit f88bce681f1945fed09ba3bee25f0dd7e7596e63
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Oct 11 07:00:57 2016

    sys-apps/dbus: Security bump to versions 1.8.22 and 1.10.12 (bug #596772).

    Package-Manager: portage-2.3.1
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Arches please test and mark stable =sys-apps/dbus-1.10.12 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x86-solaris
Stable for HPPA PPC64.
Stable on alpha.
amd64 stable
x86 stable
arm stable
sparc stable
ia64 stable
ppc stable. Maintainer(s), please clean up.
New GLSA request filed. Cleanup PR: https://github.com/gentoo/gentoo/pull/3396
This issue was resolved and addressed in GLSA 201701-20 at https://security.gentoo.org/glsa/201701-20 by GLSA coordinator Aaron Bauman (b-man).
reopening for cleanup
tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63175c0fd94354726fb5893195ab5d773d6f6f05