Bug 512940 (CVE-2014-3477) - <sys-apps/dbus-1.8.4: local DoS in dbus-daemon (CVE-2014-3477)
Summary: <sys-apps/dbus-1.8.4: local DoS in dbus-daemon (CVE-2014-3477)
Alias: CVE-2014-3477
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Duplicates: 513698
Depends on:
Reported: 2014-06-11 08:03 UTC by Agostino Sarubbo
Modified: 2014-12-13 15:14 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-06-11 08:03:03 UTC
From ${URL} :

D-Bus <> is an
asynchronous inter-process communication system, commonly used
for system services or within a desktop session on Linux and other
operating systems.

Alban Crequy at Collabora Ltd. discovered and fixed a denial-of-service
flaw in dbus-daemon, part of the reference implementation of D-Bus.
Additionally, in highly unusual environments the same flaw could lead to
a side channel between processes that should not be able to communicate.

On the stable branch, this is fixed in version 1.8.4:

On the previous stable branch, this is fixed in version 1.6.20:

Distributions supporting other versions should base their changes on
this commit:


If a client C1 is prohibited from sending a message to a service S1, and
S1 is not currently running, then C1 can attempt to send a message to
S1's well-known bus name, causing dbus-daemon to start S1 [1]. When S1
has started and obtained its well-known bus name, the dbus-daemon
evaluates its security policy, decides that it will not deliver the
message to S1, and constructs an AccessDenied error. However, instead of
sending that AccessDenied error reply to C1 as a reply to the denied
message, dbus-daemon incorrectly sends it to S1 as a reply to the
request to obtain its well-known bus name.

Impact A: denial of service. S1 will fail to initialize, and exit,
denying service to legitimate clients of S1.

Impact B: side channel. In environments where C1 and S1 are untrusted
and are administratively prohibited from communicating, S1 could also
use these incorrectly-directed error messages as a side channel to
receive information from C1.


Impact A: if a legitimate client was actively using S1, S1 would already
have been started, so C1 can only deny service to a legitimate client
that only recently became active.

Impact B: in practice processes sharing a system bus can typically
communicate in other ways (non-D-Bus IPC mechanisms, files in /tmp,
etc.), so impact B is not relevant on normal systems. It might be
relevant on systems where an LSM such as SELinux is used in a highly
restrictive configuration.


[1] This is perhaps unexpected, but the dbus-daemon is behaving as
designed: it cannot necessarily evaluate which security policies it
should apply to S1 until S1 has actually connected back to dbus-daemon,
because S1 might change its uid, SELinux context, etc. during startup.
The conceptual model is that activatable services are always running,
and that the dbus-daemon delaying their startup until they are actually
needed is a form of lazy evaluation. As such, the D-Bus maintainers do
not consider this to be a bug or vulnerability.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
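The reply-routing mistake the advisory describes, as an added model. This is not code from the bug report and not dbus-daemon's own implementation: the bus, its policy table and the activated service are simplified stand-ins built from the advisory text. Message field names (serial, reply_serial, sender, destination) follow the D-Bus wire format; the unique names ":1.7" and ":1.8", the bus name "com.example.S1", the "Ping" method and the ordering of the RequestName reply relative to queued traffic are constructed assumptions. Calling `run_scenario(False)` shows S1 receiving the AccessDenied error addressed to its own RequestName call (so it fails to initialise) while C1 gets nothing; `run_scenario(True)` shows the corrected routing.

```python
"""Model of CVE-2014-3477: AccessDenied sent to the activated service
instead of the denied client.  Added illustration, not dbus-daemon code."""
from dataclasses import dataclass, field

ACCESS_DENIED = "org.freedesktop.DBus.Error.AccessDenied"
BUS_NAME = "org.freedesktop.DBus"


@dataclass
class Message:
    serial: int
    sender: str
    destination: str
    member: str             # method name, or the error name when is_error
    reply_serial: int = 0   # serial of the call this message answers (0 for calls)
    is_error: bool = False


@dataclass
class Connection:
    unique: str             # unique bus name such as ":1.7" (constructed)
    inbox: list = field(default_factory=list)
    next_serial: int = 1

    def call(self, destination, member):
        m = Message(self.next_serial, self.unique, destination, member)
        self.next_serial += 1
        return m

    def reply_to(self, serial):
        """First reply or error answering this connection's call `serial`, or None."""
        return next((m for m in self.inbox if m.reply_serial == serial), None)


class Bus:
    def __init__(self, deny, activatable, fixed):
        self.deny = set(deny)            # (sender unique name, bus name) pairs the policy refuses
        self.activatable = activatable   # bus name -> factory for the not-yet-running service
        self.fixed = fixed               # False models pre-1.8.4, True models the 1.8.4 fix
        self.conns, self.owners, self.pending, self.activation_calls = {}, {}, {}, {}
        self.bus_serial = 1

    def attach(self, conn):
        self.conns[conn.unique] = conn

    def _bus_message(self, destination, member, reply_serial, is_error=False):
        m = Message(self.bus_serial, BUS_NAME, destination, member, reply_serial, is_error)
        self.bus_serial += 1
        return m

    def send(self, msg):
        name = msg.destination
        if name in self.owners:
            self._check_and_deliver(msg, name, activation_serial=None)
        elif name in self.activatable:
            # Policy cannot be evaluated yet: S1's uid / LSM context is unknown
            # until it connects back, so the message is queued and S1 is started.
            self.pending.setdefault(name, []).append(msg)
            if len(self.pending[name]) == 1:
                self._activate(name)
        else:
            raise KeyError(f"no owner and no activation entry for {name}")

    def _activate(self, name):
        svc = self.activatable[name]()
        self.attach(svc)
        req = svc.call(BUS_NAME, "RequestName")     # S1 claims its well-known name
        self.owners[name], self.activation_calls[name] = svc, req
        for queued in self.pending.pop(name, []):
            self._check_and_deliver(queued, name, activation_serial=req.serial)
        # Assumed ordering: the RequestName success reply follows the queued traffic.
        svc.inbox.append(self._bus_message(svc.unique, "RequestName", req.serial))

    def _check_and_deliver(self, msg, name, activation_serial):
        owner = self.owners[name]
        if (msg.sender, name) not in self.deny:
            owner.inbox.append(msg)
        elif self.fixed or activation_serial is None:
            # Correct: the error answers the denied message and goes back to its sender.
            err = self._bus_message(msg.sender, ACCESS_DENIED, msg.serial, is_error=True)
            self.conns[msg.sender].inbox.append(err)
        else:
            # The bug: the error is addressed to S1 as a reply to its RequestName call.
            err = self._bus_message(owner.unique, ACCESS_DENIED, activation_serial, is_error=True)
            owner.inbox.append(err)


def run_scenario(fixed):
    """C1 (":1.7") is denied by policy from reaching com.example.S1, which is
    activatable but not running; returns what each side observes."""
    c1 = Connection(":1.7")
    bus = Bus(deny={(":1.7", "com.example.S1")},
              activatable={"com.example.S1": lambda: Connection(":1.8")},
              fixed=fixed)
    bus.attach(c1)
    ping = c1.call("com.example.S1", "Ping")
    bus.send(ping)
    s1 = bus.owners["com.example.S1"]
    s1_reply = s1.reply_to(bus.activation_calls["com.example.S1"].serial)
    c1_reply = c1.reply_to(ping.serial)
    return {
        # an error reply to RequestName makes S1 treat initialisation as failed and exit (impact A)
        "s1_initialised": not s1_reply.is_error,
        # S1 observing an error it did not cause is the side channel (impact B)
        "s1_saw_access_denied": any(m.member == ACCESS_DENIED for m in s1.inbox),
        "c1_got_access_denied": c1_reply is not None and c1_reply.member == ACCESS_DENIED,
        "s1_received_ping": any(m.member == "Ping" for m in s1.inbox),
    }
```

In neither mode does the denied "Ping" reach S1; the policy decision itself was always right, and the fix only changes who the resulting error is addressed to. The model also shows why a service that was already running is unaffected: the misrouted branch is only reachable when the policy check happens during activation.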
Comment 1 Agostino Sarubbo gentoo-dev 2014-06-18 16:24:28 UTC
*** Bug 513698 has been marked as a duplicate of this bug. ***
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-18 18:37:21 UTC
Arches, please stabilize: 

Targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-18 18:48:16 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-06-19 20:46:55 UTC
Who is Kristian Fiskerstrand?
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2014-06-19 20:57:07 UTC
(In reply to Jeroen Roovers from comment #4)
> Who is Kristian Fiskerstrand?
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-06-20 00:56:41 UTC
(In reply to Jeroen Roovers from comment #4)
> Who is Kristian Fiskerstrand?

He is also going through the padawan process on the security team now.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-06-20 13:16:44 UTC
(In reply to Yury German from comment #6)
> (In reply to Jeroen Roovers from comment #4)
> > Who is Kristian Fiskerstrand?
> He is also going through the padawan process on the security team now.

You should update the Project:Security wiki page then.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2014-06-20 13:17:09 UTC
Stable for HPPA.
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2014-06-23 15:38:34 UTC
x86 stable
Comment 10 Markus Meier gentoo-dev 2014-06-24 19:15:20 UTC
arm stable
Comment 11 Samuli Suominen (RETIRED) gentoo-dev 2014-07-03 16:43:35 UTC
The stabilization will continue in bug 516080 for 1.8.6
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-07-04 02:46:15 UTC
CVE-2014-3477 (
  The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x
  before 1.8.4, sends an AccessDenied error to the service instead of a client
  when the client is prohibited from accessing the service, which allows local
  users to cause a denial of service (initialization failure and exit) or
  possibly conduct a side-channel attack via a D-Bus message to an inactive
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-07-06 15:09:07 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2014-08-01 03:46:54 UTC
Maintainer(s), Thank you for cleanup!
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 15:14:29 UTC
This issue was resolved and addressed in
 GLSA 201412-12 at
by GLSA coordinator Mikle Kolyada (Zlogene).