From ${URL}:

Impact: denial of service (force system services to exit)
Access required: local
Versions affected by CVE-2014-3532: dbus >= 1.3.0 on Linux >= 2.6.37-rc4
Versions affected by CVE-2014-3533: dbus >= 1.3.0 on all Unix platforms

Alban Crequy at Collabora Ltd. discovered a bug in dbus-daemon's support for file descriptor passing. A malicious process could force system services or user applications to be disconnected from the D-Bus system bus by sending them a message containing a file descriptor, then causing that file descriptor to exceed the kernel's maximum recursion depth (itself introduced to fix a DoS) before dbus-daemon forwards the message to the victim process. Most services and applications exit when disconnected from the system bus, leading to a denial of service. This is tracked as fd.o#80163 and CVE-2014-3532.

Additionally, Alban discovered that bug fd.o#79694, a bug previously reported by Alejandro Martínez Suárez which was not believed to be a security flaw, could be used for a similar denial of service, by causing dbus-daemon to attempt to forward invalid file descriptors to a victim process when file descriptors become associated with the wrong message. Its security implications are tracked as fd.o#80469 and CVE-2014-3533.

For the 1.8.x stable branch, these vulnerabilities are fixed in version 1.8.6. For the 1.6.x old-stable branch, these vulnerabilities are fixed in version 1.6.22. All earlier versions of dbus with the file descriptor passing feature (1.3.0 and up) are believed to be vulnerable. Distributions that backport security fixes should backport git commits 07f4c12efe3b9bd45d109bc5fbaf6d9dbf69d78e and 9ca90648fc870c24d852ce6d7ce9387a9fc9a94a, attached.

References:
[fd.o#79694] https://bugs.freedesktop.org/show_bug.cgi?id=79694
[fd.o#80469] https://bugs.freedesktop.org/show_bug.cgi?id=80469
[fd.o#80163] https://bugs.freedesktop.org/show_bug.cgi?id=80163

Regards,
S
Please, test and stabilize: =sys-apps/dbus-1.8.6
amd64 stable
Stable for HPPA.
x86 stable
alpha stable
ppc stable
ppc64 stable
ia64 stable
arm stable
sparc stable.

Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
Arches, thank you for your work.

Maintainer(s), please drop the vulnerable version(s).

New GLSA request filed.
CVE-2014-3533 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3533): dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.

CVE-2014-3532 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3532): dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.
Maintainer(s), thank you for the cleanup!
This issue was resolved and addressed in GLSA 201412-12 at http://security.gentoo.org/glsa/glsa-201412-12.xml by GLSA coordinator Mikle Kolyada (Zlogene).