+The "smashy smashy egg man" release.
+• Do not accept an extra fd in the padding of a cmsg message, which
+ could lead to a 4-byte heap buffer overrun.
+ (CVE-2014-3635, fd.o #83622; Simon McVittie)
+• Reduce default for maximum Unix file descriptors passed per message
+ from 1024 to 16, preventing a uid with the default maximum number of
+ connections from exhausting the system bus' file descriptors under
+ Linux's default rlimit. Distributors or system administrators with a
+ more restrictive fd limit may wish to reduce these limits further.
+ Additionally, on Linux this prevents a second denial of service
+ in which the dbus-daemon can be made to exceed the maximum number
+ of fds per sendmsg() and disconnect the process that would have
+ received them.
+ (CVE-2014-3636, fd.o #82820; Alban Crequy)
+• Disconnect connections that still have a fd pending unmarshalling after
+ a new configurable limit, pending_fd_timeout (defaulting to 150 seconds),
+ removing the possibility of creating an abusive connection that cannot be
+ disconnected by setting up a circular reference to a connection's
+ file descriptor.
+ (CVE-2014-3637, fd.o #80559; Alban Crequy)
+• Reduce default for maximum pending replies per connection from 8192 to 128,
+ mitigating an algorithmic complexity denial-of-service attack
+ (CVE-2014-3638, fd.o #81053; Alban Crequy)
+• Reduce default for authentication timeout on the system bus from
+ 30 seconds to 5 seconds, avoiding denial of service by using up
+ all unauthenticated connection slots; and when all unauthenticated
+ connection slots are used up, make new connection attempts block
+ instead of disconnecting them.
+ (CVE-2014-3639, fd.o #80919; Alban Crequy)
Please test and stabilize:
=sys-apps/dbus-1.8.8 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not
properly close old connections, which allows local users to cause a denial
of service (incomplete connection consumption and prevention of new
connections) via a large number of incomplete connections.
The bus_connections_check_reply function in config-parser.c in D-Bus before
1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of
service (CPU consumption) via a large number of method calls.
D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not
properly close connections for processes that have terminated, which allows
local users to cause a denial of service via a D-bus message containing a
D-Bus connection file descriptor.
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before
1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is
set to an odd number, allows remote attackers to cause a denial of service
(dbus-daemon crash) or possibly execute arbitrary code by sending one more
file descriptor than the limit, which triggers a heap-based buffer overflow
or an assertion failure.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Added to existing glsa draft.
This issue was resolved and addressed in
GLSA 201412-12 at http://security.gentoo.org/glsa/glsa-201412-12.xml
by GLSA coordinator Mikle Kolyada (Zlogene).