Security Information / 2015 / Security Information -- DSA-3161-1 dbus

Debian Security Advisory

DSA-3161-1 dbus -- security update

Date Reported:

11 Feb 2015

Affected Packages:

dbus

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 777545.
In Mitre's CVE dictionary: CVE-2015-0245.

More information:

Simon McVittie discovered a local denial of service flaw in dbus, an asynchronous inter-process communication system. On systems with systemd-style service activation, dbus-daemon does not prevent forged ActivationFailure messages from non-root processes. A malicious local user could use this flaw to trick dbus-daemon into thinking that systemd failed to activate a system service, resulting in an error reply back to the requester.

For the stable distribution (wheezy), this problem has been fixed in version 1.6.8-1+deb7u6.

For the unstable distribution (sid), this problem has been fixed in version 1.8.16-1.

We recommend that you upgrade your dbus packages.