CVE-2014-3477
Published: 1 July 2014
The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.
Notes
| Author | Note |
|---|---|
| mdeslaur | we will not be backporting this fix to lucid as the impact is not important and dbus is unlikely to be used on servers. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
dbus Launchpad, Ubuntu, Debian |
lucid |
Ignored
|
| precise |
Released
(1.4.18-1ubuntu1.5)
|
|
| saucy |
Released
(1.6.12-0ubuntu10.1)
|
|
| trusty |
Released
(1.6.18-0ubuntu4.1)
|
|
| upstream |
Released
(1.8.4-1,1.6.20)
|
|
|
Patches: upstream: http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=24c590703ca47eb71ddef453de43126b90954567 upstream: http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.6&id=cab1c56bb9d70469128d2ae1c40539c0d3b30f13 upstream: http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.4&id=4815aba0d3695afe871e9002ba474ce36c5299b4 upstream: http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=72a8759c224ec37b75a7631c7d90ce266a4bf3bd |
||