CVE-2014-3477

Priority
Medium
Description
The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and
1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a
client when the client is prohibited from accessing the service, which
allows local users to cause a denial of service (initialization failure and
exit) or possibly conduct a side-channel attack via a D-Bus message to an
inactive service.
References
Bugs
Notes
 mdeslaur> we will not be backporting this fix to lucid as the impact is
 mdeslaur> not important and dbus is unlikely to be used on servers.
Assigned-to
mdeslaur
Package
Source: dbus (LP Ubuntu Debian)
Upstream:released (1.8.4-1,1.6.20)
Ubuntu 12.04 LTS (Precise Pangolin):released (1.4.18-1ubuntu1.5)
Ubuntu 14.04 LTS (Trusty Tahr):released (1.6.18-0ubuntu4.1)
Patches:
Upstream:http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=24c590703ca47eb71ddef453de43126b90954567 (1.8)
Upstream:http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.6&id=cab1c56bb9d70469128d2ae1c40539c0d3b30f13 (1.6)
Upstream:http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.4&id=4815aba0d3695afe871e9002ba474ce36c5299b4 (1.4)
Upstream:http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=72a8759c224ec37b75a7631c7d90ce266a4bf3bd (1.2)
More Information

Valid XHTML 1.0 Strict

Updated: 2015-07-29 20:42:34 UTC (commit 9756)