CVE-2014-3477

Priority
Medium
Description
The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and
1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a
client when the client is prohibited from accessing the service, which
allows local users to cause a denial of service (initialization failure and
exit) or possibly conduct a side-channel attack via a D-Bus message to an
inactive service.
References
Bugs
Notes
mdeslaur> we will not be backporting this fix to lucid as the impact is
mdeslaur> not important and dbus is unlikely to be used on servers.
Assigned-to
mdeslaur
Package
Source: dbus (LP Ubuntu Debian)
Upstream:released (1.8.4-1,1.6.20)
Ubuntu 10.04 LTS (Lucid Lynx):ignored
Ubuntu 12.04 LTS (Precise Pangolin):released (1.4.18-1ubuntu1.5)
Ubuntu 13.10 (Saucy Salamander):released (1.6.12-0ubuntu10.1)
Ubuntu 14.04 LTS (Trusty Tahr):released (1.6.18-0ubuntu4.1)
Ubuntu 14.10 (Utopic Unicorn):released (1.6.18-0ubuntu9)
Patches:
Upstream:http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=24c590703ca47eb71ddef453de43126b90954567 (1.8)
Upstream:http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.6&id=cab1c56bb9d70469128d2ae1c40539c0d3b30f13 (1.6)
Upstream:http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.4&id=4815aba0d3695afe871e9002ba474ce36c5299b4 (1.4)
Upstream:http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=72a8759c224ec37b75a7631c7d90ce266a4bf3bd (1.2)
More Information

Valid XHTML 1.0 Strict

Updated: 2014-07-10 00:14:20 UTC (commit 8222)