CVE-2015-0245 in Ubuntu

CVE-2015-0245

Priority

Description

D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x
before 1.9.10 does not validate the source of ActivationFailure signals,
which allows local users to cause a denial of service (activation failure
error returned) by leveraging a race condition involving sending an
ActivationFailure signal before systemd responds.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0245
http://www.openwall.com/lists/oss-security/2015/02/09/6
https://ubuntu.com/security/notices/USN-3116-1

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777545

Assigned-to

mdeslaur

Notes

seth-arnold

The policy change is recommended for stable use, though the
code-based changes were made for platforms where uid==0 may not be
omnipotent -- we should probably use both in our packages, or at least
both for the versions with distro-patched AppArmor support.

Package

Source: dbus (LP Ubuntu Debian)

Upstream:	released (1.8.16-1)
Ubuntu 16.04 ESM (Xenial Xerus):	not-affected (1.10.6-1ubuntu3)
Ubuntu 14.04 ESM (Trusty Tahr):	released (1.6.18-0ubuntu4.4)
Ubuntu 20.04 FIPS Compliant (Focal Fossa):	not-affected (1.10.6-1ubuntu3)

Patches:

Upstream:	(via
Upstream:	(via
Upstream:	(via
Upstream:	http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=6dbd09fedc396c53b25ea73c6c8a278beca349c7 (1.8)
Upstream:	http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.6&id=f9697e04f1c9871cb54a99f087e97e4bb9e41e06 (1.6)

More Information

Updated: 2022-02-11 00:53:43 UTC (commit acb3d89ab51f1d5e5543fa993969c0eb13c71f04)