CVE-2015-0245

Priority
Medium
Description
D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x
before 1.9.10 does not validate the source of ActivationFailure signals,
which allows local users to cause a denial of service (activation failure
error returned) by leveraging a race condition involving sending an
ActivationFailure signal before systemd responds.
References
Bugs
Notes
 sarnold> The policy change is recommended for stable use, though the
  code-based changes were made for platforms where uid==0 may not be
  omnipotent -- we should probably use both in our packages, or at least
  both for the versions with distro-patched AppArmor support.
Assigned-to
mdeslaur
Package
Source: dbus (LP Ubuntu Debian)
Upstream:released (1.8.16-1)
Ubuntu 17.10 (Artful Aardvark):not-affected (1.10.6-1ubuntu3)
Ubuntu 12.04 ESM (Precise Pangolin):released (1.4.18-1ubuntu1.8)
Ubuntu 14.04 LTS (Trusty Tahr):released (1.6.18-0ubuntu4.4)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (1.10.6-1ubuntu3)
Ubuntu 17.04 (Zesty Zapus):not-affected (1.10.6-1ubuntu3)
Patches:
Upstream:http://cgit.freedesktop.org/dbus/dbus/commit/?id=6dbd09fedc396c53b25ea73c6c8a278beca349c7 (via policy)
Upstream:http://cgit.freedesktop.org/dbus/dbus/commit/?id=aaea59916398d1c590490edb0471a01bcf20e6d7 (via code, p1)
Upstream:http://cgit.freedesktop.org/dbus/dbus/commit/?id=03c5e161752fe1ff4925955800ca9c78d09a6e0c (via code, p2)
Upstream:http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=6dbd09fedc396c53b25ea73c6c8a278beca349c7 (1.8)
Upstream:http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.6&id=f9697e04f1c9871cb54a99f087e97e4bb9e41e06 (1.6)
More Information

Updated: 2017-10-17 19:14:09 UTC (commit 13537)