ID CVE-2014-3638
Summary The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.
References
Vulnerable Configurations
  • D-Bus Project D-Bus 1.6.0
    cpe:2.3:a:d-bus_project:d-bus:1.6.0
  • D-Bus Project D-Bus 1.6.2
    cpe:2.3:a:d-bus_project:d-bus:1.6.2
  • D-Bus Project D-Bus 1.6.4
    cpe:2.3:a:d-bus_project:d-bus:1.6.4
  • D-Bus Project D-Bus 1.6.6
    cpe:2.3:a:d-bus_project:d-bus:1.6.6
  • D-Bus Project D-Bus 1.6.8
    cpe:2.3:a:d-bus_project:d-bus:1.6.8
  • D-Bus Project D-Bus 1.6.10
    cpe:2.3:a:d-bus_project:d-bus:1.6.10
  • D-Bus Project D-Bus 1.6.12
    cpe:2.3:a:d-bus_project:d-bus:1.6.12
  • D-Bus Project D-Bus 1.6.14
    cpe:2.3:a:d-bus_project:d-bus:1.6.14
  • D-Bus Project D-Bus 1.6.16
    cpe:2.3:a:d-bus_project:d-bus:1.6.16
  • D-Bus Project D-Bus 1.6.18
    cpe:2.3:a:d-bus_project:d-bus:1.6.18
  • D-Bus Project D-Bus 1.6.20
    cpe:2.3:a:d-bus_project:d-bus:1.6.20
  • D-Bus Project D-Bus 1.6.22
    cpe:2.3:a:d-bus_project:d-bus:1.6.22
  • D-Bus Project D-Bus 1.8.0
    cpe:2.3:a:d-bus_project:d-bus:1.8.0
  • D-Bus Project D-Bus 1.8.2
    cpe:2.3:a:d-bus_project:d-bus:1.8.2
  • D-Bus Project D-Bus 1.8.4
    cpe:2.3:a:d-bus_project:d-bus:1.8.4
  • D-Bus Project D-Bus 1.8.6
    cpe:2.3:a:d-bus_project:d-bus:1.8.6
  • OpenSUSE 12.3
    cpe:2.3:o:opensuse:opensuse:12.3
CVSS
Base: 2.1 (as of 01-06-2016 - 15:16)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_DBUS-1-140916.NASL
    description Various denial of service issues were fixed in the DBUS service. - dbus-daemon tracks whether method call messages expect a reply, so that unsolicited replies can be dropped. As currently implemented, if there are n parallel method calls in progress, each method reply takes O(n) CPU time. A malicious user could exploit this by opening the maximum allowed number of parallel connections and sending the maximum number of parallel method calls on each one, causing subsequent method calls to be unreasonably slow, a denial of service. (CVE-2014-3638) - dbus-daemon allows a small number of 'incomplete' connections (64 by default) whose identity has not yet been confirmed. When this limit has been reached, subsequent connections are dropped. Alban's testing indicates that one malicious process that makes repeated connection attempts, but never completes the authentication handshake and instead waits for dbus-daemon to time out and disconnect it, can cause the majority of legitimate connection attempts to fail. (CVE-2014-3639)
    last seen 2019-02-21
    modified 2014-09-23
    plugin id 77755
    published 2014-09-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77755
    title SuSE 11.3 Security Update : dbus-1 (SAT Patch Number 9733)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2352-1.NASL
    description Simon McVittie discovered that DBus incorrectly handled the file descriptors message limit. A local attacker could use this issue to cause DBus to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3635) Alban Crequy discovered that DBus incorrectly handled a large number of file descriptor messages. A local attacker could use this issue to cause DBus to stop responding, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3636) Alban Crequy discovered that DBus incorrectly handled certain file descriptor messages. A local attacker could use this issue to cause DBus to maintain persistent connections, possibly resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3637) Alban Crequy discovered that DBus incorrectly handled a large number of parallel connections and parallel message calls. A local attacker could use this issue to cause DBus to consume resources, possibly resulting in a denial of service. (CVE-2014-3638) Alban Crequy discovered that DBus incorrectly handled incomplete connections. A local attacker could use this issue to cause DBus to fail legitimate connection attempts, resulting in a denial of service. (CVE-2014-3639). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 77809
    published 2014-09-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77809
    title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : dbus vulnerabilities (USN-2352-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3026.NASL
    description Alban Crequy and Simon McVittie discovered several vulnerabilities in the D-Bus message daemon. - CVE-2014-3635 On 64-bit platforms, file descriptor passing could be abused by local users to cause heap corruption in dbus-daemon, leading to a crash, or potentially to arbitrary code execution. - CVE-2014-3636 A denial-of-service vulnerability in dbus-daemon allowed local attackers to prevent new connections to dbus-daemon, or disconnect existing clients, by exhausting descriptor limits. - CVE-2014-3637 Malicious local users could create D-Bus connections to dbus-daemon which could not be terminated by killing the participating processes, resulting in a denial-of-service vulnerability. - CVE-2014-3638 dbus-daemon suffered from a denial-of-service vulnerability in the code which tracks which messages expect a reply, allowing local attackers to reduce the performance of dbus-daemon. - CVE-2014-3639 dbus-daemon did not properly reject malicious connections from local users, resulting in a denial-of-service vulnerability.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 77716
    published 2014-09-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77716
    title Debian DSA-3026-1 : dbus - security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-17595.NASL
    description - Update to 1.8.12\\r\\n* Fixes various CVE's Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-06-03
    plugin id 80323
    published 2015-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80323
    title Fedora 21 : mingw-dbus-1.8.12-1.fc21 (2014-17595)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-87.NASL
    description This updates fixes multiple (local) denial of services discovered by Alban Crequy and Simon McVittie. CVE-2014-3477 Fix a denial of service (failure to obtain bus name) in newly-activated system services that not all users are allowed to access. CVE-2014-3638 Reduce maximum number of pending replies per connection to avoid algorithmic complexity denial of service. CVE-2014-3639 The daemon now limits the number of unauthenticated connection slots so that malicious processes cannot prevent new connections to the system bus. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 82232
    published 2015-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82232
    title Debian DLA-87-1 : dbus security update
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL17256.NASL
    description The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 85932
    published 2015-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85932
    title F5 Networks BIG-IP : D-Bus vulnerability (SOL17256)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-558.NASL
    description DBUS-1 was upgraded to upstream release 1.8. This brings the version of dbus to the latest stable release from an unstable snapshot 1.7.4 that is know to have several regressions - Upstream changes since 1.7.4 : + Security fixes : - Do not accept an extra fd in the padding of a cmsg message, which could lead to a 4-byte heap buffer overrun. (CVE-2014-3635, fdo#83622; Simon McVittie) - Reduce default for maximum Unix file descriptors passed per message from 1024 to 16, preventing a uid with the default maximum number of connections from exhausting the system bus' file descriptors under Linux's default rlimit. Distributors or system administrators with a restrictive fd limit may wish to reduce these limits further. Additionally, on Linux this prevents a second denial of service in which the dbus-daemon can be made to exceed the maximum number of fds per sendmsg() and disconnect the process that would have received them. (CVE-2014-3636, fdo#82820; Alban Crequy) - Disconnect connections that still have a fd pending unmarshalling after a new configurable limit, pending_fd_timeout (defaulting to 150 seconds), removing the possibility of creating an abusive connection that cannot be disconnected by setting up a circular reference to a connection's file descriptor. (CVE-2014-3637, fdo#80559; Alban Crequy) - Reduce default for maximum pending replies per connection from 8192 to 128, mitigating an algorithmic complexity denial-of-service attack (CVE-2014-3638, fdo#81053; Alban Crequy) - Reduce default for authentication timeout on the system bus from 30 seconds to 5 seconds, avoiding denial of service by using up all unauthenticated connection slots; and when all unauthenticated connection slots are used up, make new connection attempts block instead of disconnecting them. (CVE-2014-3639, fdo#80919; Alban Crequy) - On Linux >0 2.6.37-rc4, if sendmsg() fails with ETOOMANYREFS, silently drop the message. This prevents an attack in which a malicious client can make dbus-daemon disconnect a system service, which is a local denial of service. (fdo#80163, CVE-2014-3532; Alban Crequy) - Track remaining Unix file descriptors correctly when more than one message in quick succession contains fds. This prevents another attack in which a malicious client can make dbus-daemon disconnect a system service. (fdo#79694, fdo#80469, CVE-2014-3533; Alejandro Martínez Suárez, Simon McVittie, Alban Crequy) - Alban Crequy at Collabora Ltd. discovered and fixed a denial-of-service flaw in dbus-daemon, part of the reference implementation of D-Bus. Additionally, in highly unusual environments the same flaw could lead to a side channel between processes that should not be able to communicate. (CVE-2014-3477, fdo#78979) + Other fixes and enhancements : - Check for libsystemd from systemd >= 209, falling back to the older separate libraries if not found (Umut Tezduyar Lindskog, Simon McVittie) - On Linux, use prctl() to disable core dumps from a test executable that deliberately raises SIGSEGV to test dbus-daemon's handling of that condition (fdo#83772, Simon McVittie) - Fix compilation with --enable-stats (fdo#81043, Gentoo #507232; Alban Crequy) - Improve documentation for running tests on Windows (fdo#41252, Ralf Habacker) - When dbus-launch --exit-with-session starts a dbus-daemon but then cannot attach to a session, kill the dbus-daemon as intended (fdo#74698, Роман Донченко ) - in the CMake build system, add some hints for Linux users cross-compiling Windows D-Bus binaries to be able to run tests under Wine (fdo#41252, Ralf Habacker) - add Documentation key to dbus.service (fdo#77447, Cameron Norman) - in 'dbus-uuidgen --ensure', try to copy systemd's /etc/machine-id to /var/lib/dbus/machine-id instead of generating an entirely new ID (fdo#77941, Simon McVittie) - if dbus-launch receives an X error very quickly, do not kill unrelated processes (fdo#74698, Роман Донченко ) - on Windows, allow up to 8K connections to the dbus-daemon, instead of the previous 64 (fdo#71297; Cristian Onet, Ralf Habacker) - cope with \r\n newlines in regression tests, since on Windows, dbus-daemon.exe uses text mode (fdo#75863, Руслан Ижбулато в) - Enhance the CMake build system to check for GLib and compile/run a subset of the regression tests (fdo#41252, fdo#73495; Ralf Habacker) - don't rely on va_copy(), use DBUS_VA_COPY() wrapper (fdo#72840, Ralf Habacker) - fix compilation of systemd journal support on older systemd versions where sd-journal.h doesn't include syslog.h (fdo#73455, Ralf Habacker) - fix compilation on older MSVC versions by including stdlib.h (fdo#73455, Ralf Habacker) - Allow to appear in an included configuration file (fdo#73475, Matt Hoosier) - If the tests crash with an assertion failure, they no longer default to blocking for a debugger to be attached. Set DBUS_BLOCK_ON_ABORT in the environment if you want the old behaviour. - To improve debuggability, the dbus-daemon and dbus-daemon-eavesdrop tests can be run with an external dbus-daemon by setting DBUS_TEST_DAEMON_ADDRESS in the environment. Test-cases that require an unusually-configured dbus-daemon are skipped. - don't require messages with no INTERFACE to be dispatched (fdo#68597, Simon McVittie) - document 'tcp:bind=...' and 'nonce-tcp:bind=...' (fdo#72301, Chengwei Yang) - define 'listenable' and 'connectable' addresses, and discuss the difference (fdo#61303, Simon McVittie) - support printing Unix file descriptors in dbus-send, dbus-monitor (fdo#70592, Robert Ancell) - don't install systemd units if --disable-systemd is given (fdo#71818, Chengwei Yang) - don't leak memory on out-of-memory while listing activatable or active services (fdo#71526, Radoslaw Pajak) - fix undefined behaviour in a regression test (fdo#69924, DreamNik) - escape Unix socket addresses correctly (fdo#46013, Chengwei Yang) - on SELinux systems, don't assume that SECCLASS_DBUS, DBUS__ACQUIRE_SVC and DBUS__SEND_MSG are numerically equal to their values in the reference policy (fdo#88719, osmond sun) - define PROCESS_QUERY_LIMITED_INFORMATION if missing from MinGW < 4 headers (fdo#71366, Matt Fischer) - define WIN32_LEAN_AND_MEAN to avoid conflicts between winsock.h and winsock2.h (fdo#71405, Matt Fischer) - do not return failure from _dbus_read_nonce() with no error set, preventing a potential crash (fdo#72298, Chengwei Yang) - on BSD systems, avoid some O(1)-per-process memory and fd leaks in kqueue, preventing test failures (fdo#69332, fdo#72213; Chengwei Yang) - fix warning spam on Hurd by not trying to set SO_REUSEADDR on Unix sockets, which doesn't do anything anyway on at least Linux and FreeBSD (fdo#69492, Simon McVittie) - fix use of TCP sockets on FreeBSD and Hurd by tolerating EINVAL from sendmsg() with SCM_CREDS (retrying with plain send()), and looking for credentials more correctly (fdo#69492, Simon McVittie) - ensure that tests run with a temporary XDG_RUNTIME_DIR to avoid getting mixed up in XDG/systemd 'user sessions' (fdo#61301, Simon McVittie) - refresh cached policy rules for existing connections when bus configuration changes (fdo#39463, Chengwei Yang) - If systemd support is enabled, libsystemd-journal is now required. - When activating a non-systemd service under systemd, annotate its stdout/stderr with its bus name in the Journal. Known limitation: because the socket is opened before forking, the process will still be logged as if it had dbus-daemon's process ID and user ID. (fdo#68559, Chengwei Yang) - Document more configuration elements in dbus-daemon(1) (fdo#69125, Chengwei Yang) - Don't leak string arrays or fds if dbus_message_iter_get_args_valist() unpacks them and then encounters an error (fdo#21259, Chengwei Yang) - If compiled with libaudit, retain CAP_AUDIT_WRITE so we can write disallowed method calls to the audit log, fixing a regression in 1.7.6 (fdo#49062, Colin Walters) - path_namespace='/' in match rules incorrectly matched nothing; it now matches everything. (fdo#70799, Simon McVittie) - Directory change notification via dnotify on Linux is no longer supported; it hadn't compiled successfully since 2010 in any case. If you don't have inotify (Linux) or kqueue (*BSD), you will need to send SIGHUP to the dbus-daemon when its configuration changes. (fdo#33001, Chengwei Yang) - Compiling with --disable-userdb-cache is no longer supported; it didn't work since at least 2008, and would lead to an extremely slow dbus-daemon even it worked. (fdo#15589, fdo#17133, fdo#66947; Chengwei Yang) - The DBUS_DISABLE_ASSERTS CMake option didn't actually disable most assertions. It has been renamed to DBUS_DISABLE_ASSERT to be consistent with the Autotools build system. (fdo#66142, Chengwei Yang) - --with-valgrind=auto enables Valgrind instrumentation if and only if valgrind headers are available. The default is still --with-valgrind=no. (fdo#56925, Simon McVittie) - Platforms with no 64-bit integer type are no longer supported. (fdo#65429, Simon McVittie) - GNU make is now (documented to be) required. (fdo#48277, Simon McVittie) - Full test coverage no longer requires dbus-glib, although the tests do not exercise the shared library (only a static copy) if dbus-glib is missing. (fdo#68852, Simon McVittie) - D-Bus Specification 0.22 - Document GetAdtAuditSessionData() and GetConnectionSELinuxSecurityContext() (fdo#54445, Simon) - Fix example .service file (fdo#66481, Chengwei Yang) - Don't claim D-Bus is 'low-latency' (lower than what?), just give factual statements about it supporting async use (fdo#65141, Justin Lee) - Document the contents of .service files, and the fact that system services' filenames are constrained (fdo#66608; Simon McVittie, Chengwei Yang) - Be thread-safe by default on all platforms, even if dbus_threads_init_default() has not been called. For compatibility with older libdbus, library users should continue to call dbus_threads_init_default(): it is harmless to do so. (fdo#54972, Simon McVittie) - Add GetConnectionCredentials() method (fdo#54445, Simon) - New API: dbus_setenv(), a simple wrapper around setenv(). Note that this is not thread-safe. (fdo#39196, Simon) - Add dbus-send --peer=ADDRESS (connect to a given peer-to-peer connection, like --address=ADDRESS in previous versions) and dbus-send --bus=ADDRESS (connect to a given bus, like dbus-monitor --address=ADDRESS). dbus-send --address still exists for backwards compatibility, but is no longer documented. (fdo#48816, Andrey Mazo) - 'dbus-daemon --nofork' is allowed on Windows again. (fdo#68852, Simon McVittie) - Avoid an infinite busy-loop if a signal interrupts waitpid() (fdo#68945, Simon McVittie) - Clean up memory for parent nodes when objects are unexported (fdo#60176, Thomas Fitzsimmons) - Make dbus_connection_set_route_peer_messages(x, FALSE) behave as documented. Previously, it assumed its second parameter was TRUE. (fdo#69165, Chengwei Yang) - Escape addresses containing non-ASCII characters correctly (fdo#53499, Chengwei Yang) - Document search order correctly (fdo#66994, Chengwei Yang) - Don't crash on 'dbus-send --session / x.y.z' which regressed in 1.7.4. (fdo#65923, Chengwei Yang) - If malloc() returns NULL in _dbus_string_init() or similar, don't free an invalid pointer if the string is later freed (fdo#65959, Chengwei Yang) - If malloc() returns NULL in dbus_set_error(), don't va_end() a va_list that was never va_start()ed (fdo#66300, Chengwei Yang) - fix build failure with --enable-stats (fdo#66004, Chengwei Yang) - fix a regression test on platforms with strict alignment (fdo#67279, Colin Walters) - Avoid calling function parameters 'interface' since certain Windows headers have a namespace-polluting macro of that name (fdo#66493, Ivan Romanov) - Assorted Doxygen fixes (fdo#65755, Chengwei Yang) - Various thread-safety improvements to static variables (fdo#68610, Simon McVittie) - Make 'make -j check' work (fdo#68852, Simon McVittie) - Fix a NULL pointer dereference on an unlikely error path (fdo#69327, Sviatoslav Chagaev) - Improve valgrind memory pool tracking (fdo#69326, Sviatoslav Chagaev) - Don't over-allocate memory in dbus-monitor (fdo#69329, Sviatoslav Chagaev) - dbus-monitor can monitor dbus-daemon < 1.5.6 again (fdo#66107, Chengwei Yang) - If accept4() fails with EINVAL, as it can on older Linux kernels with newer glibc, try accept() instead of going into a busy-loop. (fdo#69026, Chengwei Yang) - If socket() or socketpair() fails with EINVAL or EPROTOTYPE, for instance on Hurd or older Linux with a new glibc, try without SOCK_CLOEXEC. (fdo#69073; Pino Toscano, Chengwei Yang) - Fix a file descriptor leak on an error code path. (fdo#69182, Sviatoslav Chagaev) - dbus-run-session: clear some unwanted environment variables (fdo#39196, Simon) - dbus-run-session: compile on FreeBSD (fdo#66197, Chengwei Yang) - Don't fail the autolaunch test if there is no DISPLAY (fdo#40352, Simon) - Use dbus-launch from the builddir for testing, not the installed copy (fdo#37849, Chengwei Yang) - Fix compilation if writev() is unavailable (fdo#69409, Vasiliy Balyasnyy) - Remove broken support for LOCAL_CREDS credentials passing, and document where each credential-passing scheme is used (fdo#60340, Simon McVittie) - Make autogen.sh work on *BSD by not assuming GNU coreutils functionality fdo#35881, fdo#69787; Chengwei Yang) - dbus-monitor: be portable to NetBSD (fdo#69842, Chengwei Yang) - dbus-launch: stop using non-portable asprintf (fdo#37849, Simon) - Improve error reporting from the setuid activation helper (fdo#66728, Chengwei Yang) - Remove unavailable command-line options from 'dbus-daemon --help' (fdo#42441, Ralf Habacker) - Add support for looking up local TCPv4 clients' credentials on Windows XP via the undocumented AllocateAndGetTcpExTableFromStack function (fdo#66060, Ralf Habacker) - Fix insufficient dependency-tracking (fdo#68505, Simon McVittie) - Don't include wspiapi.h, fixing a compiler warning (fdo#68852, Simon McVittie) - add DBUS_ENABLE_ASSERT, DBUS_ENABLE_CHECKS for less confusing conditionals (fdo#66142, Chengwei Yang) - improve verbose-mode output (fdo#63047, Colin Walters) - consolidate Autotools and CMake build (fdo#64875, Ralf Habacker) - fix various unused variables, unusual build configurations etc. (fdo#65712, fdo#65990, fdo#66005, fdo#66257, fdo#69165, fdo#69410, fdo#70218; Chengwei Yang, Vasiliy Balyasnyy) - dbus-cve-2014-3533.patch: Add patch for CVE-2014-3533 to fix (fdo#63127) • CVE-2012-3524: Don't access environment variables (fdo#52202) (fdo#51521, Dave Reisner) • Remove an incorrect assertion from DBusTransport (fdo#51657, (fdo#51406, Simon McVittie) (fdo#51032, Simon McVittie) (fdo#34671, Simon McVittie) · Check for libpthread under CMake on Unix (fdo#47237, Simon McVittie) spec-compliance (fdo#48580, David Zeuthen) non-root when using OpenBSD install(1) (fdo#48217, Antoine Jacoutot) (fdo#45896, Simon McVittie) (fdo#39549, Simon McVittie) invent their own 'union of everything' type (fdo#11191, Simon find(1) (fdo#33840, Simon McVittie) (fdo#46273, Alban Crequy) again on Win32, but not on WinCE (fdo#46049, Simon (fdo#47321, Andoni Morales Alastruey) (fdo#39231, fdo#41012; Simon McVittie) - Add a regression test for fdo#38005 (fdo#39836, Simon McVittie) a service file entry for activation (fdo#39230, Simon McVittie) (fdo#24317, #34870; Will Thompson, David Zeuthen, Simon McVittie) and document it better (fdo#31818, Will Thompson) • Let the bus daemon implement more than one interface (fdo#33757, • Optimize _dbus_string_replace_len to reduce waste (fdo#21261, (fdo#35114, Simon McVittie) • Add dbus_type_is_valid as public API (fdo#20496, Simon McVittie) to unknown interfaces in the bus daemon (fdo#34527, Lennart Poettering) (fdo#32245; Javier Jardón, Simon McVittie) • Correctly give XDG_DATA_HOME priority over XDG_DATA_DIRS (fdo#34496, in embedded environments (fdo#19997, NB#219964; Simon McVittie) • Install the documentation, and an index for Devhelp (fdo#13495, booleans when sending them (fdo#16338, NB#223152; Simon McVittie) errors to dbus-shared.h (fdo#34527, Lennart Poettering) data (fdo#10887, Simon McVittie) .service files (fdo#19159, Sven Herzberg) (fdo#35750, Colin Walters) (fdo#32805, Mark Brand) which could result in a busy-loop (fdo#32992, NB#200248; possibly • Fix failure to detect abstract socket support (fdo#29895) (fdo#32262, NB#180486) • Improve some error code paths (fdo#29981, fdo#32264, fdo#32262, fdo#33128, fdo#33277, fdo#33126, NB#180486) • Avoid possible symlink attacks in /tmp during compilation (fdo#32854) • Tidy up dead code (fdo#25306, fdo#33128, fdo#34292, NB#180486) • Improve gcc malloc annotations (fdo#32710) • Documentation improvements (fdo#11190) • Avoid readdir_r, which is difficult to use correctly (fdo#8284, fdo#15922, LP#241619) • Cope with invalid files in session.d, system.d (fdo#19186, • Don't distribute generated files that embed our builddir (fdo#30285, fdo#34292) (fdo#33474, LP#381063) with lcov HTML reports and --enable-compiler-coverage (fdo#10887) · support credentials-passing (fdo#32542) · opt-in to thread safety (fdo#33464)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 77845
    published 2014-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77845
    title openSUSE Security Update : dbus-1 (openSUSE-SU-2014:1228-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16243.NASL
    description Update to 1.6.28 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-06-03
    plugin id 79924
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79924
    title Fedora 20 : dbus-1.6.28-1.fc20 (2014-16243)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-12.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-12 (D-Bus: Multiple Vulnerabilities) Multiple vulnerabilities have been discovered in D-Bus. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2016-06-03
    plugin id 79965
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79965
    title GLSA-201412-12 : D-Bus: Multiple Vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_38242D513E5811E4AC2FBCAEC565249C.NASL
    description Simon McVittie reports : Do not accept an extra fd in the padding of a cmsg message, which could lead to a 4-byte heap buffer overrun (CVE-2014-3635). Reduce default for maximum Unix file descriptors passed per message from 1024 to 16, preventing a uid with the default maximum number of connections from exhausting the system bus' file descriptors under Linux's default rlimit (CVE-2014-3636). Disconnect connections that still have a fd pending unmarshalling after a new configurable limit, pending_fd_timeout (defaulting to 150 seconds), removing the possibility of creating an abusive connection that cannot be disconnected by setting up a circular reference to a connection's file descriptor (CVE-2014-3637). Reduce default for maximum pending replies per connection from 8192 to 128, mitigating an algorithmic complexity denial-of-service attack (CVE-2014-3638). Reduce default for authentication timeout on the system bus from 30 seconds to 5 seconds, avoiding denial of service by using up all unauthenticated connection slots; and when all unauthenticated connection slots are used up, make new connection attempts block instead of disconnecting them (CVE-2014-3639).
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 77733
    published 2014-09-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77733
    title FreeBSD : dbus -- multiple vulnerabilities (38242d51-3e58-11e4-ac2f-bcaec565249c)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-214.NASL
    description Updated dbus packages fixes the following security issues : Alban Crequy and Simon McVittie discovered several vulnerabilities in the D-Bus message daemon : On 64-bit platforms, file descriptor passing could be abused by local users to cause heap corruption in dbus-daemon, leading to a crash, or potentially to arbitrary code execution (CVE-2014-3635). A denial-of-service vulnerability in dbus-daemon allowed local attackers to prevent new connections to dbus-daemon, or disconnect existing clients, by exhausting descriptor limits (CVE-2014-3636). Malicious local users could create D-Bus connections to dbus-daemon which could not be terminated by killing the participating processes, resulting in a denial-of-service vulnerability (CVE-2014-3637). dbus-daemon suffered from a denial-of-service vulnerability in the code which tracks which messages expect a reply, allowing local attackers to reduce the performance of dbus-daemon (CVE-2014-3638). dbus-daemon did not properly reject malicious connections from local users, resulting in a denial-of-service vulnerability (CVE-2014-3639). The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on incorrect reasoning, and does not fully prevent the attack described as CVE-2014-3636 part A, which is repeated below. Preventing that attack requires raising the system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a higher value. By queuing up the maximum allowed number of fds, a malicious sender could reach the system dbus-daemon's RLIMIT_NOFILE (ulimit -n, typically 1024 on Linux). This would act as a denial of service in two ways : - new clients would be unable to connect to the dbus-daemon - when receiving a subsequent message from a non-malicious client that contained a fd, dbus-daemon would receive the MSG_CTRUNC flag, indicating that the list of fds was truncated; kernel fd-passing APIs do not provide any way to recover from that, so dbus-daemon responds to MSG_CTRUNC by disconnecting the sender, causing denial of service to that sender. This update also resolves the CVE-2014-7824 security vulnerability.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 79322
    published 2014-11-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79322
    title Mandriva Linux Security Advisory : dbus (MDVSA-2014:214)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16227.NASL
    description Update to 1.6.28 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-06-03
    plugin id 80130
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80130
    title Fedora 19 : dbus-1.6.28-1.fc19 (2014-16227)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-17570.NASL
    description - Update to 1.8.12\\r\\n* Fixes various CVE's Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-06-03
    plugin id 80317
    published 2015-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80317
    title Fedora 20 : mingw-dbus-1.6.28-1.fc20 (2014-17570)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-557.NASL
    description The DBUS-1 service and libraries were updated to upstream release 1.6.24 fixing security issues and bugs. Upstream changes since dbus 1.6.8 + Security fixes - Do not accept an extra fd in the padding of a cmsg message, which could lead to a 4-byte heap buffer overrun. (CVE-2014-3635, fdo#83622; Simon McVittie) - Reduce default for maximum Unix file descriptors passed per message from 1024 to 16, preventing a uid with the default maximum number of connections from exhausting the system bus' file descriptors under Linux's default rlimit. Distributors or system administrators with a more restrictive fd limit may wish to reduce these limits further. Additionally, on Linux this prevents a second denial of service in which the dbus-daemon can be made to exceed the maximum number of fds per sendmsg() and disconnect the process that would have received them. (CVE-2014-3636, fdo#82820; Alban Crequy) - Disconnect connections that still have a fd pending unmarshalling after a new configurable limit, pending_fd_timeout (defaulting to 150 seconds), removing the possibility of creating an abusive connection that cannot be disconnected by setting up a circular reference to a connection's file descriptor. (CVE-2014-3637, fdo#80559; Alban Crequy) - Reduce default for maximum pending replies per connection from 8192 to 128, mitigating an algorithmic complexity denial-of-service attack (CVE-2014-3638, fdo#81053; Alban Crequy) - Reduce default for authentication timeout on the system bus from 30 seconds to 5 seconds, avoiding denial of service by using up all unauthenticated connection slots; and when all unauthenticated connection slots are used up, make new connection attempts block instead of disconnecting them. (CVE-2014-3639, fdo#80919; Alban Crequy) - On Linux >= 2.6.37-rc4, if sendmsg() fails with ETOOMANYREFS, silently drop the message. This prevents an attack in which a malicious client can make dbus-daemon disconnect a system service, which is a local denial of service. (fdo#80163, CVE-2014-3532; Alban Crequy) - Track remaining Unix file descriptors correctly when more than one message in quick succession contains fds. This prevents another attack which a malicious client can make dbus-daemon disconnect a system service. (fdo#79694, fdo#80469, CVE-2014-3533; Alejandro Martínez Suárez, Simon McVittie, Alban Crequy) - Alban Crequy at Collabora Ltd. discovered and fixed a denial-of-service flaw in dbus-daemon, part of the reference implementation of D-Bus. Additionally, in highly unusual environments the same flaw could lead to a side channel between processes that should not be able to communicate. (CVE-2014-3477, fdo#78979) - CVE-2013-2168: Fix misuse of va_list that could be used as a denial of service for system services. Vulnerability reported by Alexandru Cornea. (Simon) + Other fixes - Don't leak memory on out-of-memory while listing activatable or active services (fdo#71526, Radoslaw Pajak) - fix undefined behaviour in a regression test (fdo#69924, DreamNik) - path_namespace='/' in match rules incorrectly matched nothing; it now matches everything. (fdo#70799, Simon McVittie) - Make dbus_connection_set_route_peer_messages(x, FALSE) behave as documented. Previously, it assumed its second parameter was TRUE. (fdo#69165, Chengwei Yang) - Fix a NULL pointer dereference on an unlikely error path (fdo#69327, Sviatoslav Chagaev) - If accept4() fails with EINVAL, as it can on older Linux kernels with newer glibc, try accept() instead of going into a busy-loop. (fdo#69026, Chengwei Yang) - If socket() or socketpair() fails with EINVAL or EPROTOTYPE, for instance on Hurd or older Linux with a new glibc, try without SOCK_CLOEXEC. (fdo#69073; Pino Toscano, Chengwei Yang) - Fix a file descriptor leak on an error code path. (fdo#69182, Sviatoslav Chagaev) - Fix compilation if writev() is unavailable (fdo#69409, Vasiliy Balyasnyy) - Avoid an infinite busy-loop if a signal interrupts waitpid() (fdo#68945, Simon McVittie) - Escape addresses containing non-ASCII characters correctly (fdo#53499, Chengwei Yang) - If malloc() returns NULL in _dbus_string_init() or similar, don't free an invalid pointer if the string is later freed (fdo#65959, Chengwei Yang) - If malloc() returns NULL in dbus_set_error(), don't va_end() a va_list that was never va_start()ed (fdo#66300, Chengwei Yang) - Fix a regression test on platforms with strict alignment (fdo#67279, Colin Walters) - Avoid calling function parameters 'interface' since certain Windows headers have a namespace-polluting macro of that name (fdo#66493, Ivan Romanov) - Make 'make -j check' work (fdo#68852, Simon McVittie) - In dbus-daemon, don't crash if a .service file starts with key=value (fdo#60853, Chengwei Yang) - Fix an assertion failure if we try to activate systemd services before systemd connects to the bus (fdo#50199, Chengwei Yang) - Avoid compiler warnings for ignoring the return from write() (Chengwei Yang) - Following Unicode Corrigendum #9, the noncharacters U+nFFFE, U+nFFFF, U+FDD0..U+FDEF are allowed in UTF-8 strings again. (fdo#63072, Simon McVittie) - Diagnose incorrect use of dbus_connection_get_data() with negative slot (i.e. before allocating the slot) rather than returning junk (fdo#63127, Dan Williams) - In the activation helper, when compiled for tests, do not reset the system bus address, fixing the regression tests. (fdo#52202, Simon) - Fix building with Valgrind 3.8, at the cost of causing harmless warnings with Valgrind 3.6 on some compilers (fdo#55932, Arun Raghavan) - Don't leak temporary fds pointing to /dev/null (fdo#56927, Michel HERMIER) - Create session.d, system.d directories under CMake (fdo#41319, Ralf Habacker) - Include alloca.h for alloca() if available, fixing compilation on Solaris 10 (fdo#63071, Dagobert Michelsen)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 77890
    published 2014-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77890
    title openSUSE Security Update : dbus-1 (openSUSE-SU-2014:1239-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16147.NASL
    description Update to 1.8.12 (#1168438) - Fixes CVE-2014-3635 (fd.o#83622) - Fixes CVE-2014-3636 (fd.o#82820) - Fixes CVE-2014-3637 (fd.o#80559) - Fixes CVE-2014-3638 (fd.o#81053) - Fixes CVE-2014-3639 (fd.o#80919) - Fixes CVE-2014-7824 (fd.o#85105) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-06-03
    plugin id 80060
    published 2014-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80060
    title Fedora 21 : dbus-1.8.12-1.fc21 (2014-16147)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1037.NASL
    description According to the versions of the dbus packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - D-BUS is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. - Security Fix(es) - dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.(CVE-2014-3532) - dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.(CVE-2014-3533) - D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.(CVE-2015-0245) - D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call.(CVE-2014-3636) - The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.(CVE-2014-3477) - D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.(CVE-2014-3637) - Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.(CVE-2014-3635) - The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.(CVE-2014-3638) - The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections.(CVE-2014-3639) - D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1.(CVE-2014-7824) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 99800
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99800
    title EulerOS 2.0 SP1 : dbus (EulerOS-SA-2016-1037)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-176.NASL
    description Updated dbus packages fix multiple vulnerabilities : A denial of service vulnerability in D-Bus before 1.6.20 allows a local attacker to cause a bus-activated service that is not currently running to attempt to start, and fail, denying other users access to this service Additionally, in highly unusual environments the same flaw could lead to a side channel between processes that should not be able to communicate (CVE-2014-3477). A flaw was reported in D-Bus's file descriptor passing feature. A local attacker could use this flaw to cause a service or application to disconnect from the bus, typically resulting in that service or application exiting (CVE-2014-3532). A flaw was reported in D-Bus's file descriptor passing feature. A local attacker could use this flaw to cause an invalid file descriptor to be forwarded to a service or application, causing it to disconnect from the bus, typically resulting in that service or application exiting (CVE-2014-3533). On 64-bit platforms, file descriptor passing could be abused by local users to cause heap corruption in dbus-daemon, leading to a crash, or potentially to arbitrary code execution (CVE-2014-3635). A denial-of-service vulnerability in dbus-daemon allowed local attackers to prevent new connections to dbus-daemon, or disconnect existing clients, by exhausting descriptor limits (CVE-2014-3636). Malicious local users could create D-Bus connections to dbus-daemon which could not be terminated by killing the participating processes, resulting in a denial-of-service vulnerability (CVE-2014-3637). dbus-daemon suffered from a denial-of-service vulnerability in the code which tracks which messages expect a reply, allowing local attackers to reduce the performance of dbus-daemon (CVE-2014-3638). dbus-daemon did not properly reject malicious connections from local users, resulting in a denial-of-service vulnerability (CVE-2014-3639). The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on incorrect reasoning, and does not fully prevent the attack described as CVE-2014-3636 part A, which is repeated below. Preventing that attack requires raising the system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a higher value. By queuing up the maximum allowed number of fds, a malicious sender could reach the system dbus-daemon's RLIMIT_NOFILE (ulimit -n, typically 1024 on Linux). This would act as a denial of service in two ways : - new clients would be unable to connect to the dbus-daemon - when receiving a subsequent message from a non-malicious client that contained a fd, dbus-daemon would receive the MSG_CTRUNC flag, indicating that the list of fds was truncated; kernel fd-passing APIs do not provide any way to recover from that, so dbus-daemon responds to MSG_CTRUNC by disconnecting the sender, causing denial of service to that sender. This update resolves the issue (CVE-2014-7824). non-systemd processes can make dbus-daemon think systemd failed to activate a system service, resulting in an error reply back to the requester, causing a local denial of service (CVE-2015-0245).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 82451
    published 2015-03-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82451
    title Mandriva Linux Security Advisory : dbus (MDVSA-2015:176)
refmap via4
confirm
debian DSA-3026
mandriva MDVSA-2015:176
mlist [oss-security] 20140916 CVE-2014-3635 to 3639: security issues in D-Bus < 1.8.8
sectrack 1030864
secunia
  • 61378
  • 61431
suse
  • SUSE-SU-2014:1146
  • openSUSE-SU-2014:1239
ubuntu USN-2352-1
Last major update 06-01-2017 - 22:00
Published 22-09-2014 - 11:55
Last modified 30-10-2018 - 12:27
Back to Top