[v3.0] dbus: incomplete fix of the known issue (CVE-2014-7824)
The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on incorrect reasoning, and does not fully prevent the attack described as “CVE-2014-3636 part A”, which is repeated below. Preventing that attack requires raising the system dbus-daemon’s RLIMIT_NOFILE (ulimit -n) to a higher value. CVE-2014-7824 has been allocated for this vulnerability.
Tracked as: https://bugs.freedesktop.org/show_bug.cgi?id=85105
Impact: local denial of service
Access required: local
Versions believed to be vulnerable: dbus >= 1.3.0
Fixed in: dbus 1.6.x >= 1.6.26, 1.8.x >= 1.8.10, all versions >= 1.9.2
Credit: discovered by Simon McVittie at Collabora Ltd.
References:
CONFIRM: http://seclists.org/oss-sec/2014/q4/580
PATCH: http://seclists.org/oss-sec/2014/q4/att-580/0001-CVE-2014-7824-set-fd-rlimit-to-64k-for-the-system-db.patch
(from redmine: issue id 3655, created on 2014-12-24, closed on 2015-01-13)
- Relations:
- parent #3652 (closed)
- Changesets:
- Revision f947fc98 by Natanael Copa on 2015-01-12T16:53:51Z:
main/dbus: security upgrade to 1.8.14 (CVE-2014-7824)
fixes #3655
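
One way to verify after the upgrade that a running system dbus-daemon actually has the raised RLIMIT_NOFILE, added here as an example (it is not part of the original issue or of the D-Bus patch). The 65536 threshold is an assumption read from the patch file name ("fd rlimit to 64k"), and `nofile_soft`, `check_limits_file`, `sample_limits` and `check_system_dbus` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit the fd limit of the system dbus-daemon (CVE-2014-7824).
# MIN_NOFILE is an assumption taken from the patch file name ("fd rlimit to 64k").
MIN_NOFILE=65536

# Print the soft "Max open files" limit from a /proc/<pid>/limits-style file.
nofile_soft() {
    awk '/^Max open files/ { print $4; found = 1; exit }
         END { if (!found) exit 1 }' "$1"
}

# Return 0 if the limit is adequate, 1 if too low, 2 if it cannot be read.
check_limits_file() {
    soft=$(nofile_soft "$1" 2>/dev/null) || return 2
    case "$soft" in
        unlimited) return 0 ;;
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$soft" -ge "$MIN_NOFILE" ]
}

# Constructed sample in /proc/<pid>/limits layout; $1 is the limit to embed.
sample_limits() {
    printf '%-26s%-21s%-21s%s\n' 'Limit' 'Soft Limit' 'Hard Limit' 'Units'
    printf '%-26s%-21s%-21s%s\n' 'Max cpu time' 'unlimited' 'unlimited' 'seconds'
    printf '%-26s%-21s%-21s%s\n' 'Max open files' "$1" "$1" 'files'
}

# Live check: inspect every dbus-daemon process started with --system.
check_system_dbus() {
    rc=0
    for pid in $(pgrep -f 'dbus-daemon.*--system'); do
        if check_limits_file "/proc/$pid/limits"; then
            echo "pid $pid: RLIMIT_NOFILE ok"
        else
            echo "pid $pid: RLIMIT_NOFILE below $MIN_NOFILE or unreadable"
            rc=1
        fi
    done
    return $rc
}

# Run the live check only when asked: sh check-dbus-nofile.sh --live
if [ "${1:-}" = "--live" ]; then
    check_system_dbus
fi
```

The daemon must be restarted after the package upgrade before the new limit shows up in `/proc/<pid>/limits`.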