[Bug 1632239] Re: dbus in Ubuntu has a format string vulnerability (fd.o #98157)
Marc Deslauriers
marc.deslauriers at canonical.com
Thu Nov 17 12:50:35 UTC 2016
This was fixed by https://www.ubuntu.com/usn/usn-3116-1/
Thanks for the bug report!
** Changed in: dbus (Ubuntu)
Status: New => Fix Released
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/1632239
Title:
dbus in Ubuntu has a format string vulnerability (fd.o #98157)
Status in dbus package in Ubuntu:
Fix Released
Bug description:
<http://www.openwall.com/lists/oss-security/2016/10/10/9>:
"""
Bug tracked as: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Versions affected: dbus >= 1.4.0
Mitigated in: dbus >= 1.9.10, 1.8.x >= 1.8.16, 1.6.x >= 1.6.30
Fixed in: dbus >= 1.11.6, 1.10.x >= 1.10.12, 1.8.x >= 1.8.22
Exploitable by: local users
Impact: unknown, possibly arbitrary code execution
Reporter: Simon McVittie, Collabora Ltd.
D-Bus <http://www.freedesktop.org/wiki/Software/dbus/> is an
asynchronous inter-process communication system, commonly used
for system services or within a desktop session on Linux and other
operating systems.
A format string vulnerability in the reference bus implementation,
dbus-daemon, could potentially allow local users to cause arbitrary
code execution or denial of service.
In versions of dbus-daemon that are also vulnerable to CVE-2015-0245,
this format string vulnerability is available to all local users.
These versions should be patched or updated immediately.
"""
dbus in Ubuntu 12.04 LTS (precise), 14.04 LTS (trusty), 15.04 (vivid)
appears to be vulnerable to this, because CVE-2015-0245 was never
addressed in those suites.
Because the patch for this bug is so simple, I would also recommend
patching the suites that already have a fix for CVE-2015-0245, in case
we were wrong in our assessment of the security exposure.
In suites where you are willing to update to the current upstream
version from the same branch, please do so (that's what I have done in
Debian stable and unstable). For suites with tighter change-control,
there is a one-line patch on the oss-security advisory.
As D-Bus' de facto release manager, I aim to make stable branches
(x.y.z where y is an even number) suitable for use by change-averse
distributions like Debian stable. Debian 8 post-release updates
continue to follow the latest 1.8.x release. Please inform upstream if
there are changes going into stable branches that Ubuntu considers to
be excessive.
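The advisory quoted above names the bug class but not the patch, so here is an added illustration (hypothetical code, not dbus-daemon's and not from the report) of a format string vulnerability in a printf-style logger: the vulnerable shape, in which text received from another process is passed as the format, the shape of a one-line fix, and a review-time check that counts the conversions such text would trigger if misused as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style log sink standing in for a daemon's logger (not dbus code). */
static char log_buf[256];

void log_message(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(log_buf, sizeof log_buf, fmt, ap);
    va_end(ap);
}

/* The bug class: text received from a peer is used AS the format string, so any
 * %-conversions it contains are interpreted with no matching arguments.
 * Deliberately never exercised below: doing so is undefined behaviour. */
void log_peer_failure_vulnerable(const char *peer_text)
{
    log_message(peer_text);
}

/* The shape of the fix: the untrusted text is only ever a %s argument. */
void log_peer_failure_fixed(const char *peer_text)
{
    log_message("peer reported failure: %s", peer_text);
}

/* Review/fuzz-harness check: number of conversions a string would trigger if it were
 * (mis)used as a format. "%%" is a literal percent sign and does not count. */
int count_format_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* skip the escaped pair */
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 if the fixed path logs the peer text byte-for-byte, i.e. nothing is interpreted. */
int fixed_path_preserves_text(const char *peer_text)
{
    log_peer_failure_fixed(peer_text);
    return strcmp(log_buf + strlen("peer reported failure: "), peer_text) == 0;
}
```

The constructed peer text in the test contains `%x` and `%n`; the fixed path reproduces it literally, while the vulnerable path would read and write through unintended stack arguments.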