[Pkg-utopia-maintainers] Bug#1037151: dbus: denial of service when a monitor is active and a message from the driver cannot be delivered

Salvatore Bonaccorso carnil at debian.org
Wed Jun 7 12:10:57 BST 2023


Hi Simon,

On Tue, Jun 06, 2023 at 02:36:01PM +0100, Simon McVittie wrote:
> Package: dbus
> Version: 1.15.4-1
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
> Control: found -1 1.14.6-1
> Control: found -1 1.12.24-0+deb11u1
> 
> If a privileged user with control over the dbus-daemon is using the
> org.freedesktop.DBus.Monitoring interface to monitor message bus
> traffic, then an unprivileged user with the ability to connect to the
> same dbus-daemon can cause a dbus-daemon crash under some circumstances.
> 
> When done on the well-known system bus, this is a denial-of-service
> vulnerability. Unfortunately, the upstream bug reporter already made
> this public information. I'm in the process of releasing dbus 1.15.6,
> 1.14.8 and 1.12.28 to resolve this; I've also asked MITRE for a CVE ID,
> but I have not received one yet.
> 
> Mitigation: This can only be done if a monitoring process such
> as dbus-monitor or busctl monitor is active on the same dbus-daemon
> instance, which is a privileged operation that can only be done by root
> or the Unix uid of the message bus. If no monitoring process is active,
> then the vulnerable code is not reached.
> 
> My guess is that the security team will not want to release DSAs for this
> local denial of service, and it's more appropriate to fix in bookworm
> and bullseye via their next point releases. Is that assumption correct?

Yes, that sounds fine to do in a point release.

Regards,
Salvatore
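The report ties exposure to two conditions: a dbus-daemon older than the upstream releases named as carrying the fix (1.15.6, 1.14.8, 1.12.28), and a monitoring process such as dbus-monitor or busctl monitor being active on the same bus instance. The following POSIX shell script is an added example, not code from the bug report or from the dbus project; it checks both conditions on a constructed process listing so it runs offline. The mapping of upstream branches to fixed versions is taken from the report above; the command-line patterns used to spot a monitor and the sample process listing are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the two conditions the
# report ties the crash to, a vulnerable dbus version and an active monitor.

# version_lt A B -> success (0) if dotted numeric version A is older than B.
version_lt() {
    a="$1"; b="$2"
    [ "$a" = "$b" ] && return 1
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a='' || a="${a#*.}"   # consume one component
        [ "$b" = "$bi" ] && b='' || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# dbus_needs_fix VERSION -> prints "yes" if VERSION is below the fixed release
# named in the report for its upstream branch, "no" if at or above it, and
# "unknown" for branches the report does not mention. Debian revisions such
# as "-1" or "-0+deb11u1" are stripped before comparing.
dbus_needs_fix() {
    v="${1%%-*}"
    case "$v" in
        1.15.*) fixed=1.15.6 ;;
        1.14.*) fixed=1.14.8 ;;
        1.12.*) fixed=1.12.28 ;;
        *) echo unknown; return 0 ;;
    esac
    if version_lt "$v" "$fixed"; then echo yes; else echo no; fi
}

# monitor_active LISTING -> success if a process listing (one command line per
# line, e.g. the output of "ps -eo args=") shows dbus-monitor or busctl monitor.
# The patterns are an assumption about typical invocations, not an exhaustive list.
monitor_active() {
    printf '%s\n' "$1" | grep -Eq '(^|[ /])dbus-monitor( |$)|(^|[ /])busctl .*monitor( |$)'
}

# Constructed sample listing standing in for "ps -eo args=" on a live host.
SAMPLE_PS='/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile
/usr/bin/dbus-monitor --system
/bin/sh -c sleep 60'

# On a live Debian system one would instead run:
#   dbus_needs_fix "$(dpkg-query -W -f='${Version}' dbus)"
#   monitor_active "$(ps -eo args=)" && echo "monitor active"
echo "version 1.14.6-1 needs fix: $(dbus_needs_fix 1.14.6-1)"
if monitor_active "$SAMPLE_PS"; then
    echo "monitor active in sample listing: vulnerable code path is reachable"
fi
```

Both checks have to be true for the crash to be reachable, so a host that has a vulnerable version but no monitor running is not exposed at that moment; the monitor check is a point-in-time snapshot and says nothing about a monitor started later.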


