-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:176 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : dbus Date : March 30, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Updated dbus packages fix multiple vulnerabilities: A denial of service vulnerability in D-Bus before 1.6.20 allows a local attacker to cause a bus-activated service that is not currently running to attempt to start, and fail, denying other users access to this service Additionally, in highly unusual environments the same flaw could lead to a side channel between processes that should not be able to communicate (CVE-2014-3477). A flaw was reported in D-Bus's file descriptor passing feature. A local attacker could use this flaw to cause a service or application to disconnect from the bus, typically resulting in that service or application exiting (CVE-2014-3532). A flaw was reported in D-Bus's file descriptor passing feature. A local attacker could use this flaw to cause an invalid file descriptor to be forwarded to a service or application, causing it to disconnect from the bus, typically resulting in that service or application exiting (CVE-2014-3533). On 64-bit platforms, file descriptor passing could be abused by local users to cause heap corruption in dbus-daemon, leading to a crash, or potentially to arbitrary code execution (CVE-2014-3635). A denial-of-service vulnerability in dbus-daemon allowed local attackers to prevent new connections to dbus-daemon, or disconnect existing clients, by exhausting descriptor limits (CVE-2014-3636). Malicious local users could create D-Bus connections to dbus-daemon which could not be terminated by killing the participating processes, resulting in a denial-of-service vulnerability (CVE-2014-3637). dbus-daemon suffered from a denial-of-service vulnerability in the code which tracks which messages expect a reply, allowing local attackers to reduce the performance of dbus-daemon (CVE-2014-3638). dbus-daemon did not properly reject malicious connections from local users, resulting in a denial-of-service vulnerability (CVE-2014-3639). The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on incorrect reasoning, and does not fully prevent the attack described as CVE-2014-3636 part A, which is repeated below. Preventing that attack requires raising the system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a higher value. By queuing up the maximum allowed number of fds, a malicious sender could reach the system dbus-daemon's RLIMIT_NOFILE (ulimit -n, typically 1024 on Linux). This would act as a denial of service in two ways: * new clients would be unable to connect to the dbus-daemon * when receiving a subsequent message from a non-malicious client that contained a fd, dbus-daemon would receive the MSG_CTRUNC flag, indicating that the list of fds was truncated; kernel fd-passing APIs do not provide any way to recover from that, so dbus-daemon responds to MSG_CTRUNC by disconnecting the sender, causing denial of service to that sender. This update resolves the issue (CVE-2014-7824). non-systemd processes can make dbus-daemon think systemd failed to activate a system service, resulting in an error reply back to the requester, causing a local denial of service (CVE-2015-0245). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3477 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3532 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3533 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3635 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3636 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3637 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3638 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3639 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7824 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0245 http://advisories.mageia.org/MGASA-2014-0266.html http://advisories.mageia.org/MGASA-2014-0294.html http://advisories.mageia.org/MGASA-2014-0395.html http://advisories.mageia.org/MGASA-2014-0457.html http://advisories.mageia.org/MGASA-2015-0071.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: 4c85ec34d47fb953f2433bf88fce54a2 mbs2/x86_64/dbus-1.6.18-3.1.mbs2.x86_64.rpm 403eb9b553300e5047e2ddc6ff5ec5eb mbs2/x86_64/dbus-doc-1.6.18-3.1.mbs2.noarch.rpm c1ee9cbf21bf2950e84c2b9492f83115 mbs2/x86_64/dbus-x11-1.6.18-3.1.mbs2.x86_64.rpm ec6f98afb3cbe37c6e6fe1810cfdc661 mbs2/x86_64/lib64dbus1_3-1.6.18-3.1.mbs2.x86_64.rpm 1e09c319aeef5f11776bdddf1122dc97 mbs2/x86_64/lib64dbus-devel-1.6.18-3.1.mbs2.x86_64.rpm 4e03062a15901014196d248d2ff03794 mbs2/SRPMS/dbus-1.6.18-3.1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVGQT2mqjQ0CJFipgRAgO/AKCBAPOsYvHsjKwLt5sj544QLjj14wCcD+FE MOoQRPbV7iRulHZ6WK9r7t0= =rDgp -----END PGP SIGNATURE-----
