Package: dbus
Version: 1.15.4-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Control: found -1 1.14.6-1
Control: found -1 1.12.24-0+deb11u1
If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances. When done on the well-known system bus, this is a denial-of-service vulnerability.

Unfortunately, the upstream bug reporter already made this public information.

I'm in the process of releasing dbus 1.15.6, 1.14.8 and 1.12.28 to resolve this; I've also asked MITRE for a CVE ID, but I have not received one yet.

Mitigation: This can only be done if a monitoring process such as dbus-monitor or busctl monitor is active on the same dbus-daemon instance, which is a privileged operation that can only be done by root or the Unix uid of the message bus. If no monitoring process is active, then the vulnerable code is not reached.

My guess is that the security team will not want to release DSAs for this local denial of service, and it's more appropriate to fix in bookworm and bullseye via their next point releases. Is that assumption correct?

Thanks,
smcv
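The two facts an administrator needs for triage are stated above: the fixed upstream releases (1.15.6, 1.14.8, 1.12.28) and the precondition that a monitoring client such as dbus-monitor or busctl monitor must be attached to the same dbus-daemon. The following is an added example, not part of this report or of the dbus project: a small Python triage script that parses a Debian package version, checks it against the fixed releases named in the report, and scans process command lines for the monitoring tools named above. The function names, the regexes and the sample process list are my own constructions; branches other than 1.12, 1.14 and 1.15 are not assessed because the report does not speak about them.

```python
import os
import re

# Upstream releases the report says resolve the issue, keyed by (major, minor).
FIXED_PATCH_LEVEL = {(1, 15): 6, (1, 14): 8, (1, 12): 28}

# Command-line shapes of the monitoring tools the report names.
# Hypothetical patterns: 'dbus-monitor ...' and 'busctl [options] monitor ...'.
MONITOR_PATTERNS = (
    re.compile(r'(^|/)dbus-monitor(\s|$)'),
    re.compile(r'(^|/)busctl(\s+\S+)*\s+monitor(\s|$)'),
)


def upstream_version(debian_version: str) -> tuple:
    """Return the upstream part of a Debian version as a tuple of ints.

    '1.12.24-0+deb11u1' -> (1, 12, 24). A leading epoch ('2:') and the
    Debian revision after '-' are discarded; only the dotted upstream
    number is compared against the fixed releases.
    """
    v = debian_version.split(':', 1)[-1]   # drop epoch, if present
    v = v.split('-', 1)[0]                 # drop Debian revision
    return tuple(int(part) for part in re.findall(r'\d+', v))


def version_is_affected(debian_version: str) -> bool:
    """True if the version is on a branch the report covers and is older
    than that branch's fixed release. Other branches return False here
    only because the report does not assess them (assumption)."""
    v = upstream_version(debian_version)
    branch = v[:2]
    patch = v[2] if len(v) > 2 else 0
    if branch not in FIXED_PATCH_LEVEL:
        return False
    return patch < FIXED_PATCH_LEVEL[branch]


def monitor_active(cmdlines) -> bool:
    """True if any command line looks like dbus-monitor or busctl monitor."""
    return any(p.search(c) for c in cmdlines for p in MONITOR_PATTERNS)


def live_cmdlines():
    """Read command lines of all processes from /proc (Linux only)."""
    result = []
    for pid in os.listdir('/proc'):
        if not pid.isdigit():
            continue
        try:
            with open(f'/proc/{pid}/cmdline', 'rb') as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited or not readable
        result.append(raw.replace(b'\0', b' ').decode(errors='replace').strip())
    return result


def exposure(debian_version: str, cmdlines) -> str:
    """Combine both conditions from the report into one verdict:
    'fixed'       - package already carries a fixed upstream release
    'exposed'     - affected version AND a monitor is attached
    'unreachable' - affected version, but no monitor, so the crashing
                    code path is not reached (the report's mitigation)"""
    if not version_is_affected(debian_version):
        return 'fixed'
    return 'exposed' if monitor_active(cmdlines) else 'unreachable'


# Constructed sample process list for an offline run.
SAMPLE_CMDLINES = [
    '/usr/bin/dbus-daemon --system --address=systemd:',
    '/bin/bash',
    'busctl --system monitor',
]

if __name__ == '__main__':
    print('sample:', exposure('1.15.4-1', SAMPLE_CMDLINES))
    print('this host (version 1.14.6-1 assumed):',
          exposure('1.14.6-1', live_cmdlines()))
```

Run as a script it evaluates the constructed sample and then the live process table; in practice the version string would come from `dpkg-query -W -f='${Version}' dbus`. The point of the split is that an affected version alone is not an exposure: without a monitor attached the report says the vulnerable code is never reached, so a 'fixed' or 'unreachable' verdict both mean no immediate action beyond scheduling the point-release update.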