Your message dated Tue, 06 Jun 2023 17:34:05 +0000
with message-id <[email protected]>
and subject line Bug#1037151: fixed in dbus 1.15.6-1
has caused the Debian Bug report #1037151,
regarding dbus: denial of service when a monitor is active and a message from the driver cannot be delivered
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1037151: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037151
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dbus
Version: 1.15.4-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Control: found -1 1.14.6-1
Control: found -1 1.12.24-0+deb11u1
If a privileged user with control over the dbus-daemon is using the
org.freedesktop.DBus.Monitoring interface to monitor message bus
traffic, then an unprivileged user with the ability to connect to the
same dbus-daemon can cause a dbus-daemon crash under some circumstances.
When done on the well-known system bus, this is a denial-of-service
vulnerability. Unfortunately, the upstream bug reporter already made
this public information. I'm in the process of releasing dbus 1.15.6,
1.14.8 and 1.12.28 to resolve this; I've also asked MITRE for a CVE ID,
but I have not received one yet.
Mitigation: This can only be done if a monitoring process such
as dbus-monitor or busctl monitor is active on the same dbus-daemon
instance, which is a privileged operation that can only be done by root
or the Unix uid of the message bus. If no monitoring process is active,
then the vulnerable code is not reached.
My guess is that the security team will not want to release DSAs for this
local denial of service, and it's more appropriate to fix in bookworm
and bullseye via their next point releases. Is that assumption correct?
Thanks,
smcv
--- End Message ---
--- Begin Message ---
Source: dbus
Source-Version: 1.15.6-1
Done: Simon McVittie <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated dbus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 06 Jun 2023 15:06:09 +0100
Source: dbus
Architecture: source
Version: 1.15.6-1
Distribution: experimental
Urgency: medium
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1033056 1037151
Changes:
dbus (1.15.6-1) experimental; urgency=medium
.
[ Simon McVittie ]
* New upstream development release
- Fixes a denial of service issue if the root or messagebus user is
monitoring messages on the system bus with the Monitoring interface
(dbus-monitor, busctl monitor, gdbus monitor or similar)
(Closes: #1037151)
* d/rules: Tell dh_shlibdeps where to find dbus-tests' private libraries
dbus-tests contains an instrumented/debug build of libdbus in a private
directory, which has more ABI than the production build, and a second
set of tests which depend on that debug build.
* d/rules: Extend arbitrary timeout for tests.
Some mipsel buildds are very slow and have seen the hash test time out
after 30 seconds (it normally takes about 10 on slower machines).
.
[ Helmut Grohne ]
* Mark dbus-daemon and dbus-bin Multi-Arch: foreign (Closes: #1033056)
--- End Message ---