Hi Simon,

On Tue, Jun 06, 2023 at 02:36:01PM +0100, Simon McVittie wrote:
> Package: dbus
> Version: 1.15.4-1
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team <[email protected]>
> Control: found -1 1.14.6-1
> Control: found -1 1.12.24-0+deb11u1
>
> If a privileged user with control over the dbus-daemon is using the
> org.freedesktop.DBus.Monitoring interface to monitor message bus
> traffic, then an unprivileged user with the ability to connect to the
> same dbus-daemon can cause a dbus-daemon crash under some circumstances.
>
> When done on the well-known system bus, this is a denial-of-service
> vulnerability. Unfortunately, the upstream bug reporter already made
> this public information. I'm in the process of releasing dbus 1.15.6,
> 1.14.8 and 1.12.28 to resolve this; I've also asked MITRE for a CVE ID,
> but I have not received one yet.
>
> Mitigation: This can only be done if a monitoring process such
> as dbus-monitor or busctl monitor is active on the same dbus-daemon
> instance, which is a privileged operation that can only be done by root
> or the Unix uid of the message bus. If no monitoring process is active,
> then the vulnerable code is not reached.
>
> My guess is that the security team will not want to release DSAs for this
> local denial of service, and it's more appropriate to fix in bookworm
> and bullseye via their next point releases. Is that assumption correct?
Yes, that sounds fine to do in a point release.

Regards,
Salvatore
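As an added triage helper (not part of this thread or of the dbus project), the following script turns the report's two facts into a host check: whether the running dbus-daemon is at or past the fixed release for its branch (1.12.28, 1.14.8, 1.15.6), and whether a system-bus monitor such as dbus-monitor or busctl monitor is currently active, which is the precondition for the vulnerable code being reached. It assumes the version text comes from `dbus-daemon --version` or a package version string, and that the process list is in the shape of `ps -eo user,args` output; the sample process lines are constructed.

```python
import re
# Fixed upstream releases named in the report, keyed by branch. Assumption:
# anything at or above the fixed version on the same branch carries the fix.
FIXED_VERSIONS = {
    (1, 12): (1, 12, 28),
    (1, 14): (1, 14, 8),
    (1, 15): (1, 15, 6),
}

# Constructed sample in the shape of `ps -eo user,args` output (not real data).
SAMPLE_PS = """\
root     /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile
root     dbus-monitor --system
alice    busctl --user monitor
"""

def parse_version(text):
    """Pull x.y.z out of `dbus-daemon --version` output or a package version."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no dbus version found in %r" % text)
    return tuple(int(x) for x in m.groups())

def is_fixed(version):
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Branches newer than 1.15 postdate the fix; older ones are not covered.
        return version[:2] > (1, 15)
    return version >= fixed

def active_system_monitors(ps_output):
    """(user, args) of processes monitoring the system bus: dbus-monitor only with
    --system (its default is the session bus), busctl monitor unless --user."""
    hits = []
    for line in ps_output.splitlines():
        user, _, args = line.strip().partition(" ")
        argv = args.split()
        if not argv:
            continue
        exe = argv[0].rsplit("/", 1)[-1]
        if (exe == "dbus-monitor" and "--system" in argv) or (
                exe == "busctl" and "monitor" in argv and "--user" not in argv):
            hits.append((user, " ".join(argv)))
    return hits

def triage(version_text, ps_output):
    version = parse_version(version_text)
    monitors = active_system_monitors(ps_output)
    return {"version": version, "fixed": is_fixed(version),
            "monitor_active": bool(monitors), "monitors": monitors}
```

Run `triage(subprocess.check_output(["dbus-daemon", "--version"], text=True), subprocess.check_output(["ps", "-eo", "user,args"], text=True))` on a real host; `fixed: False` together with `monitor_active: True` is the combination that matters.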
