Your message dated Sun, 11 Jun 2023 11:51:16 +0000
with message-id <[email protected]>
and subject line Bug#1037151: fixed in dbus 1.14.8-1
has caused the Debian Bug report #1037151,
regarding dbus: CVE-2023-34969: denial of service when a monitor is active and
a message from the driver cannot be delivered
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1037151: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037151
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dbus
Version: 1.15.4-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Control: found -1 1.14.6-1
Control: found -1 1.12.24-0+deb11u1
If a privileged user with control over the dbus-daemon is using the
org.freedesktop.DBus.Monitoring interface to monitor message bus
traffic, then an unprivileged user with the ability to connect to the
same dbus-daemon can cause a dbus-daemon crash under some circumstances.
When done on the well-known system bus, this is a denial-of-service
vulnerability. Unfortunately, the upstream bug reporter already made
this public information. I'm in the process of releasing dbus 1.15.6,
1.14.8 and 1.12.28 to resolve this; I've also asked MITRE for a CVE ID,
but I have not received one yet.
Mitigation: This can only be done if a monitoring process such
as dbus-monitor or busctl monitor is active on the same dbus-daemon
instance, which is a privileged operation that can only be done by root
or the Unix uid of the message bus. If no monitoring process is active,
then the vulnerable code is not reached.
My guess is that the security team will not want to release DSAs for this
local denial of service, and it's more appropriate to fix in bookworm
and bullseye via their next point releases. Is that assumption correct?
Thanks,
smcv
--- End Message ---
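An added triage aid, not code from the bug report or from the dbus project: a Python script that takes a Debian dbus package version (for example from `dpkg-query`) and checks its upstream part against the three upstream releases the report names as fixed. It assumes only those fix versions; a stable point release may carry the fix as a backport without raising the upstream version, so a negative result is a prompt to consult the Debian security tracker, not a confirmed exposure.

```python
"""Triage helper for CVE-2023-34969 (dbus DoS while a monitor is active).

Added example, not from the bug report or the dbus project. Compares the
upstream part of a Debian dbus version against the upstream releases the
report names as fixed (1.15.6, 1.14.8, 1.12.28). A point release may backport
the fix without changing the upstream version: treat False as "verify", not
as confirmed exposure.
"""
import re
import subprocess
from typing import Optional, Tuple

# Upstream release that fixed the bug on each stable branch (from the report).
FIXED_UPSTREAM = {
    (1, 12): (1, 12, 28),
    (1, 14): (1, 14, 8),
    (1, 15): (1, 15, 6),
}


def upstream_version(debian_version: str) -> Tuple[int, ...]:
    """Strip epoch and Debian revision: '1.12.24-0+deb11u1' -> (1, 12, 24)."""
    v = debian_version.split(":", 1)[-1]   # drop an epoch such as '1:' if present
    v = v.split("-", 1)[0]                  # drop the Debian revision
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        # Pre-releases such as 1.15.6~rc1 are rejected rather than guessed at.
        raise ValueError(f"unrecognised dbus version: {debian_version!r}")
    return tuple(int(x) for x in m.groups())


def has_fix(debian_version: str) -> Optional[bool]:
    """True if upstream carries the fix, False if it predates it, None if the
    branch is outside the three the report covers."""
    ver = upstream_version(debian_version)
    fixed = FIXED_UPSTREAM.get(ver[:2])
    return None if fixed is None else ver >= fixed


def installed_dbus_version() -> Optional[str]:
    """Ask dpkg for the installed dbus version; None if dpkg or the package is absent."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "dbus"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_dbus_version()
    print("installed:", v, "fix present:", has_fix(v) if v else "n/a")
```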
--- Begin Message ---
Source: dbus
Source-Version: 1.14.8-1
Done: Simon McVittie <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated dbus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 06 Jun 2023 15:05:50 +0100
Source: dbus
Architecture: source
Version: 1.14.8-1
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team
<[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1033056 1037151
Changes:
dbus (1.14.8-1) unstable; urgency=medium
.
[ Simon McVittie ]
* New upstream stable release
- Fixes a denial of service issue if the root or messagebus user is
monitoring messages on the system bus with the Monitoring interface
(dbus-monitor, busctl monitor, gdbus monitor or similar)
(Closes: #1037151)
.
[ Helmut Grohne ]
* Mark dbus-daemon and dbus-bin Multi-Arch: foreign (Closes: #1033056)
--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers