Your message dated Sat, 24 Jun 2023 19:47:08 +0000
with message-id <[email protected]>
and subject line Bug#1037151: fixed in dbus 1.14.8-1~deb12u1
has caused the Debian Bug report #1037151,
regarding dbus: CVE-2023-34969: denial of service when a monitor is active and a message from the driver cannot be delivered
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1037151: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037151
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dbus
Version: 1.15.4-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Control: found -1 1.14.6-1
Control: found -1 1.12.24-0+deb11u1

If a privileged user with control over the dbus-daemon is using the
org.freedesktop.DBus.Monitoring interface to monitor message bus
traffic, then an unprivileged user with the ability to connect to the
same dbus-daemon can cause a dbus-daemon crash under some circumstances.

When done on the well-known system bus, this is a denial-of-service
vulnerability. Unfortunately, the upstream bug reporter already made
this public information. I'm in the process of releasing dbus 1.15.6,
1.14.8 and 1.12.28 to resolve this; I've also asked MITRE for a CVE ID,
but I have not received one yet.

Mitigation: This can only be done if a monitoring process such
as dbus-monitor or busctl monitor is active on the same dbus-daemon
instance, which is a privileged operation that can only be done by root
or the Unix uid of the message bus. If no monitoring process is active,
then the vulnerable code is not reached.

My guess is that the security team will not want to release DSAs for this
local denial of service, and it's more appropriate to fix in bookworm
and bullseye via their next point releases. Is that assumption correct?

Thanks,
    smcv

--- End Message ---
--- Begin Message ---
Source: dbus
Source-Version: 1.14.8-1~deb12u1
Done: Simon McVittie <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 11 Jun 2023 12:42:56 +0100
Source: dbus
Architecture: source
Version: 1.14.8-1~deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1033056 1037151
Changes:
 dbus (1.14.8-1~deb12u1) bookworm; urgency=medium
 .
   * Rebuild for bookworm
   * d/gbp.conf: Use debian/bookworm branch
   * d/watch: Only watch for 1.14.x releases
 .
 dbus (1.14.8-1) unstable; urgency=medium
 .
   [ Simon McVittie ]
   * New upstream stable release
     - Fixes a denial of service issue if the root or messagebus user is
       monitoring messages on the system bus with the Monitoring interface
       (dbus-monitor, busctl monitor, gdbus monitor or similar)
       (Closes: #1037151)
 .
   [ Helmut Grohne ]
   * Mark dbus-daemon and dbus-bin Multi-Arch: foreign (Closes: #1033056)
Checksums-Sha1:
 fc6906068c21efa71ed7d7cdedc424b8097fd7ba 3784 dbus_1.14.8-1~deb12u1.dsc
 d7f02e667c17f9e6428b8fb44e6b8e182d3a1ca4 62604 dbus_1.14.8-1~deb12u1.debian.tar.xz
 e05332ee2468c295b9a594b03babb75bc62bb689 7630 dbus_1.14.8-1~deb12u1_source.buildinfo
Checksums-Sha256:
 fa87a99dd5b515fb268e6bbc3ff5ecbaa5ce57dd92b8729ff76eb1f49bd02ea3 3784 dbus_1.14.8-1~deb12u1.dsc
 812134a5ea56979653a9ff2d5534b2a401887486b4bbbd0ef04aa50df7636e2a 62604 dbus_1.14.8-1~deb12u1.debian.tar.xz
 e1da7776d9d04562d524dcf70016fd8994f5f60a2f8e1a8d8dff992aae342676 7630 dbus_1.14.8-1~deb12u1_source.buildinfo
Files:
 9e92af6baed7061e65e3c27c48894ace 3784 admin optional dbus_1.14.8-1~deb12u1.dsc
 13228eb248b35084c44752879413a035 62604 admin optional dbus_1.14.8-1~deb12u1.debian.tar.xz
 a146608af6b960d44d91fc2011ce873c 7630 admin optional dbus_1.14.8-1~deb12u1_source.buildinfo


--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers