Bug#1037151: dbus: denial of service when a monitor is active and a message from the driver cannot be delivered
Hi Simon,

On Tue, Jun 06, 2023 at 02:36:01PM +0100, Simon McVittie wrote:
> Package: dbus
> Version: 1.15.4-1
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team
> Control: found -1 1.14.6-1
> Control: found -1 1.12.24-0+deb11u1
>
> If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances.
>
> When done on the well-known system bus, this is a denial-of-service vulnerability. Unfortunately, the upstream bug reporter already made this public information. I'm in the process of releasing dbus 1.15.6, 1.14.8 and 1.12.28 to resolve this; I've also asked MITRE for a CVE ID, but I have not received one yet.
>
> Mitigation: This can only be done if a monitoring process such as dbus-monitor or busctl monitor is active on the same dbus-daemon instance, which is a privileged operation that can only be done by root or the Unix uid of the message bus. If no monitoring process is active, then the vulnerable code is not reached.
>
> My guess is that the security team will not want to release DSAs for this local denial of service, and it's more appropriate to fix in bookworm and bullseye via their next point releases. Is that assumption correct?

Yes, that sounds fine to do in a point release.

Regards,
Salvatore
Bug#1037151: dbus: denial of service when a monitor is active and a message from the driver cannot be delivered
Package: dbus
Version: 1.15.4-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team
Control: found -1 1.14.6-1
Control: found -1 1.12.24-0+deb11u1

If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances.

When done on the well-known system bus, this is a denial-of-service vulnerability. Unfortunately, the upstream bug reporter already made this public information. I'm in the process of releasing dbus 1.15.6, 1.14.8 and 1.12.28 to resolve this; I've also asked MITRE for a CVE ID, but I have not received one yet.

Mitigation: This can only be done if a monitoring process such as dbus-monitor or busctl monitor is active on the same dbus-daemon instance, which is a privileged operation that can only be done by root or the Unix uid of the message bus. If no monitoring process is active, then the vulnerable code is not reached.

My guess is that the security team will not want to release DSAs for this local denial of service, and it's more appropriate to fix in bookworm and bullseye via their next point releases. Is that assumption correct?

Thanks,
smcv
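Added here as a local triage helper; it is not part of the bug thread or of the dbus project. It maps an installed Debian dbus version onto the fixed upstream releases the report names (1.12.28, 1.14.8, 1.15.6) and combines that with the precondition the report describes, an active monitor. Assumptions: dpkg-query and pgrep are available, and the only monitor process names checked are dbus-monitor and "busctl monitor"; branches other than 1.12, 1.14 and 1.15 are left unclassified because the report says nothing about them.

```python
import re
import shutil
import subprocess

# Upstream releases the report names as carrying the fix, keyed by 1.x branch.
FIXED_UPSTREAM = {(1, 12): (1, 12, 28), (1, 14): (1, 14, 8), (1, 15): (1, 15, 6)}

def upstream_version(debian_version):
    """Reduce a Debian version (optional epoch, optional revision such as
    '-1' or '-0+deb11u1') to its upstream part as an int tuple."""
    upstream = debian_version.split(":", 1)[-1].rsplit("-", 1)[0]
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", upstream)
    if not m:
        raise ValueError(f"unrecognised dbus version: {debian_version!r}")
    return tuple(int(x) for x in m.groups())

def branch_status(debian_version):
    """'fixed' or 'vulnerable' for the three branches the report names;
    'unclassified' for any other branch, which the report does not cover."""
    up = upstream_version(debian_version)
    fixed = FIXED_UPSTREAM.get(up[:2])
    if fixed is None:
        return "unclassified"
    return "fixed" if up >= fixed else "vulnerable"

def monitor_process_running():
    """Best-effort check for the precondition the report describes: a
    dbus-monitor or 'busctl monitor' process on this host (assumes pgrep)."""
    if shutil.which("pgrep") is None:
        return False
    dm = subprocess.run(["pgrep", "-x", "dbus-monitor"], capture_output=True)
    bc = subprocess.run(["pgrep", "-f", "busctl monitor"], capture_output=True)
    return dm.returncode == 0 or bc.returncode == 0

def assess(debian_version, monitor_active):
    """Combine the version state with the monitor precondition: the crash
    path is only reachable while a monitor is attached to the daemon."""
    status = branch_status(debian_version)
    if status != "vulnerable":
        return status
    return "exposed" if monitor_active else "vulnerable-mitigated"

if __name__ == "__main__":
    # Installed package version via dpkg (assumed available on the host).
    out = subprocess.run(["dpkg-query", "-W", "--showformat=${Version}", "dbus"],
                         capture_output=True, text=True, check=True)
    print(assess(out.stdout.strip(), monitor_process_running()))
```

The monitor check only sees processes on the local host and only under those two names, so treat "vulnerable-mitigated" as "no monitor found", not as proof that none is attached.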