Bug 35124 – dbus: Denial of service (ES 3.2)

Bug 35124 - dbus: Denial of service (ES 3.2)


Summary:	dbus: Denial of service (ES 3.2)

Status:	CLOSED WONTFIX

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 3.2
Hardware:	Other Linux

Importance:	P4 normal (vote)
Target Milestone:	UCS 3.2-x-errata
Assigned To:	UCS maintainers
QA Contact:

URL:
Keywords:

Depends on:	42899
Blocks:
	Show dependency tree / graph

Reported:	2014-06-16 11:22 CEST by Moritz Muehlenhoff
Modified:	2019-04-11 19:24 CEST (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Security
Max CVSS v3 score:	8.1 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Moritz Muehlenhoff

2014-06-16 11:22:23 CEST

dbus failed to restrict some message parsing between Dbus clients (CVE-2014-3477)

Comment 1 Moritz Muehlenhoff

2014-07-03 07:51:34 CEST

Two additional denial of service vulneraboilities in file descriptor passing (CVE-2014-3532, CVE-2014-3533)

Comment 2 Moritz Muehlenhoff

2014-07-11 08:34:02 CEST

(In reply to Moritz Muehlenhoff from comment #1)
> Two additional denial of service vulneraboilities in file descriptor passing
> (CVE-2014-3532, CVE-2014-3533)

CVE-2014-3533 doesn't affect the version from UCS 3.2.x

Comment 3 Moritz Muehlenhoff

2014-10-02 13:30:03 CEST

Several further local Dbus DoS: CVE-2014-3635 CVE-2014-3636 CVE-2014-3637 CVE-2014-3638 CVE-2014-3639

Comment 4 Moritz Muehlenhoff

2014-11-20 13:17:05 CET

(In reply to Moritz Muehlenhoff from comment #3)
> Several further local Dbus DoS: CVE-2014-3635 CVE-2014-3636 CVE-2014-3637
> CVE-2014-3638 CVE-2014-3639

CVE-2014-3637, CVE-2014-3636 and CVE-2014-3635 don't affect UCS 3.2; the affected feature was introduced later.

Comment 5 Moritz Muehlenhoff

2014-11-20 13:17:53 CET

CVE-2014-7824 also doesn't affect UCS 3.2; the affected code was introduced later.

Comment 6 Arvid Requate

2016-11-08 20:05:41 CET

Upstream Debian (Wheezy) package version 1:9.8.4.dfsg.P1-6+nmu2+deb7u13 fixes this issue:

* named in ISC BIND 9.x before 9.9.9-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. (CVE-2016-8864)

Comment 7 Stefan Gohmann

2017-06-16 20:38:58 CEST

This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.