-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1600
                           dbus security update
                             17 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           dbus
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3639 CVE-2014-3638 CVE-2014-3637
                   CVE-2014-3636 CVE-2014-3635 

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-3026

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running dbus check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3026-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
September 16, 2014                     http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : dbus
CVE ID         : CVE-2014-3635 CVE-2014-3636 CVE-2014-3637 CVE-2014-3638 
                 CVE-2014-3639

Alban Crequy and Simon McVittie discovered several vulnerabilities in
the D-Bus message daemon.

CVE-2014-3635

    On 64-bit platforms, file descriptor passing could be abused by
    local users to cause heap corruption in dbus-daemon, leading to a
    crash, or potentially to arbitrary code execution.

CVE-2014-3636

    A denial-of-service vulnerability in dbus-daemon allowed local
    attackers to prevent new connections to dbus-daemon, or disconnect
    existing clients, by exhausting descriptor limits.

CVE-2014-3637

    Malicious local users could create D-Bus connections to
    dbus-daemon which could not be terminated by killing the
    participating processes, resulting in a denial-of-service
    vulnerability.

CVE-2014-3638

    dbus-daemon suffered from a denial-of-service vulnerability in the
    code which tracks which messages expect a reply, allowing local
    attackers to reduce the performance of dbus-daemon.

CVE-2014-3639

    dbus-daemon did not properly reject malicious connections from
    local users, resulting in a denial-of-service vulnerability.

For the stable distribution (wheezy), these problems have been fixed in
version 1.6.8-1+deb7u4.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.8-1.

We recommend that you upgrade your dbus packages.
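To act on the advisory across a fleet, an administrator needs to decide whether each host's installed dbus version is at or past the fixed version named above. The following is an added example, not code from Debian or AusCERT: it implements the Debian version ordering (deb-version(5)) so that revisions such as "1+deb7u10" and "1+deb7u4" compare numerically rather than lexically, and checks a version string against the two fixed versions stated in the advisory. The fixed-version table is taken from the advisory text; the `installed_dbus_version` helper assumes `dpkg-query` is available on the host and is only called when the script is run directly.

```python
"""Check whether an installed dbus version includes the DSA-3026-1 fixes.

Added example, not Debian's or AusCERT's code. The fixed versions below are
the ones stated in the advisory; the comparison follows the Debian policy
ordering so that "1+deb7u10" sorts after "1+deb7u4".
"""
import subprocess

# Fixed versions as stated in the advisory text.
FIXED_VERSIONS = {
    "wheezy": "1.6.8-1+deb7u4",
    "sid": "1.8.8-1",
}

DIGITS = "0123456789"


def _order(c):
    """Sort weight of one character in a non-digit run, per Debian policy:
    '~' sorts before everything (even end of string), end of string is 0,
    letters sort before non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    """Lexical comparison of two non-digit runs with the modified ordering."""
    for i in range(max(len(a), len(b))):
        oa = _order(a[i]) if i < len(a) else 0
        ob = _order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream-version or debian-revision fragment by
    alternating non-digit runs (lexical) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        ia, jb = i, j
        while i < len(a) and a[i] not in DIGITS:
            i += 1
        while j < len(b) and b[j] not in DIGITS:
            j += 1
        r = _cmp_nondigit(a[ia:i], b[jb:j])
        if r:
            return r
        ia, jb = i, j
        while i < len(a) and a[i] in DIGITS:
            i += 1
        while j < len(b) and b[j] in DIGITS:
            j += 1
        # Empty digit run counts as 0; leading zeros are ignored by int().
        na, nb = int(a[ia:i] or "0"), int(b[jb:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def parse_debian_version(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_debian_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = parse_debian_version(a)
    eb, ub, rb = parse_debian_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_fixed(installed_version, suite):
    """True if the installed dbus version is at or past the fixed version."""
    return compare_debian_versions(installed_version, FIXED_VERSIONS[suite]) >= 0


def installed_dbus_version():
    """Query dpkg on the local host (assumes dpkg-query is available)."""
    return subprocess.check_output(
        ["dpkg-query", "-W", "-f=${Version}", "dbus"], text=True
    ).strip()


if __name__ == "__main__":
    v = installed_dbus_version()
    print(v, "fixed" if is_fixed(v, "wheezy") else "VULNERABLE (upgrade dbus)")
```

A plain string comparison would report "1.6.8-1+deb7u10" as older than "1.6.8-1+deb7u4", and would rank a "~rc" pre-release after the final release; the fragment comparison above handles both cases the way dpkg does.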

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJUGIrzAAoJEL97/wQC1SS+bgAH/2v7suJ3q6QQ9r8dpK3wlYtC
n6DrrqHvzECB0oEro51cvkHY9cl8HSYlKZoRXdbluEaHGCu+8f/IZ0aQIC2hkz1e
Cqh62l4Gzo+CZRmnDk4oTi2PcqnEXkIJgOo7pEDT4C9+4c5sF+vbLkAJ+x4VoRbf
eneYNgwIPGh8pyvw9VrMzTJAE81j5fZC5g6jxFfQCCOfo6IZlxKhn+d5XCElDz1f
yO4oeczxOkH0oHUo0Jo6Kd2RllbTbO9F+f2PVTOPRAvr1yqEj1zRtll0kA2vXZ0p
13pcZd3F/AWYDF8O5slOPZulx8GmVDETir2Jd8bPCduv7C4DPN9x8MA2IoYV668=
=Cvxc
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVBjTTRLndAQH1ShLAQLMmQ/9FVgEff+hqPjUIt7hfFK8QDpbPk8193sX
UFqjuh1awMjgDRMNZtL0BoRE5I07N6Hnv3Y5x80fmvSGRVmuFvmw6LJVA+RUIVPA
tDdh4GtT6hjD6RcWIr0lDMD7nyd/si1PH2MqklkOunxpcmBAzmLzi4lGbOBcH825
HEh0WcA9yE1zLzIk9iL6PIZp3/IgO/us9bh5gnaKaVlNW3m/jS68Xy62wI2nER2s
WX+q+sERaKi8lpA8LkCwXiAvHg2RoiiKmBTqFm2gRhuyKOPYVV6fxFtg2sHNsTpX
UsQYRFDwabMp528BfOhDz4QXcm27KY2WghpJFxO3Ek8zHdYPO+ZnZrkFvNsPW5UN
GX5WaU0Jktuatf6btyONHlmWYtkZVG7sapV0L8W8IlaZX4GYsGIt9h4Zy6QlqfPO
D1u8f+zcfk0YfV9a/IhDVbFwt4yTLL9jj5jtOM/UxBXbnPEMEoGSjwxz4LQWTkN0
rBzRmA+LXOUtwnLaKj2xCD6ArTwHBIgK13M/9rJukGc6JDQQOzWbdBv7Zy5XvXeC
qAxFRe2wxiG+GgpR6pvL1+NrzLdBM21wWpS5iw1u6n6HKXIbEje/nIWHUSEZgskM
LihD9o2zrVbEzKz6lBjBKPUfWgzROw+qGv4er9Wss4AXlTgNsGjkfFLi2JQrApNm
Hwr2A3pk91M=
=x/A6
-----END PGP SIGNATURE-----