Advisories » MGASA-2014-0457

Updated dbus packages fix security vulnerabilitiy

Publication date: 15 Nov 2014
Modification date: 15 Nov 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-7824

Description

The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on
incorrect reasoning, and does not fully prevent the attack described as
"CVE-2014-3636 part A", which is repeated below. Preventing that attack
requires raising the system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to
a higher value.

By queuing up the maximum allowed number of fds, a malicious sender
could reach the system dbus-daemon's RLIMIT_NOFILE (ulimit -n, typically
1024 on Linux). This would act as a denial of service in two ways:

* new clients would be unable to connect to the dbus-daemon
* when receiving a subsequent message from a non-malicious client that
  contained a fd, dbus-daemon would receive the MSG_CTRUNC flag,
  indicating that the list of fds was truncated; kernel fd-passing APIs
  do not provide any way to recover from that, so dbus-daemon responds
  to MSG_CTRUNC by disconnecting the sender, causing denial of service
  to that sender.

This update resolves the issue (CVE-2014-7824).

Also default auth_timeout that was changed from 30s to 5s in MGASA-2014-0395,
and raised to 20s in MGAA-2014-0182 is now changed back to 30s as there
still are reports about failing dbus connections.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=14494
• https://advisories.mageia.org/MGAA-2014-0182.html
• http://openwall.com/lists/oss-security/2014/11/10/2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7824

SRPMS

3/core

• dbus-1.6.8-4.8.mga3

4/core

• dbus-1.6.18-1.8.mga4