Updated dbus packages fix security vulnerabilitiy
Publication date: 15 Nov 2014Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-7824
Description
The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on incorrect reasoning, and does not fully prevent the attack described as "CVE-2014-3636 part A", which is repeated below. Preventing that attack requires raising the system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a higher value. By queuing up the maximum allowed number of fds, a malicious sender could reach the system dbus-daemon's RLIMIT_NOFILE (ulimit -n, typically 1024 on Linux). This would act as a denial of service in two ways: * new clients would be unable to connect to the dbus-daemon * when receiving a subsequent message from a non-malicious client that contained a fd, dbus-daemon would receive the MSG_CTRUNC flag, indicating that the list of fds was truncated; kernel fd-passing APIs do not provide any way to recover from that, so dbus-daemon responds to MSG_CTRUNC by disconnecting the sender, causing denial of service to that sender. This update resolves the issue (CVE-2014-7824). Also default auth_timeout that was changed from 30s to 5s in MGASA-2014-0395, and raised to 20s in MGAA-2014-0182 is now changed back to 30s as there still are reports about failing dbus connections.
References
SRPMS
3/core
- dbus-1.6.8-4.8.mga3
4/core
- dbus-1.6.18-1.8.mga4