Upstream has issued an advisory today (February 9): http://openwall.com/lists/oss-security/2015/02/09/6 The issue is fixed upstream in 1.8.16 and 1.6.30. Upstream commits to fix the issue are also linked in the message above. Mageia 4 is also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO
Blocks: (none) => 14674
1.8.16 pushed to Cauldron. patched packages uploaded to mga4: SRPMS: dbus-1.6.18-1.10.mga4.src.rpm i586: dbus-1.6.18-1.10.mga4.i586.rpm dbus-doc-1.6.18-1.10.mga4.noarch.rpm dbus-x11-1.6.18-1.10.mga4.i586.rpm libdbus1_3-1.6.18-1.10.mga4.i586.rpm libdbus-devel-1.6.18-1.10.mga4.i586.rpm x86_64: dbus-1.6.18-1.10.mga4.x86_64.rpm dbus-doc-1.6.18-1.10.mga4.noarch.rpm dbus-x11-1.6.18-1.10.mga4.x86_64.rpm lib64dbus1_3-1.6.18-1.10.mga4.x86_64.rpm lib64dbus-devel-1.6.18-1.10.mga4.x86_64.rpm
CC: (none) => tmbHardware: i586 => AllVersion: Cauldron => 4Blocks: 14674 => (none)Assignee: tmb => qa-bugsWhiteboard: MGA4TOO => (none)
Advisory: non-systemd processes can make dbus-daemon think systemd failed to activate a system service, resulting in an error reply back to the requester, causing a local denial of service (CVE-2015-0245) References: http://openwall.com/lists/oss-security/2015/02/09/6 https://bugs.freedesktop.org/show_bug.cgi?id=88811
Thanks Thomas! Nice concise advisory. I would use this for the references (includes the CVE and the upstream URLs for the mailing list announcements): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0245 http://lists.freedesktop.org/archives/dbus/2015-February/016553.html http://lists.freedesktop.org/archives/dbus/2015-February/016555.html
MGA4-64 on HP Probook 6555b. No installation issues. Rebooted the PC, startup time seems normal, no delays in starting applications.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA4-64-OK
System working fine for me on Mageia 4 i586. No noticeable issues or anything out of sorts in systemctl or journalctl. Observed normal behavior of dbus starting UDisks2 and powerdevil.backlighthelper in the journal.
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
Debian has issued an advisory for this on February 11: https://www.debian.org/security/2015/dsa-3161
URL: (none) => http://lwn.net/Vulnerabilities/633086/
Testing dbus-1.6.18-1.10.mga4 on Mageia4x64 real hardware (intel core i3, nvidia gtx750) with testing kernel-3.14.32-1.mga4 and glibc-2.18-9.9.mga4 Dmesg OK, nothing special in journalctl or systemctl. Display OK (Nvidia 331.113, screen 1920*1080) Network, web browser OK Play audio and video file OK USB OK
CC: (none) => olchal
Performed two installations one x86_64 and one i586 with kernel, 3 x nvidia, fglrx, broadcom-wl, vbox, xtables-addons and also glibc, dbus, x11 and cups at the same time. All Ok
Advisory uploaded with srpm from comment 1, text from comment 2 and references from comment 3.
Whiteboard: MGA4-64-OK MGA4-32-OK => advisory MGA4-64-OK MGA4-32-OK
Testing on Mageia4x32 real hardware (intel core i3, 8 Series/C220 Series Chipset, nvidia GTX750) dbus-1.6.18-1.10.mga4.i586 with latest kernel-desktop, glibc and x11-server OK
Validating. Please push to 4 updates Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0071.html
Status: NEW => RESOLVEDResolution: (none) => FIXED