rpm package
opensuse/dbus-1&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/dbus-1&distro=openSUSE%20Tumbleweed
Vulnerabilities (21)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-34969 | — | | | < 1.14.8-1.1 | 1.14.8-1.1 | Jun 8, 2023 | D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the |
| CVE-2020-12049 | — | | | < 1.12.20-5.5 | 1.12.20-5.5 | Jun 8, 2020 | An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's privat |
| CVE-2019-12749 | — | | | < 1.12.20-5.5 | 1.12.20-5.5 | Jun 11, 2019 | dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_ |
| CVE-2015-0245 | — | | | < 1.10.12-2.1 | 1.10.12-2.1 | Feb 13, 2015 | D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving send |
| CVE-2014-8148 | — | | | < 1.10.12-2.1 | 1.10.12-2.1 | Jan 26, 2015 | The default D-Bus access control rule in Midgard2 10.05.7.1 allows local users to send arbitrary method calls or signals to any process on the system bus and possibly execute arbitrary code with root privileges. |
| CVE-2014-7824 | — | | | < 1.10.12-2.1 | 1.10.12-2.1 | Nov 18, 2014 | D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of |
| CVE-2014-3636 | — | | | < 1.10.12-2.1 | 1.10.12-2.1 | Oct 25, 2014 | D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple mess |
| CVE-2014-3639 | — | | | < 1.10.12-2.1 | 1.10.12-2.1 | Sep 22, 2014 | The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections. |
| CVE-2014-3638 | — | | | < 1.10.12-2.1 | 1.10.12-2.1 | Sep 22, 2014 | The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls. |
| CVE-2014-3637 | — | | | < 1.10.12-2.1 | 1.10.12-2.1 | Sep 22, 2014 | D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor. |
| CVE-2014-3635 | — | | | < 1.10.12-2.1 | 1.10.12-2.1 | Sep 22, 2014 | Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code b |
| CVE-2014-3533 | — | | | < 1.10.12-2.1 | 1.10.12-2.1 | Jul 19, 2014 | dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor. |
| CVE-2014-3532 | — | | | < 1.10.12-2.1 | 1.10.12-2.1 | Jul 19, 2014 | dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recu |
| CVE-2014-3477 | Med | 4.0 | | < 1.10.12-2.1 | 1.10.12-2.1 | Jul 1, 2014 | The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initializatio |
| CVE-2013-2168 | — | | | < 1.10.12-2.1 | 1.10.12-2.1 | Jul 3, 2013 | The _dbus_printf_string_upper_bound function in dbus/dbus-sysdeps-unix.c in D-Bus (aka DBus) 1.4.x before 1.4.26, 1.6.x before 1.6.12, and 1.7.x before 1.7.4 allows local users to cause a denial of service (service crash) via a crafted message. |
| CVE-2012-3524 | — | | | < 1.10.12-2.1 | 1.10.12-2.1 | Sep 18, 2012 | libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a |
| CVE-2010-4352 | — | | | < 1.10.12-2.1 | 1.10.12-2.1 | Dec 30, 2010 | Stack consumption vulnerability in D-Bus (aka DBus) before 1.4.1 allows local users to cause a denial of service (daemon crash) via a message containing many nested variants. |
| CVE-2008-4311 | — | | | < 1.12.20-5.5 | 1.12.20-5.5 | Dec 10, 2008 | The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits the send_type attribute in certain rules, which allows local users to bypass intended access restrictions by (1) sending messages, related to send_requested_reply; and possibly (2) receiving messages, |
| CVE-2008-3834 | — | | | < 1.12.20-5.5 | 1.12.20-5.5 | Oct 7, 2008 | The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error. |
| CVE-2008-0595 | — | | | < 1.12.20-5.5 | 1.12.20-5.5 | Feb 29, 2008 | dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interfa |