dbus-1-1.10.12-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10517-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z dbus-1-1.10.12-2.1 on GA media These are all security issues fixed in the dbus-1-1.10.12-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10517 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2010-4352/ SUSE CVE CVE-2010-4352 page https://www.suse.com/security/cve/CVE-2012-3524/ SUSE CVE CVE-2012-3524 page https://www.suse.com/security/cve/CVE-2013-2168/ SUSE CVE CVE-2013-2168 page https://www.suse.com/security/cve/CVE-2014-3477/ SUSE CVE CVE-2014-3477 page https://www.suse.com/security/cve/CVE-2014-3532/ SUSE CVE CVE-2014-3532 page https://www.suse.com/security/cve/CVE-2014-3533/ SUSE CVE CVE-2014-3533 page https://www.suse.com/security/cve/CVE-2014-3635/ SUSE CVE CVE-2014-3635 page https://www.suse.com/security/cve/CVE-2014-3636/ SUSE CVE CVE-2014-3636 page https://www.suse.com/security/cve/CVE-2014-3637/ SUSE CVE CVE-2014-3637 page https://www.suse.com/security/cve/CVE-2014-3638/ SUSE CVE CVE-2014-3638 page https://www.suse.com/security/cve/CVE-2014-3639/ SUSE CVE CVE-2014-3639 page https://www.suse.com/security/cve/CVE-2014-7824/ SUSE CVE CVE-2014-7824 page https://www.suse.com/security/cve/CVE-2014-8148/ SUSE CVE CVE-2014-8148 page https://www.suse.com/security/cve/CVE-2015-0245/ SUSE CVE CVE-2015-0245 page openSUSE Tumbleweed dbus-1-1.10.12-2.1 dbus-1-devel-1.10.12-2.1 dbus-1-devel-32bit-1.10.12-2.1 dbus-1-devel-doc-1.10.12-2.1 dbus-1-x11-1.10.12-2.1 libdbus-1-3-1.10.12-2.1 libdbus-1-3-32bit-1.10.12-2.1 dbus-1-1.10.12-2.1 as a component of openSUSE Tumbleweed dbus-1-devel-1.10.12-2.1 as a component of openSUSE Tumbleweed dbus-1-devel-32bit-1.10.12-2.1 as a component of openSUSE Tumbleweed dbus-1-devel-doc-1.10.12-2.1 as a component of openSUSE Tumbleweed dbus-1-x11-1.10.12-2.1 as a component of openSUSE Tumbleweed libdbus-1-3-1.10.12-2.1 as a component of openSUSE Tumbleweed libdbus-1-3-32bit-1.10.12-2.1 as a component of openSUSE Tumbleweed Stack consumption vulnerability in D-Bus (aka DBus) before 1.4.1 allows local users to cause a denial of service (daemon crash) via a message containing many nested variants. CVE-2010-4352 openSUSE Tumbleweed:dbus-1-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-32bit-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-doc-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-x11-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-32bit-1.10.12-2.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-4352.html CVE-2010-4352 https://bugzilla.suse.com/659934 SUSE Bug 659934 libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus." CVE-2012-3524 openSUSE Tumbleweed:dbus-1-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-32bit-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-doc-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-x11-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-32bit-1.10.12-2.1 important 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-3524.html CVE-2012-3524 https://bugzilla.suse.com/697105 SUSE Bug 697105 https://bugzilla.suse.com/852781 SUSE Bug 852781 https://bugzilla.suse.com/912016 SUSE Bug 912016 The _dbus_printf_string_upper_bound function in dbus/dbus-sysdeps-unix.c in D-Bus (aka DBus) 1.4.x before 1.4.26, 1.6.x before 1.6.12, and 1.7.x before 1.7.4 allows local users to cause a denial of service (service crash) via a crafted message. CVE-2013-2168 openSUSE Tumbleweed:dbus-1-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-32bit-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-doc-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-x11-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-32bit-1.10.12-2.1 moderate 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-2168.html CVE-2013-2168 https://bugzilla.suse.com/824607 SUSE Bug 824607 The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service. CVE-2014-3477 openSUSE Tumbleweed:dbus-1-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-32bit-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-doc-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-x11-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-32bit-1.10.12-2.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3477.html CVE-2014-3477 https://bugzilla.suse.com/1010769 SUSE Bug 1010769 https://bugzilla.suse.com/881137 SUSE Bug 881137 dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded. CVE-2014-3532 openSUSE Tumbleweed:dbus-1-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-32bit-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-doc-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-x11-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-32bit-1.10.12-2.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3532.html CVE-2014-3532 https://bugzilla.suse.com/885241 SUSE Bug 885241 dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor. CVE-2014-3533 openSUSE Tumbleweed:dbus-1-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-32bit-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-doc-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-x11-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-32bit-1.10.12-2.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3533.html CVE-2014-3533 https://bugzilla.suse.com/885241 SUSE Bug 885241 Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure. CVE-2014-3635 openSUSE Tumbleweed:dbus-1-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-32bit-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-doc-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-x11-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-32bit-1.10.12-2.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3635.html CVE-2014-3635 https://bugzilla.suse.com/896453 SUSE Bug 896453 D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call. CVE-2014-3636 openSUSE Tumbleweed:dbus-1-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-32bit-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-doc-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-x11-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-32bit-1.10.12-2.1 moderate 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3636.html CVE-2014-3636 https://bugzilla.suse.com/896453 SUSE Bug 896453 https://bugzilla.suse.com/904017 SUSE Bug 904017 D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor. CVE-2014-3637 openSUSE Tumbleweed:dbus-1-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-32bit-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-doc-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-x11-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-32bit-1.10.12-2.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3637.html CVE-2014-3637 https://bugzilla.suse.com/896453 SUSE Bug 896453 The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls. CVE-2014-3638 openSUSE Tumbleweed:dbus-1-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-32bit-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-doc-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-x11-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-32bit-1.10.12-2.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3638.html CVE-2014-3638 https://bugzilla.suse.com/896453 SUSE Bug 896453 https://bugzilla.suse.com/903055 SUSE Bug 903055 https://bugzilla.suse.com/903057 SUSE Bug 903057 The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections. CVE-2014-3639 openSUSE Tumbleweed:dbus-1-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-32bit-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-doc-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-x11-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-32bit-1.10.12-2.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3639.html CVE-2014-3639 https://bugzilla.suse.com/896453 SUSE Bug 896453 https://bugzilla.suse.com/903055 SUSE Bug 903055 https://bugzilla.suse.com/903057 SUSE Bug 903057 D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1. CVE-2014-7824 openSUSE Tumbleweed:dbus-1-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-32bit-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-doc-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-x11-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-32bit-1.10.12-2.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-7824.html CVE-2014-7824 https://bugzilla.suse.com/904017 SUSE Bug 904017 The default D-Bus access control rule in Midgard2 10.05.7.1 allows local users to send arbitrary method calls or signals to any process on the system bus and possibly execute arbitrary code with root privileges. CVE-2014-8148 openSUSE Tumbleweed:dbus-1-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-32bit-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-doc-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-x11-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-32bit-1.10.12-2.1 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-8148.html CVE-2014-8148 https://bugzilla.suse.com/912023 SUSE Bug 912023 D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds. CVE-2015-0245 openSUSE Tumbleweed:dbus-1-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-32bit-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-devel-doc-1.10.12-2.1 openSUSE Tumbleweed:dbus-1-x11-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-1.10.12-2.1 openSUSE Tumbleweed:libdbus-1-3-32bit-1.10.12-2.1 low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-0245.html CVE-2015-0245 https://bugzilla.suse.com/1003898 SUSE Bug 1003898 https://bugzilla.suse.com/916343 SUSE Bug 916343