Simon McVittie discovered a local denial of service flaw in dbus, an asynchronous inter-process communication system. On systems with systemd-style service activation, dbus-daemon does not prevent forged ActivationFailure messages from non-root processes. A malicious local user could use this flaw to trick dbus-daemon into thinking that systemd failed to activate a system service, resulting in an error reply back to the requester.

For the stable distribution (wheezy), this problem has been fixed in version 1.6.8-1+deb7u6. For the unstable distribution (sid), this problem has been fixed in version 1.8.16-1. We recommend that you upgrade your dbus packages.

D-Bus is a message bus, used for sending messages between applications. Conceptually, it fits somewhere in between raw sockets and CORBA in terms of complexity.

dbus on Debian Linux

This check tests the installed software version using the apt package manager.

• http://www.debian.org/security/2015/dsa-3161.html

---

Updated on 2015-03-25