Arch Linux 2014-11-28 Medium Severity Dbus Denial Of Service

Arch Linux Security Advisory ASA-201411-28
=========================================
Severity: Medium
Date    : 2014-11-23
CVE-ID  : CVE-2014-7824
Package : dbus
Type    : denial of service
Remote  : No
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
======
The package dbus before version 1.8.10-1 is vulnerable to denial of
service via file descriptor exhaustion.

Resolution
=========
Upgrade to 1.8.10-1.

# pacman -Syu "dbus>=1.8.10-1"

The problem has been fixed upstream in version 1.8.10.

Workaround
=========
None.

Description
==========
The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on
incorrect reasoning and does not fully prevent the attack described in
the impact section below. Preventing that attack requires raising the
system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a higher value.

Impact
=====
A local attacker is able to queue up the maximum allowed number of file
descriptors to reach the system dbus-daemon's RLIMIT_NOFILE resulting in
a denial of service in two ways:

- new clients would be unable to connect to the dbus-daemon
- when receiving a subsequent message from a non-malicious client that
  contained a fd, dbus-daemon would receive the MSG_CTRUNC flag,
  indicating that the list of fds was truncated; kernel fd-passing APIs
  do not provide any way to recover from that, so dbus-daemon responds
  to MSG_CTRUNC by disconnecting the sender, causing denial of service
  to that sender

References
=========
https://www.cve.org/CVERecord?id=CVE-2014-7824
https://www.openwall.com/lists/oss-security/2014/11/10/2