Arch Linux: ASA-201502-10 Medium Severity: Dbus Denial Of Service

Arch Linux Security Advisory ASA-201502-10
=========================================
Severity: Medium
Date    : 2015-02-10
CVE-ID  : CVE-2015-0245
Package : dbus
Type    : denial of service
Remote  : No
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package dbus before version 1.8.16-1 is vulnerable to denial of service.

Resolution
=========
Upgrade to 1.8.16-1.

# pacman -Syu "dbus>=1.8.16-1"

The problem has been fixed upstream in version 1.8.16.

Workaround
=========
None.

Description
==========
Systemd sends back an ActivationFailure D-Bus signal if the activation
fails. However, when it receives these signals, dbus-daemon does not
verify that the signal actually came from systemd. A malicious local
user could send repeated ActivationFailure signals in the hope that it
would "win the race" with the genuine signal, causing D-Bus to send back
an error to the client that requested activation.

Impact
=====
A local attacker could send repeated ActivationFailure signals, causing
D-Bus to potentially send back an error to the client that requested
activation resulting in denial of service.

References
=========
https://lists.freedesktop.org/archives/dbus/2015-February/016553.html
https://www.cve.org/CVERecord?id=CVE-2015-0245