dbus -- incomplete fix for CVE-2014-3636 part A

ID C1930F45-6982-11E4-80E1-BCAEC565249C
Type freebsd
Reporter FreeBSD
Modified 2014-11-10T00:00:00


Simon McVittie reports:

The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on incorrect reasoning, and does not fully prevent the attack described as "CVE-2014-3636 part A", which is repeated below. Preventing that attack requires raising the system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a higher value. CVE-2014-7824 has been allocated for this vulnerability.