24 matches found
CVE-2019-12749
dbus vulnerability CVE-2019-12749 arises from symlink mishandling in the DBUS_COOKIE_SHA1 authentication path. A local attacker with write access to their home directory could abuse a ~/.dbus-keyrings symlink to coax a DBusServer of a different uid to read/write in unintended locations, enabling ...
CVE-2020-12049
The CVE-2020-12049 issue affects dbus (libdbus/ dbus-daemon) where the DBusServer leaks file descriptors when a message exceeds the per-message limit, enabling a local attacker with access to the D-Bus system bus to exhaust fds and cause DoS. Affected versions are dbus >= 1.3.0 and
CVE-2020-35512
CVE-2020-35512 is a use-after-free in D-Bus (multiple branches) that can crash or cause undefined behavior when usernames share a UID. IBM advisories reference this CVE across Cloud Pak for Business Automation, noting fixes via iFixes or upgrades (e.g., 24.0.1-IF004, 24.0.0-IF005, or 25.0.0-IF001...
CVE-2022-42010
The CVE-2022-42010 issue affects D-Bus and can crash dbus-daemon and other libdbus-using programs when handling certain invalid type signatures. Affected series include D-Bus releases prior to 1.12.24, 1.13.x and 1.14.x prior to 1.14.4, and 1.15.x prior to 1.15.2. The problem is triggered by auth...
CVE-2022-42012
CVE-2022-42012 affects D-Bus and libdbus prior to updates that fix the crash: an authenticated attacker can crash dbus-daemon and berkeley programs using libdbus by sending a message with attached file descriptors in an unexpected format. This issue impacts D-Bus versions before 1.14.4 and 1.15.x...
CVE-2022-42011
Summary: CVE-2022-42011 affects D-Bus before 1.12.24, 1.13.x, 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can crash dbus-daemon and other libdbus-using programs by processing a message where the array length is inconsistent with the element type. The issue is categor...
CVE-2023-34969
CVE-2023-34969 affects the dbus package. D-Bus before 1.15.6 may allow an unprivileged user to crash dbus-daemon when a privileged user uses org.freedesktop.DBus.Monitoring to observe traffic; on the system bus this yields a denial-of-service. Affected versions are before 1.15.6; fixed in 1.12.28...
CVE-2014-3636
CVE-2014-3636 affects D-Bus 1.3.0–1.6.x before 1.6.24 and 1.8.x before 1.8.8. Local attackers can cause a denial of service by (1) queuing the maximum number of file descriptors to prevent new connections and drop existing ones, or (2) triggering a disconnect via multiple messages that exceed the...
CVE-2014-7824
CVE-2014-7824 affects D-Bus: vulnerable versions are D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2. The issue allows local users to cause a denial of service by queuing the maximum number of file descriptors, due to an incomplete fix for CVE-2014-3636. Affec...
CVE-2015-0245
CVE-2015-0245 affects D-Bus where ActivationFailure signals could be forged by non-root processes due to improper validation of the signal source, enabling a local Denial of Service. The issue spans D-Bus 1.4.x–1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10. Reports in connecte...
CVE-2014-3477
CVE-2014-3477 affects the D-Bus dbus-daemon. Local attackers can trigger a DoS (initialization failure/exit) or potentially a side‑channel attack by sending a D-Bus message to an inactive service. Affected are D-Bus/dbus-daemon versions: 1.2.x–1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4. M...
CVE-2008-0595
CVE-2008-0595 affects dbus-daemon in D-Bus prior to 1.0.3 and in 1.1.x prior to 1.1.20, where send_interface attributes in security policy are recognized only for fully qualified method calls. This allows a local user to bypass intended access restrictions by making a method call with a NULL inte...
CVE-2014-3638
CVE-2014-3638 affects D-Bus: the bus_connections_check_reply function in config-parser.c allows a local user to cause a denial of service (CPU usage) by issuing a large number of method calls. Affected are D-Bus versions older than 1.6.24 and older than 1.8.8 in the 1.8.x line. Impact is limited ...
CVE-2014-3533
CVE-2014-3533 affects the D-Bus project (dbus) components where dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allow local users to cause a denial of service by sending a crafted sequence that leads the dbus-daemon to forward a message containing an invalid file descriptor. The impact is a local...
CVE-2014-3639
CVE-2014-3639 affects dbus-daemon in D-Bus prior to 1.6.24 and 1.8.x prior to 1.8.8. The vulnerability allows local attackers to cause a denial of service through incomplete connection handling (large number of incomplete connections). Public details in connected Nessus advisories confirm the iss...
CVE-2008-3834
Summary (CVE-2008-3834) In D-Bus libdbus prior to 1.2.4, the function dbus_signature_validate may trigger a failed assertion on a malformed signature, leading to a Denial of Service (application abort). Public advisories confirm the issue and reference a fix in version 1.2.4 or newer; multiple ve...
CVE-2014-3532
dbus CVE-2014-3532 affects dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 when run on Linux 2.6.37-rc4 or later. The flaw lets local attackers cause a denial of service by sending a message containing a file descriptor and then exceeding the maximum recursion depth before the initial message is ...
CVE-2014-3635
CVE-2014-3635 is an off-by-one vulnerability in D-Bus affecting 64-bit systems when max_message_unix_fds is odd, allowing local users to crash dbus-daemon or potentially execute code by sending one more file descriptor than the limit. It affects D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x b...
CVE-2011-2200
CVE-2011-2200 affects D-Bus releases prior to: 1.2.28 (1.2.x), 1.4.12 (1.4.x), and 1.5.4 (1.5.x). The vulnerability lies in the _dbus_header_byteswap function in dbus-marshal-header.c, which mishandles a non-native byte order, enabling local users to cause denial of service (connection loss), dis...
CVE-2013-2168
CVE-2013-2168 affects D-Bus (DBus) where the _dbus_printf_string_upper_bound function in dbus-sysdeps-unix.c can crash the service. A crafted message can cause a local denial of service (service crash). The advisory covers DBus 1.4.x < 1.4.26, 1.6.x < 1.6.12, and 1.7.x
CVE-2014-3637
CVE-2014-3637 affects D-Bus: versions 1.3.0–1.6.x before 1.6.24 and 1.8.x before 1.8.8 do not properly close connections for terminated processes, enabling local users to cause a denial of service via a D-Bus connection file descriptor. Publicly referenced documents (Nessus/OpenVAS plugins for va...
CVE-2009-1189
The vulnerability CVE-2009-1189 affects the D-Bus library (libdbus) in versions before 1.2.14, due to incorrect logic in _dbus_validate_signature_with_reason (dbus-marshal-validate.c). This flaw allows remote attackers to spoof a signature via a crafted key. The issue stems from an incomplete fix...
CVE-2008-4311
The CVE-2008-4311 issue affects D‑Bus (dbus) before 1.2.6 where the default system.conf rule set omits the send_type attribute. This can allow local users to bypass access controls by manipulating send_requested_reply (and potentially receive_requested_reply), enabling unauthorized message sendin...
CVE-2011-2533
CVE-2011-2533 concerns D-Bus (DBus) 1.2.x prior to 1.2.28. The vulnerability arises in the configure script, enabling local users to overwrite arbitrary files via a symlink attack on an unspecified file in /tmp/. The issue is a local privilege/overwrite risk, with the documented impact of arbitra...