Changes between Initial Version and Version 1 of Ticket #3993


Timestamp: 10/13/2016 01:58:09 AM (8 years ago)
Author: Samuel
Comment:

It has come to my attention through the BLFS ticket #8424 that there is a security flaw in the versions before.

  • Ticket #3993

    • Property Priority changed from normal to high
    • Property Type changed from task to enhancement
  • Ticket #3993 – Description

    Description, initial version compared with v1 (the first line is unchanged; everything after it is added in v1):

    New point version.

    {{{
    Security fixes:

    • Do not treat ActivationFailure message received from root-owned
      systemd name as a format string. In principle this is a security
      vulnerability, but we do not believe it is exploitable in practice,
      because only privileged processes can own the
      org.freedesktop.systemd1 bus name, and systemd does not appear to
      send activation failures that contain "%".

      Please note that this probably *was* exploitable in dbus versions
      older than 1.6.30, 1.8.16 and 1.9.10 due to a missing check which at
      the time was only thought to be a denial of service vulnerability
      (CVE-2015-0245). If you are still running one of those versions,
      patch or upgrade immediately.

      (fd.o #98157, Simon McVittie)
    }}}
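
The bug class named in the release note, text received from a peer being used as a printf-style format string, is shown below as an added example; it is not dbus code and not part of the ticket. `set_error`, `relay_failure_unsafe`, `relay_failure_safe`, `relayed_verbatim` and the `org.example` error name are hypothetical names, and the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style error setter, standing in for any API whose
 * third argument is a format string. Not dbus code. */
struct error { char name[64]; char text[128]; };

static void set_error(struct error *e, const char *name, const char *fmt, ...)
{
    va_list ap;
    snprintf(e->name, sizeof e->name, "%s", name);
    va_start(ap, fmt);
    vsnprintf(e->text, sizeof e->text, fmt, ap);
    va_end(ap);
}

/* BEFORE: text received from a peer is used as the format string.
 * Any '%' in it is interpreted as a conversion specification. */
static void relay_failure_unsafe(struct error *e, const char *name, const char *peer_text)
{
    set_error(e, name, peer_text);
}

/* AFTER: the format is a constant and the peer's text is only data. */
static void relay_failure_safe(struct error *e, const char *name, const char *peer_text)
{
    set_error(e, name, "%s", peer_text);
}

/* Returns 1 if the stored text is byte-for-byte what the peer sent. */
static int relayed_verbatim(const struct error *e, const char *peer_text)
{
    return strcmp(e->text, peer_text) == 0;
}

int main(void)
{
    /* Constructed sample: "%%" is a conversion that consumes no argument,
     * so the unsafe path stays well-defined while still showing that the
     * text is being parsed rather than copied. */
    const char *peer_text = "unit failed at 100%% load";
    struct error a, b;
    relay_failure_unsafe(&a, "org.example.Error.Failed", peer_text);
    relay_failure_safe(&b, "org.example.Error.Failed", peer_text);
    printf("unsafe: %s (verbatim=%d)\n", a.text, relayed_verbatim(&a, peer_text));
    printf("safe:   %s (verbatim=%d)\n", b.text, relayed_verbatim(&b, peer_text));
    return 0;
}
```

Building with `-Wformat -Wformat-security` flags calls of this shape when the setter is declared with the `format(printf, ...)` attribute.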