Buffer overflow in Freedesktop dbus
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2014-3635 |
| CWE-ID | CWE-119 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
dbus Universal components / Libraries / Libraries used by multiple products |
| Vendor | Freedesktop.org |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Buffer overflow
EUVDB-ID: #VU32482
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2014-3635
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local non-authenticated attacker to read and manipulate data.
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.
MitigationInstall update from vendor's website.
Vulnerable software versionsdbus: 1.6.0 - 1.6.22
CPE2.3- cpe:2.3:a:freedesktop_org:dbus:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop_org:dbus:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop_org:dbus:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop_org:dbus:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop_org:dbus:1.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop_org:dbus:1.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop_org:dbus:1.6.12:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop_org:dbus:1.6.14:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop_org:dbus:1.6.16:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop_org:dbus:1.6.18:*:*:*:*:*:*:*
https://advisories.mageia.org/MGASA-2014-0395.html
https://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html
https://secunia.com/advisories/61378
https://www.debian.org/security/2014/dsa-3026
https://www.mandriva.com/security/advisories?name=MDVSA-2015:176
https://www.openwall.com/lists/oss-security/2014/09/16/9
https://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
https://www.securitytracker.com/id/1030864
https://www.ubuntu.com/usn/USN-2352-1
https://bugs.freedesktop.org/show_bug.cgi?id=83622
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
