SB2014122310 - Fedora EPEL 7 update for mingw-dbus
Published: December 23, 2014 Updated: April 24, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2014-3533)
The vulnerability allows a local non-authenticated attacker to perform service disruption.
dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.
2) Input validation error (CVE-ID: CVE-2014-3532)
The vulnerability allows a local non-authenticated attacker to perform service disruption.
dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.
3) Input validation error (CVE-ID: CVE-2014-3477)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.
4) Resource management error (CVE-ID: CVE-2014-3638)
The vulnerability allows a local non-authenticated attacker to perform service disruption.
The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.
5) Input validation error (CVE-ID: CVE-2014-3639)
The vulnerability allows local users to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections.
6) Resource management error (CVE-ID: CVE-2014-3636)
The vulnerability allows a local non-authenticated attacker to perform service disruption.
D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call.
7) Input validation error (CVE-ID: CVE-2014-3637)
The vulnerability allows local users to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.
8) Buffer overflow (CVE-ID: CVE-2014-3635)
The vulnerability allows a local non-authenticated attacker to read and manipulate data.
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.
9) Resource management error (CVE-ID: CVE-2014-7824)
The vulnerability allows a local non-authenticated attacker to perform service disruption.
D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1.
Remediation
Install update from vendor's website.