FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

dbus -- incomplete fix for CVE-2014-3636 part A

Affected packages
dbus < 1.8.10

Details

VuXML ID c1930f45-6982-11e4-80e1-bcaec565249c
Discovery 2014-11-10
Entry 2014-11-11

Simon McVittie reports:

The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on incorrect reasoning, and does not fully prevent the attack described as "CVE-2014-3636 part A", which is repeated below. Preventing that attack requires raising the system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a higher value. CVE-2014-7824 has been allocated for this vulnerability.

References

CVE Name CVE-2014-7824
URL http://lists.freedesktop.org/archives/dbus/2014-November/016395.html