Description: libdbus 1.5.x and earlier, when used in setuid or other privileged programs in and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: local)
Debian Bugs: 689070
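The maintainers' position above puts the fix on the privileged program: it must sanitize its environment before its first call into libdbus, since DBUS_SYSTEM_BUS_ADDRESS otherwise lets an unprivileged caller choose which socket the privileged process connects to. The following is an added example of such sanitization, written for this page; it is not code from the libdbus project, the Debian tracker, or any affected application. It allow-lists the environment, pins PATH, and is wired to run only when the process carries privileges its caller lacks. The allow-list (kSafeEnvVars), the pinned PATH value and all function names are illustrative assumptions; DBUS_SESSION_BUS_ADDRESS and DBUS_STARTER_ADDRESS are included alongside the variable named in the advisory because libdbus reads them for the session and starter buses.

```c
/* Added example: environment sanitization for a setuid/setgid program before
 * its first libdbus call. Not code from libdbus or the Debian tracker page. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

extern char **environ;

/* Bus-address variables libdbus consults. DBUS_SYSTEM_BUS_ADDRESS is the one
 * named in the advisory; the other two are its session/starter counterparts. */
static const char *const kDbusAddressVars[] = {
    "DBUS_SYSTEM_BUS_ADDRESS",
    "DBUS_SESSION_BUS_ADDRESS",
    "DBUS_STARTER_ADDRESS",
    NULL
};

/* Allow-list a privileged program may keep (assumption: an illustrative
 * minimal set, not one prescribed by libdbus or Debian). PATH is kept only
 * because harden_environment() overwrites it with a fixed value anyway. */
static const char *const kSafeEnvVars[] = { "PATH", "TERM", "LANG", "LC_ALL", NULL };

/* Fixed PATH installed after sanitization (assumption: illustrative value). */
static const char kSafePath[] = "/usr/bin:/bin";

/* Length of the NAME part of a "NAME=value" environ entry. */
static size_t env_name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* 1 if the environ entry's name is one of `names` (NULL-terminated list). */
int env_entry_in_list(const char *entry, const char *const *names) {
    size_t len = env_name_len(entry);
    for (; *names; names++)
        if (strlen(*names) == len && strncmp(entry, *names, len) == 0)
            return 1;
    return 0;
}

/* Number of bus-address variables currently present in the environment. */
int dbus_address_vars_present(void) {
    int n = 0;
    for (const char *const *v = kDbusAddressVars; *v; v++)
        if (getenv(*v) != NULL) n++;
    return n;
}

/* Remove every environment variable whose name is not in `allowed`. Names are
 * copied first because unsetenv() rewrites environ while it is being walked.
 * Returns the number of variables removed, or -1 on allocation failure. */
int restrict_environment(const char *const *allowed) {
    size_t total = 0;
    for (char **e = environ; e && *e; e++) total++;

    char **doomed = calloc(total + 1, sizeof *doomed);
    if (doomed == NULL) return -1;

    size_t k = 0;
    for (char **e = environ; e && *e; e++) {
        if (env_entry_in_list(*e, allowed)) continue;
        size_t len = env_name_len(*e);
        doomed[k] = malloc(len + 1);
        if (doomed[k] == NULL) {
            while (k > 0) free(doomed[--k]);
            free(doomed);
            return -1;
        }
        memcpy(doomed[k], *e, len);
        doomed[k][len] = '\0';
        k++;
    }
    for (size_t i = 0; i < k; i++) {
        unsetenv(doomed[i]);   /* empty or malformed names fail harmlessly */
        free(doomed[i]);
    }
    free(doomed);
    return (int)k;
}

/* Unconditional hardening: allow-list the environment and pin PATH. */
int harden_environment(void) {
    int removed = restrict_environment(kSafeEnvVars);
    if (removed < 0) return -1;
    if (setenv("PATH", kSafePath, 1) != 0) return -1;
    return removed;
}

/* 1 when the process holds privileges its invoker does not. On Linux,
 * getauxval(AT_SECURE) from <sys/auxv.h> is the stronger check (it also covers
 * file capabilities); the uid/gid comparison below is the portable form. */
int running_with_elevated_privileges(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Call before the first libdbus call. Returns the number of variables removed
 * (0 when not privileged) or -1 on failure, in which case the caller should
 * abort rather than proceed to connect to a bus. */
int sanitize_before_dbus(void) {
    if (!running_with_elevated_privileges()) return 0;
    return harden_environment();
}

int main(void) {
    int removed = sanitize_before_dbus();
    if (removed < 0) { perror("sanitize_before_dbus"); return 1; }
    printf("removed %d variable(s); bus-address variables left: %d\n",
           removed, dbus_address_vars_present());
    /* Only from this point would dbus_bus_get(DBUS_BUS_SYSTEM, ...) be safe. */
    return 0;
}
```

The snapshot-then-unsetenv loop matters: unsetenv() compacts environ in place, so removing entries while iterating skips the neighbour of every removed entry. Programs that prefer a clean slate can replace restrict_environment() with clearenv() on glibc and re-set the few variables they need; the allow-list form above is shown because it is portable and makes the retained set explicit in code review.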

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release       Version            Status
dbus (PTS)       jessie        1.8.22-0+deb8u1    fixed
dbus (PTS)       buster, sid   1.12.10-1          fixed
glib2.0 (PTS)    jessie        2.42.1-1           fixed
glib2.0 (PTS)    buster, sid   2.58.1-2           fixed

The information below is based on the following data on fixed versions.

Package   Type     Release   Fixed Version    Urgency   Origin   Debian Bugs
glib2.0   source   squeeze   (not affected)


[squeeze] - glib2.0 <not-affected> (Vulnerable code not present)
fixed in 2.34.0-1 from experimental

