CVE-2019-15718

NameCVE-2019-15718
DescriptionIn systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitylow
Debian Bugs939353

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
systemd (PTS)jessie215-17+deb8u7fixed
jessie (security)215-17+deb8u13fixed
stretch232-25+deb9u12fixed
stretch (security)232-25+deb9u11fixed
buster241-7~deb10u2fixed
bullseye243-5fixed
sid243-7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
systemdsource(unstable)242-7939353
systemdsourcebuster241-7~deb10u2
systemdsourcejessie(not affected)
systemdsourcestretch(not affected)

Notes

[stretch] - systemd <not-affected> (Vulnerable code introduced later)
[jessie] - systemd <not-affected> (Vulnerable code introduced later)
https://www.openwall.com/lists/oss-security/2019/09/03/1
https://github.com/systemd/systemd/pull/13457
https://github.com/systemd/systemd/commit/35e528018f315798d3bffcb592b32a0d8f5162bd

Search for package or bug name: Reporting problems