CVE-2023-34969

NameCVE-2023-34969
DescriptionD-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3628-1
Debian Bugs1037151

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dbus (PTS)bullseye1.12.28-0+deb11u1fixed
bullseye (security)1.12.24-0+deb11u1vulnerable
bookworm1.14.10-1~deb12u1fixed
sid, trixie1.14.10-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dbussourceexperimental1.15.6-1
dbussourcebuster1.12.28-0+deb10u1DLA-3628-1
dbussourcebullseye1.12.28-0+deb11u1
dbussourcebookworm1.14.8-1~deb12u1
dbussource(unstable)1.14.8-11037151

Notes

https://gitlab.freedesktop.org/dbus/dbus/-/issues/457
Search for package or bug name: Reporting problems