TEMP-0000000-4DA0A8

Name: TEMP-0000000-4DA0A8
Description: dbus format string vulnerability
Source: Automatically generated temporary name. Not for external reference.

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| dbus (PTS) | wheezy, wheezy (security) | 1.6.8-1+deb7u6 | vulnerable |
| | jessie | 1.8.22-0+deb8u1 | fixed |
| | stretch | 1.10.24-0+deb9u1 | fixed |
| | buster, sid | 1.12.2-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| dbus | source | (unstable) | 1.10.12-1 | | | |
| dbus | source | jessie | 1.8.22-0+deb8u1 | | | |

Notes

[wheezy] - dbus <no-dsa> (Minor issue)
https://bugs.freedesktop.org/show_bug.cgi?id=98157
Versions affected: dbus >= 1.4.0
Fixed in: dbus >= 1.11.6, 1.10.x >= 1.10.12, 1.8.x >= 1.8.22
CVE Request: http://www.openwall.com/lists/oss-security/2016/10/10/9
In Debian CVE-2015-0245 was already fixed, and this issue is
not believed to be exploitable in practice, because the relevant
message is ignored unless it comes from the owner of the bus name
org.freedesktop.systemd1. On the system bus, this bus name is only
allowed to be owned by uid 0; it is intended to be owned by systemd,
and no mechanism is currently known by which an attacker who does not
already have root privileges could induce systemd to send messages
that would trigger the format string vulnerability.
