Description: dbus format string vulnerability
Source: Automatically generated temporary name. Not for external reference.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  Release              Version            Status
dbus (PTS)      buster               1.12.20-0+deb10u1  fixed
                buster (security)    1.12.28-0+deb10u1  fixed
                bullseye (security)  1.12.24-0+deb11u1  fixed
                sid, trixie          1.14.10-4          fixed

The information below is based on the following data on fixed versions.

Package  Type  Release  Fixed Version  Urgency  Origin  Debian Bugs


[wheezy] - dbus <no-dsa> (Minor issue)
Versions affected: dbus >= 1.4.0
Fixed in: dbus >= 1.11.6, 1.10.x >= 1.10.12, 1.8.x >= 1.8.22
CVE Request: https://www.openwall.com/lists/oss-security/2016/10/10/9
In Debian, CVE-2015-0245 was already fixed, and this issue is
not believed to be exploitable in practice, because the relevant
message is ignored unless it comes from the owner of the bus name
org.freedesktop.systemd1. On the system bus, this bus name is only
allowed to be owned by uid 0; it is intended to be owned by systemd,
and no mechanism is currently known by which an attacker who does not
already have root privileges could induce systemd to send messages
that would trigger the format string vulnerability.
