TEMP-0000000-4DA0A8

NameTEMP-0000000-4DA0A8
Descriptiondbus format string vulnerability
SourceAutomatically generated temporary name. Not for external reference.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dbus (PTS)stretch1.10.32-0+deb9u1fixed
stretch (security)1.10.28-0+deb9u1fixed
buster1.12.20-0+deb10u1fixed
bullseye, sid1.12.20-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dbussourcejessie1.8.22-0+deb8u1
dbussource(unstable)1.10.12-1

Notes

[wheezy] - dbus <no-dsa> (Minor issue)
https://bugs.freedesktop.org/show_bug.cgi?id=98157
Versions affected: dbus >= 1.4.0
Fixed in: dbus >= 1.11.6, 1.10.x >= 1.10.12, 1.8.x >= 1.8.22
CVE Request: https://www.openwall.com/lists/oss-security/2016/10/10/9
In Debian CVE-2015-0245 was already fixed, and this issue is
not believed to be exploitable in practice, because the relevant
message is ignored unless it comes from the owner of the bus name
org.freedesktop.systemd1. On the system bus, this bus name is only
allowed to be owned by uid 0; it is intended to be owned by systemd,
and no mechanism is currently known by which an attacker who does not
already have root privileges could induce systemd to send messages
that would trigger the format string vulnerability.

Search for package or bug name: Reporting problems