D-Bus: Multiple vulnerabilities — GLSA 201706-05

Multiple vulnerabilities in D-Bus might allow an attacker to overwrite files with a fixed filename in arbitrary directories or conduct a symlink attack.

Affected Packages

sys-apps/dbus on all architectures
Affected versions < 1.10.18
Unaffected versions >= 1.10.18

Background

D-Bus is a message bus system which processes can use to talk to each other.

Description

Multiple vulnerabilities have been discovered in D-Bus. Please review the original report referenced below for details.

Impact

An attacker could possibly overwrite arbitrary files named “once” with content not controlled by the attacker.

A local attacker could perform a symlink attack against D-Bus’ test suite.

Workaround

There is no known workaround at this time.

Resolution

All D-Bus users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-apps/dbus-1.10.18"
 

References

Release Date
June 06, 2017

Latest Revision
June 06, 2017: 1

Severity
normal

Exploitable
local, remote

Bugzilla entries