CVE-2014-3637

Published: 22/09/2014 | Updated: 27/12/2023
CVSS v2 Base Score: 2.1 | Impact Score: 2.9 | Exploitability Score: 3.9
VMScore: 187
Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

D-Bus 1.3.0 up to and including 1.6.x prior to 1.6.24 and 1.8.x prior to 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-Bus message containing a D-Bus connection file descriptor.

Vulnerable Product

freedesktop dbus 1.6.4

freedesktop dbus 1.4.18

freedesktop dbus 1.6.0

freedesktop dbus 1.4.22

freedesktop dbus 1.5.6

freedesktop dbus 1.8.0

freedesktop dbus 1.5.8

freedesktop dbus 1.5.4

freedesktop dbus 1.5.10

freedesktop dbus 1.4.24

freedesktop dbus 1.4.12

freedesktop dbus 1.6.20

freedesktop dbus 1.6.10

freedesktop dbus 1.5.0

freedesktop dbus 1.6.12

freedesktop dbus 1.6.16

freedesktop dbus 1.4.6

freedesktop dbus 1.6.8

freedesktop dbus 1.4.16

freedesktop dbus 1.5.2

freedesktop dbus 1.3.0

freedesktop dbus 1.4.8

freedesktop dbus 1.3.1

freedesktop dbus 1.6.14

freedesktop dbus 1.4.14

freedesktop dbus 1.4.1

freedesktop dbus 1.6.6

freedesktop dbus 1.6.22

freedesktop dbus 1.8.6

freedesktop dbus 1.6.18

freedesktop dbus 1.4.0

freedesktop dbus 1.8.4

freedesktop dbus 1.4.20

freedesktop dbus 1.4.26

freedesktop dbus 1.8.2

freedesktop dbus 1.4.10

freedesktop dbus 1.4.4

freedesktop dbus 1.5.12

freedesktop dbus 1.6.2

opensuse opensuse 12.3

Vendor Advisories

Several security issues were fixed in DBus ...
Alban Crequy and Simon McVittie discovered several vulnerabilities in the D-Bus message daemon. CVE-2014-3635: On 64-bit platforms, file descriptor passing could be abused by local users to cause heap corruption in dbus-daemon, leading to a crash, or potentially to arbitrary code execution. CVE-2014-3636: A denial-of-service vulnerab ...
D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-Bus message containing a D-Bus connection file descriptor ...

Mailing Lists

I figured it'd be useful to summarize the themes I think I'm hearing: - Greater automation around requesting CVEs so that when there really are a lot of vulnerabilities they can be requested easily and have most of the details filled in by automatic systems like syzbot of ClusterFuzz - Better automation around assessing exploitability -- I confes ...
On Mon, 24 Jun 2019 at 13:00:28 -0400, David A Wheeler wrote: I think you might have also been implying this, but just to say it explicitly: if a particular version of software has lots of fixed bugs, but they are not exploitable vulnerabilities in practice, then it would be counterproductive to try to fast-track upgrades (trick people into usin ...