MGASA-2014-0457

The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on incorrect reasoning, and does not fully prevent the attack described as "CVE-2014-3636 part A", which is repeated below. Preventing that attack requires raising the system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a higher value.

By queuing up the maximum allowed number of fds, a malicious sender could reach the system dbus-daemon's RLIMIT_NOFILE (ulimit -n, typically 1024 on Linux). This would act as a denial of service in two ways:

• new clients would be unable to connect to the dbus-daemon
• when receiving a subsequent message from a non-malicious client that contained a fd, dbus-daemon would receive the MSGCTRUNC flag, indicating that the list of fds was truncated; kernel fd-passing APIs do not provide any way to recover from that, so dbus-daemon responds to MSGCTRUNC by disconnecting the sender, causing denial of service to that sender.

This update resolves the issue (CVE-2014-7824).

Also default auth_timeout that was changed from 30s to 5s in MGASA-2014-0395, and raised to 20s in MGAA-2014-0182 is now changed back to 30s as there still are reports about failing dbus connections.