PT-2022-5133 · D-Bus+10
Evgeny Vereshchagin · Published 2022-10-05 · Updated 2026-01-11
CVE-2022-42010
CVSS v2.0: 6.8 (Medium)
| Vector | AV:N/AC:L/Au:S/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
D-Bus versions 1.12.24 and earlier, 1.13.x and earlier, 1.14.x before 1.14.4, and 1.15.x before 1.15.2
Description
The vulnerability lies in how D-Bus (libdbus) handles type signatures. A message carrying a syntactically invalid type signature with incorrectly nested brackets and braces causes the receiving process to crash with an assertion failure. An authenticated attacker who can send messages on the bus can use this to crash dbus-daemon and other programs that use libdbus, resulting in a denial of service.
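A validator for the signature grammar at the heart of this bug, added here as an example and not taken from the D-Bus project's own code: it walks a D-Bus type signature recursively and rejects unbalanced or misplaced brackets and braces up front, so that later code never has to assert on a malformed signature. The sample signatures are constructed, and the nesting limit is a simplification (one combined limit instead of the spec's separate array and struct limits).

```c
#include <stdbool.h>
#include <string.h>

/* Nesting limit. Simplification: one combined limit, while the D-Bus spec
   allows 32 levels of arrays and 32 of structs/dict entries separately. */
#define MAX_DEPTH 32

/* Basic (non-container) D-Bus type codes. */
static bool is_basic(char c) { return c != '\0' && strchr("ybnqiuxtdsogh", c) != NULL; }

/* Parse one complete type at *p and advance *p past it; false if malformed.
   in_array is true when this type is the element type directly under 'a'. */
static bool parse_type(const char **p, int depth, bool in_array) {
    char c = **p;
    if (depth > MAX_DEPTH) return false;
    if (is_basic(c) || c == 'v') { (*p)++; return true; }
    if (c == 'a') {                                /* array: needs one complete type */
        (*p)++;
        return parse_type(p, depth + 1, true);
    }
    if (c == '(') {                                /* struct: one or more types, then ')' */
        (*p)++;
        if (**p == ')') return false;              /* empty struct */
        while (**p != ')') {
            if (**p == '\0') return false;         /* unterminated struct */
            if (!parse_type(p, depth + 1, false)) return false;
        }
        (*p)++;
        return true;
    }
    if (c == '{') {                                /* dict entry: basic key, one value, '}' */
        if (!in_array) return false;               /* only allowed as an array element */
        (*p)++;
        if (!is_basic(**p)) return false;
        (*p)++;
        if (!parse_type(p, depth + 1, false)) return false;
        if (**p != '}') return false;
        (*p)++;
        return true;
    }
    return false;   /* stray ')' or '}', or an unknown type code */
}

/* True only for a well-formed signature: a sequence of complete types. */
bool dbus_signature_is_valid(const char *sig) {
    const char *p = sig;
    if (sig == NULL || strlen(sig) > 255) return false;
    while (*p != '\0')
        if (!parse_type(&p, 0, false)) return false;
    return true;
}
```

Constructed inputs such as "a{" or "(}" (a dict entry or struct whose braces and brackets do not pair up) are rejected by the validator instead of reaching code that assumes a well-formed signature.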
Recommendations
For D-Bus versions 1.12.24 and earlier, update to version 1.12.24 or later.
For D-Bus versions 1.13.x, update to version 1.14.4 or later.
For D-Bus versions 1.14.x before 1.14.4, update to version 1.14.4 or later.
For D-Bus versions 1.15.x before 1.15.2, update to version 1.15.2 or later.
As a temporary workaround, restrict which users and services are allowed to connect to dbus-daemon, so that fewer parties can send it messages and the risk of exploitation is reduced.
Improper Verification of Cryptographic Signature
Assertion Failure
Related Identifiers
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
D-Bus
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu