Search for packages
Package details: pkg:alpm/archlinux/dbus@1.12.14-1
purl pkg:alpm/archlinux/dbus@1.12.14-1
Next non-vulnerable version 1.12.16-1
Latest non-vulnerable version 1.14.4-1
Risk 4.0
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-3jg4-8sst-aaak
Aliases:
CVE-2019-12749
dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.
1.12.16-1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-03-28T07:45:57.087057+00:00 Arch Linux Importer Affected by VCID-3jg4-8sst-aaak https://security.archlinux.org/AVG-974 36.0.0
2024-12-17T23:21:19.503521+00:00 Arch Linux Importer Affected by VCID-3jg4-8sst-aaak https://security.archlinux.org/AVG-974 35.0.0
2024-09-18T02:00:59.940119+00:00 Arch Linux Importer Affected by VCID-3jg4-8sst-aaak https://security.archlinux.org/AVG-974 34.0.1
2024-01-03T22:27:16.297013+00:00 Arch Linux Importer Affected by VCID-3jg4-8sst-aaak https://security.archlinux.org/AVG-974 34.0.0rc1