CVE-2008-0595

Description

dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface.

How to fix CVE-2008-0595

To remediate CVE-2008-0595, upgrade the affected package to a fixed version below.

• Debian/dbus—upgrade to 1.1.20-1 or later
• Debian/dbus—upgrade to 1.0.2-1+etch1 or later

Is CVE-2008-0595 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 1.1.20-1
• from 0, < 1.0.2-1+etch1

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2008-0595