CVE-2019-15718

NameCVE-2019-15718
DescriptionIn systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs939353

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
systemd (PTS)jessie, jessie (lts)215-17+deb8u15fixed
stretch (security)232-25+deb9u14fixed
stretch (lts), stretch232-25+deb9u17fixed
buster, buster (lts)241-7~deb10u11fixed
buster (security)241-7~deb10u10fixed
bullseye247.3-7+deb11u5fixed
bullseye (security)247.3-7+deb11u6fixed
bookworm252.31-1~deb12u1fixed
trixie257-2fixed
sid257.1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
systemdsourcewheezy(not affected)
systemdsourcejessie(not affected)
systemdsourcestretch(not affected)
systemdsourcebuster241-7~deb10u2
systemdsource(unstable)242-7939353

Notes

[stretch] - systemd <not-affected> (Vulnerable code introduced later)
[jessie] - systemd <not-affected> (Vulnerable code introduced later)
https://www.openwall.com/lists/oss-security/2019/09/03/1
https://github.com/systemd/systemd/pull/13457
https://github.com/systemd/systemd/commit/35e528018f315798d3bffcb592b32a0d8f5162bd
[wheezy] - systemd <not-affected> (Vulnerable code introduced later)

Search for package or bug name: Reporting problems