CVE-2023-34969: 
NixOS vulnerability analysis and mitigation

CVE-2023-34969 affects D-Bus versions prior to 1.15.6, 1.14.8, and 1.12.28. The vulnerability was discovered in June 2023 and allows unprivileged users to crash dbus-daemon under specific circumstances. The issue affects D-Bus, a system for sending messages between applications used for both system-wide message bus service and per-user-login-session messaging (NVD, Ubuntu Security).

The vulnerability occurs when a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic. An unprivileged user with access to the same dbus-daemon can trigger a crash by sending a message that results in a reply from the bus driver that cannot be delivered, such as when forbidden by a rule or when the recipient has exceeded the configured message queue limit. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (GitLab Issue, NVD).

When successfully exploited, this vulnerability can cause a denial-of-service condition by crashing the dbus-daemon. This is particularly significant when done on the well-known system bus, as it can affect system-wide message bus services (GitLab Issue, NetApp Advisory).

The vulnerability has been fixed in D-Bus versions 1.12.28, 1.14.8, and 1.15.6. Users are advised to upgrade to these or later versions. Versions 1.8.x and older are not affected as they do not contain the vulnerable code path. For systems that cannot be immediately updated, the main mitigation is ensuring that no monitoring processes are active on the dbus-daemon (GitLab Issue, Debian LTS).