Errata overview
Errata ID 148
Date 2019-06-19
Source package dbus
Fixed in version 1.10.28-0+deb9u1
This update addresses the following issue:
* dbus as used in DBusServer allows cookie spoofing because of symlink
  mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the
  libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication
  mechanism.) A malicious client with write access to its own home directory
  could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a
  different uid to read and write in unintended locations. In the worst case,
  this could result in the DBusServer reusing a cookie that is known to the
  malicious client, and treating that cookie as evidence that a subsequent
  client connection came from an attacker-chosen uid, allowing authentication
  bypass. (CVE-2019-12749)
Additional notes
CVE ID CVE-2019-12749
UCS Bug number #49659