Platform
linux
Component
lastore-daemon
Fixed in
0.9.54
0.9.67
CVE-2016-15045 is a privilege escalation vulnerability in lastore-daemon, the package manager daemon used in Deepin Linux. The flaw allows users in the sudo group to bypass authentication when invoking the InstallPackage method via D-Bus. Consequently, an attacker with shell access can leverage this to execute arbitrary code, potentially gaining root privileges. This vulnerability affects Deepin Linux versions 0.9.53-1 through 0.9.66-1.
The primary impact of CVE-2016-15045 is the potential for a local attacker to escalate their privileges to root. An attacker could craft a malicious .deb package containing a post-install script designed to execute commands with elevated permissions. By exploiting the D-Bus configuration flaw, they can install this package using dbus-send without requiring authentication. This effectively bypasses security controls and allows the attacker to execute arbitrary code as root, granting them complete control over the system. The blast radius is limited to systems running the vulnerable version of lastore-daemon, but successful exploitation can lead to full system compromise.
CVE-2016-15045 was publicly disclosed on 2025-07-23. There is no indication that it is listed on KEV or that an EPSS score has been assigned. Public proof-of-concept exploits are currently unknown. Given the relatively simple exploitation mechanism (D-Bus manipulation), it's possible that this vulnerability could be targeted in future attacks, especially if a readily available exploit is published.
Deepin Linux users running versions 0.9.53-1 through 0.9.66-1 are at risk. Specifically, systems where the first user created is a member of the sudo group are particularly vulnerable, as this user will have the necessary privileges to exploit the vulnerability. Shared hosting environments utilizing Deepin Linux and allowing user-installed packages are also at increased risk.
• linux / server:
journalctl -u lastore-daemon | grep -i "dbus-send"
• linux / server:
ps aux | grep lastore-daemon
• linux / server:
ls -l /usr/bin/dbus-send
• linux / server:
find / -name "lastore-daemon.conf" -print
EPSS
1.38% (80th percentile)
The primary mitigation for CVE-2016-15045 is to upgrade to a patched version of lastore-daemon. Unfortunately, a specific fixed version isn't provided in the CVE data. Until a patch is available, consider restricting access to the D-Bus interface for the InstallPackage method. Implement stricter sudo group membership policies, ensuring only trusted users are granted sudo privileges. Monitor D-Bus activity for suspicious InstallPackage calls. After upgrading, verify the fix by attempting to install a test .deb package with a post-install script as a non-root user in the sudo group and confirming that the script does not execute.
Upgrade lastore-daemon to a fixed version that removes the ability to execute arbitrary commands through unauthenticated installation of .deb packages. Verify the D-Bus configuration to ensure that authentication is required for sensitive methods such as InstallPackage. Review the permissions of users in the sudo group to limit their access to D-Bus methods.
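An added example, not part of the original page or of lastore-daemon's own code: a heuristic audit of a D-Bus system policy file for non-root allow rules that cover InstallPackage, in support of the D-Bus configuration check recommended above. The bus name org.example.PackageDaemon and the sample policy are constructed placeholders; the function flags candidate rules for review and does not evaluate full D-Bus rule precedence.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy. The bus name is a placeholder (assumption),
# not the real lastore-daemon service name.
SAMPLE_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.example.PackageDaemon"/>
    <allow send_destination="org.example.PackageDaemon"/>
  </policy>
  <policy group="sudo">
    <allow send_destination="org.example.PackageDaemon"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.example.PackageDaemon" send_member="InstallPackage"/>
    <allow send_destination="org.example.PackageDaemon" send_member="GetStatus"/>
  </policy>
</busconfig>"""

SCOPE_ATTRS = ("group", "user", "context", "at_console")


def risky_allows(policy_xml, member="InstallPackage"):
    """Return (scope, destination) for each non-root <allow> rule that
    permits sending `member` to a named service."""
    findings = []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if policy.get("user") == "root":
            continue  # root can already install packages
        scope = next((f"{a}={policy.get(a)}" for a in SCOPE_ATTRS
                      if policy.get(a)), "unscoped")
        for rule in policy.findall("allow"):
            dest = rule.get("send_destination")
            if dest is None:
                continue  # own= / receive_* rules do not grant method calls
            # An <allow> without send_member covers every method of the
            # destination, including `member`.
            if rule.get("send_member") in (None, member):
                findings.append((scope, dest))
    return findings


if __name__ == "__main__":
    for scope, dest in risky_allows(SAMPLE_POLICY):
        print(f"review: policy {scope} may call InstallPackage on {dest}")
```

Each finding is a rule to review by hand: a later deny in the same or a higher-precedence policy block can still override it.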
CVE-2016-15045 is a privilege escalation vulnerability in lastore-daemon, Deepin Linux's package manager daemon. It allows users in the sudo group to bypass authentication and potentially gain root access.
You are affected if you are running Deepin Linux with lastore-daemon versions 0.9.53-1 through 0.9.66-1 and have users in the sudo group.
Upgrade to a patched version of lastore-daemon. As no specific fixed version is provided, consider restricting D-Bus access and tightening sudo group membership until a patch is available.
There is currently no confirmed evidence of active exploitation, but the vulnerability's simplicity suggests it could be targeted in the future.
Refer to Deepin Linux's official security advisories and release notes for updates regarding this vulnerability.