PublicDateAtUSN: 2020-02-05 09:00:00 UTC
Candidate: CVE-2020-1712
CRD: 2020-02-05 09:00:00 UTC
PublicDate: 2020-03-31 17:15:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1712
 https://ubuntu.com/security/notices/USN-4269-1
Description:
 A heap use-after-free vulnerability was found in systemd before version
 v245-rc1, where asynchronous Polkit queries are performed while handling
 dbus messages. A local unprivileged attacker can abuse this flaw to crash
 systemd services or potentially execute code and elevate their privileges,
 by sending specially crafted dbus messages.
Ubuntu-Description: 
Notes: 
Mitigation: 
Bugs: 
Priority: medium
Discovered-by: Tavis Ormandy
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]


Patches_systemd:
 upstream: https://github.com/poettering/systemd/commits/polkit-ref-count
 upstream: https://github.com/systemd/systemd/commit/ea0d0ede03c6f18dbc5036c5e9cccf97e415ccc2
upstream_systemd: needs-triage
precise/esm_systemd: DNE
trusty_systemd: ignored (out of standard support)
trusty/esm_systemd: needs-triage
xenial_systemd: released (229-4ubuntu21.27)
esm-infra/xenial_systemd: released (229-4ubuntu21.27)
bionic_systemd: released (237-3ubuntu10.38)
eoan_systemd: released (242-7ubuntu3.6)
focal_systemd: released (244.1-0ubuntu3)
groovy_systemd: released (244.1-0ubuntu3)
hirsute_systemd: released (244.1-0ubuntu3)
impish_systemd: released (244.1-0ubuntu3)
jammy_systemd: released (244.1-0ubuntu3)
devel_systemd: released (244.1-0ubuntu3)