CVE-2020-12049

Priority
Description
An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in
libdbus, as used in dbus-daemon, leaks file descriptors when a message
exceeds the per-message file descriptor limit. A local attacker with access
to the D-Bus system bus or another system service's private AF_UNIX socket
could use this to make the system service reach its file descriptor limit,
denying service to subsequent D-Bus clients.
Assigned-to
mdeslaur
Notes
Package
Source: dbus (LP Ubuntu Debian)
Upstream:released (1.12.18,1.10.30)
Ubuntu 12.04 ESM (Precise Pangolin):released (1.4.18-1ubuntu1.10)
Ubuntu 14.04 ESM (Trusty Tahr):released (1.6.18-0ubuntu4.5+esm2)
Ubuntu 16.04 LTS (Xenial Xerus):released (1.10.6-1ubuntu3.6)
Ubuntu 18.04 LTS (Bionic Beaver):released (1.12.2-1ubuntu1.2)
Ubuntu 19.10 (Eoan Ermine):released (1.12.14-1ubuntu2.1)
Ubuntu 20.04 LTS (Focal Fossa):released (1.12.16-2ubuntu2.1)
Ubuntu 20.10 (Groovy Gorilla):released (1.12.18-1ubuntu1)
Patches:
Upstream:https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5
Upstream:https://gitlab.freedesktop.org/dbus/dbus/-/commit/8bc1381819e5a845331650bfa28dacf6d2ac1748 (test)
More Information

Updated: 2020-06-29 15:15:17 UTC (commit dc36b82adbb5fcee08d24a713d02a112848c7bd9)