CVE-2020-12049
Published: 08 June 2020
An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.
Priority
CVSS 3 base score: 5.5
Status
Package | Release | Status |
---|---|---|
dbus Launchpad, Ubuntu, Debian |
Upstream |
Released
(1.12.18,1.10.30)
|
Ubuntu 20.10 (Groovy Gorilla) |
Released
(1.12.18-1ubuntu1)
|
|
Ubuntu 20.04 LTS (Focal Fossa) |
Released
(1.12.16-2ubuntu2.1)
|
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(1.12.2-1ubuntu1.2)
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Released
(1.10.6-1ubuntu3.6)
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(1.6.18-0ubuntu4.5+esm2)
|
|
Patches: Upstream: https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5 Upstream: https://gitlab.freedesktop.org/dbus/dbus/-/commit/8bc1381819e5a845331650bfa28dacf6d2ac1748 (test) |