CVE-2020-12049

Published: 08 June 2020

An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.

Priority

Medium

CVSS 3 base score: 5.5

Status

Package Release Status
dbus
Launchpad, Ubuntu, Debian
Upstream
Released (1.12.18,1.10.30)
Ubuntu 20.10 (Groovy Gorilla)
Released (1.12.18-1ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa)
Released (1.12.16-2ubuntu2.1)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (1.12.2-1ubuntu1.2)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (1.10.6-1ubuntu3.6)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (1.6.18-0ubuntu4.5+esm2)
Patches:
Upstream: https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5
Upstream: https://gitlab.freedesktop.org/dbus/dbus/-/commit/8bc1381819e5a845331650bfa28dacf6d2ac1748 (test)