Your submission was sent successfully! Close

CVE-2020-12049

Published: 8 June 2020

An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.

Priority

Medium

CVSS 3 base score: 5.5

Status

Package Release Status
dbus
Launchpad, Ubuntu, Debian
bionic
Released (1.12.2-1ubuntu1.2)
eoan
Released (1.12.14-1ubuntu2.1)
focal
Released (1.12.16-2ubuntu2.1)
precise
Released (1.4.18-1ubuntu1.10)
trusty
Released (1.6.18-0ubuntu4.5+esm2)
upstream
Released (1.12.18,1.10.30)
xenial
Released (1.10.6-1ubuntu3.6)
Patches:
upstream: https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5
upstream: https://gitlab.freedesktop.org/dbus/dbus/-/commit/8bc1381819e5a845331650bfa28dacf6d2ac1748 (test)