CVE-2020-12049

Published: 08 June 2020

An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.

Priority

Medium

CVSS 3 base score: 5.5

Status

Package Release Status
dbus
Launchpad, Ubuntu, Debian 		Upstream
Released (1.12.18,1.10.30)
Ubuntu 20.04 LTS (Focal Fossa)
Released (1.12.16-2ubuntu2.1)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (1.12.2-1ubuntu1.2)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (1.10.6-1ubuntu3.6)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (1.6.18-0ubuntu4.5+esm2)
Patches:
Upstream: https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5
Upstream: https://gitlab.freedesktop.org/dbus/dbus/-/commit/8bc1381819e5a845331650bfa28dacf6d2ac1748 (test)

References

Bugs

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading