CVE-2020-12049
Published: 8 June 2020
An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.
Priority
Medium
CVSS 3 base score: 5.5
Status
| Package | Release | Status |
|---|---|---|
|
dbus Launchpad, Ubuntu, Debian |
bionic |
Released
(1.12.2-1ubuntu1.2)
|
| eoan |
Released
(1.12.14-1ubuntu2.1)
|
|
| focal |
Released
(1.12.16-2ubuntu2.1)
|
|
| precise |
Released
(1.4.18-1ubuntu1.10)
|
|
| trusty |
Released
(1.6.18-0ubuntu4.5+esm2)
|
|
| upstream |
Released
(1.12.18,1.10.30)
|
|
| xenial |
Released
(1.10.6-1ubuntu3.6)
|
|
|
Patches: upstream: https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5 upstream: https://gitlab.freedesktop.org/dbus/dbus/-/commit/8bc1381819e5a845331650bfa28dacf6d2ac1748 (test) |
||