CVE-2020-12049: user/dbus: denial of service via file descriptor leak
|Reporter|Max Rees (sroracle)|
|Assignee|Max Rees (sroracle)|
|Reported|2020-06-04 13:16:10 -0500|
|Modified|2020-06-15 16:38:59 -0500|
|Hardware|Adélie Linux / All|
|Importance|--- / normal|

Kevin Backhouse of the GitHub Security Lab discovered a denial of
service vulnerability in dbus >= 1.3.0. An unprivileged local
attacker can cause the system dbus-daemon (dbus-daemon --system) to
leak file descriptors (fds) by sending messages with a number of fds
that exceeds the allowed number, resulting in truncation. The
attacker's connection is (correctly) disconnected, but the fds that
were attached to the truncated message are (incorrectly) not closed.
By repeating this process, the attacker can make the dbus-daemon reach
its RLIMIT_NOFILE limit. When this limit is reached, new connections
will fail, and existing connections will be unable to send messages
with fds attached, causing denial of service.
The same attack is also possible in the uncommon situation where
processes of different privilege levels communicate directly using a
private D-Bus socket (DBusServer) without going via a dbus-daemon.
Fixed in >= 1.12.18
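
The bug class described above, reduced to a receiver on a local socketpair, as an added example that is not dbus source code: when the fd list is truncated the kernel has still installed the fds that fit, so rejecting the message without closing them leaks them. `MAX_FDS`, `SENT_FDS` and the function names are assumptions made for this illustration.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define MAX_FDS 4   /* assumed per-message fd limit of the receiver */
#define SENT_FDS 6  /* constructed message carrying more fds than allowed */
static int open_fd_count(void) {   /* fds currently open in this process */
    int n = 0;
    for (int fd = 0; fd < 1024; fd++) n += fcntl(fd, F_GETFD) != -1;
    return n;
}
/* Receive one message. On MSG_CTRUNC the message is rejected, but the fds that fit
 * are already installed: close_on_trunc=1 closes them (fix), 0 forgets them. */
static int recv_checked(int sock, int close_on_trunc, int out[MAX_FDS]) {
    char byte;
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(MAX_FDS * sizeof(int))]; } ctl;
    struct iovec iov = { &byte, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctl.buf,
                        .msg_controllen = CMSG_LEN(MAX_FDS * sizeof(int)) };
    int n = 0;
    if (recvmsg(sock, &m, 0) < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&m); c; c = CMSG_NXTHDR(&m, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS) {
            n = (int)((c->cmsg_len - CMSG_LEN(0)) / sizeof(int));
            memcpy(out, CMSG_DATA(c), n * sizeof(int));
        }
    if (!(m.msg_flags & MSG_CTRUNC)) return n;       /* complete: caller owns fds */
    for (int i = 0; close_on_trunc && i < n; i++) close(out[i]);
    return -1;
}
/* Pass SENT_FDS fds over a local socketpair; return fds leaked in this process. */
int leaked_fds(int close_on_trunc) {
    int sv[2], fds[SENT_FDS], out[MAX_FDS], before = open_fd_count();
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof fds)]; } ctl = {0};
    struct iovec iov = { "x", 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctl.buf,
                        .msg_controllen = sizeof ctl.buf };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    for (int i = 0; i < SENT_FDS; i++) fds[i] = dup(sv[0]);
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof fds);
    memcpy(CMSG_DATA(c), fds, sizeof fds);
    sendmsg(sv[0], &m, 0);
    for (int i = 0; i < SENT_FDS; i++) close(fds[i]);  /* sender drops its copies */
    recv_checked(sv[1], close_on_trunc, out);
    close(sv[0]); close(sv[1]);
    return open_fd_count() - before;
}
int main(void) { return leaked_fds(1); }  /* exit status 0 when nothing leaked */
```

Calling `leaked_fds(0)` shows the unfixed behaviour: each rejected message leaves `MAX_FDS` descriptors open in the receiving process, counting toward its RLIMIT_NOFILE.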