Date: Thu, 4 Jun 2020 11:56:37 +0100 From: Simon McVittie <smcv@...ian.org> To: oss-security@...ts.openwall.com Subject: CVE-2020-12049: dbus: denial of service via file descriptor leak References: CVE-2020-12049, GHSL-2020-057, dbus#294. dbus is the reference implementation of D-Bus, a user-space IPC mechanism originating from freedesktop.org and commonly used on Linux and other Unix systems. Kevin Backhouse of the GitHub Security Lab discovered a denial of service vulnerability in dbus >= 1.3.0. An unprivileged local attacker can cause the system dbus-daemon (dbus-daemon --system) to leak file descriptors (fds) by sending messages with a number of fds that exceeds the allowed number, resulting in truncation. The attacker's connection is (correctly) disconnected, but the fds that were attached to the truncated message are (incorrectly) not closed. By repeating this process, the attacker can make the dbus-daemon reach its RLIMIT_NOFILE limit. When this limit is reached, new connections will fail, and existing connections will be unable to send messages with fds attached, causing denial of service. The same attack is also possible in the uncommon situation where processes of different privilege levels communicate directly using a private D-Bus socket (DBusServer) without going via a dbus-daemon. In the development branch, this has been fixed in version 1.13.16. Older releases are vulnerable, except where noted below. In the stable branch 1.12.x, this has been fixed in version 1.12.18. This is the recommended version of dbus for production use and for long-term-stable operating systems. In the old stable branch 1.10.x, this has been fixed in version 1.10.30. This branch is maintained for the benefit of older long-term-stable operating systems such as Debian 9, and will reach end-of-life soon. Older stable branches such as 1.8.x have reached end-of-life and will not receive upstream releases to fix this. Upgrading is recommended. However, the patch used in supported versions is believed to be suitable for third-party backports to older releases. We have received a report that in at least OmniOS (a Solaris/OpenSolaris/illumos derivative), the solution that was committed causes a regression due to differences in the behaviour of SCM_RIGHTS between Linux and OmniOS. This is under investigation. On non-Linux operating systems such as BSD and Solaris, before deploying a fixed version, package maintainers should try running the 'test-fdpass' test case to confirm whether their OS kernel has the Linux-like or OmniOS-like behaviour. This test-case requires building dbus with the --enable-modular-tests configure option, with GLib development files available; GLib is only used for the automated tests, and is not a dependency of the parts of dbus used in production.  https://gitlab.freedesktop.org/dbus/dbus/-/issues/294  https://gitlab.freedesktop.org/dbus/dbus/-/commit/872b085f12f56da25a2dbd9bd0b2dff31d5aea63  https://lists.freedesktop.org/archives/dbus/2020-June/017873.html  https://gitlab.freedesktop.org/dbus/dbus/-/issues/304 -- Simon McVittie, Collabora Ltd. / Debian dbus security contact: https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/CONTRIBUTING.md#reporting-security-vulnerabilities
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.