Vulnerability Description
An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Freedesktop | Dbus | >= 1.3.0, < 1.12.18 |
| Canonical | Ubuntu Linux | 12.04 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/172840/D-Bus-File-Descriptor-Leak-Denial-Of
- http://www.openwall.com/lists/oss-security/2020/06/04/3Mailing ListPatchThird Party Advisory
- https://gitlab.freedesktop.org/dbus/dbus/-/issues/294ExploitThird Party Advisory
- https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.10.30Third Party Advisory
- https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.12.18Third Party Advisory
- https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.13.16Third Party Advisory
- https://security.gentoo.org/glsa/202007-46Third Party Advisory
- https://securitylab.github.com/advisories/GHSL-2020-057-DBus-DoS-file-descriptorExploitThird Party Advisory
- https://usn.ubuntu.com/4398-1/Third Party Advisory
- https://usn.ubuntu.com/4398-2/Third Party Advisory
- http://packetstormsecurity.com/files/172840/D-Bus-File-Descriptor-Leak-Denial-Of
- http://www.openwall.com/lists/oss-security/2020/06/04/3Mailing ListPatchThird Party Advisory
- https://gitlab.freedesktop.org/dbus/dbus/-/issues/294ExploitThird Party Advisory
- https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.10.30Third Party Advisory
- https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.12.18Third Party Advisory
FAQ
What is CVE-2020-12049?
CVE-2020-12049 is a vulnerability with a CVSS score of 5.5 (MEDIUM). An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local...
How severe is CVE-2020-12049?
CVE-2020-12049 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-12049?
Check the references section above for vendor advisories and patch information. Affected products include: Freedesktop Dbus, Canonical Ubuntu Linux.