#4665 closed task (fixed)
dbus-1.12.18
| Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | high | Milestone: | 10.0 |
| Component: | Book | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New point release with security fixes
dbus is the reference implementation of D-Bus, a message bus for communication between applications and system services. This is a stable-branch release, including a local denial of service fix. Upgrading is recommended, unless you are following the older stable branch 1.10.x. <http://dbus.freedesktop.org/releases/dbus/dbus-1.12.18.tar.gz> <http://dbus.freedesktop.org/releases/dbus/dbus-1.12.18.tar.gz.asc> git tag: dbus-1.12.18 The “telepathic vines” release. Denial of service fixes: • CVE-2020-12049: If a message contains more file descriptors than can be sent, close those that did get through before reporting error. Previously, a local attacker could cause the system dbus-daemon (or another system service with its own DBusServer) to run out of file descriptors, by repeatedly connecting to the server and sending fds that would get leaked. Thanks to Kevin Backhouse of GitHub Security Lab. (dbus#294, GHSL-2020-057; Simon McVittie) Other fixes: • Fix a crash when the dbus-daemon is terminated while one or more monitors are active (dbus#291, dbus!140; Simon McVittie) • The dbus-send(1) man page now documents --bus and --peer instead of the old --address synonym for --peer, which has been deprecated since the introduction of --bus and --peer in 1.7.6 (fd.o #48816, dbus!115; Chris Morin) • Fix a wrong environment variable name in dbus-daemon(1) (dbus#275, dbus!122; Mubin, Philip Withnall) • Fix formatting of dbus_message_append_args example (dbus!126, Felipe Franciosi) • Avoid a test failure on Linux when built in a container as uid 0, but without the necessary privileges to increase resource limits (dbus!58, Debian #908092; Simon McVittie) • When building with CMake, cope with libX11 in a non-standard location (dbus!129, Tuomo Rinne)
"Upgrading is recommended"
Change History (4)
comment:1 by , 4 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 4 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
comment:3 by , 4 years ago
Some more information on the security flaw:
References: CVE-2020-12049, GHSL-2020-057, dbus#294. dbus is the reference implementation of D-Bus, a user-space IPC mechanism originating from freedesktop.org and commonly used on Linux and other Unix systems. Kevin Backhouse of the GitHub Security Lab discovered a denial of service vulnerability[0] in dbus >= 1.3.0. An unprivileged local attacker can cause the system dbus-daemon (dbus-daemon --system) to leak file descriptors (fds) by sending messages with a number of fds that exceeds the allowed number, resulting in truncation. The attacker's connection is (correctly) disconnected, but the fds that were attached to the truncated message are (incorrectly) not closed. By repeating this process, the attacker can make the dbus-daemon reach its RLIMIT_NOFILE limit. When this limit is reached, new connections will fail, and existing connections will be unable to send messages with fds attached, causing denial of service. The same attack is also possible in the uncommon situation where processes of different privilege levels communicate directly using a private D-Bus socket (DBusServer) without going via a dbus-daemon. In the development branch, this has been fixed[1] in version 1.13.16. Older releases are vulnerable, except where noted below. In the stable branch 1.12.x, this has been fixed in version 1.12.18. This is the recommended version of dbus for production use and for long-term-stable operating systems. In the old stable branch 1.10.x, this has been fixed in version 1.10.30. This branch is maintained for the benefit of older long-term-stable operating systems such as Debian 9, and will reach end-of-life soon[2]. Older stable branches such as 1.8.x have reached end-of-life and will not receive upstream releases to fix this. Upgrading is recommended. However, the patch used in supported versions[1] is believed to be suitable for third-party backports to older releases. We have received a report[3] that in at least OmniOS (a Solaris/OpenSolaris/illumos derivative), the solution that was committed causes a regression due to differences in the behaviour of SCM_RIGHTS between Linux and OmniOS. This is under investigation. On non-Linux operating systems such as BSD and Solaris, before deploying a fixed version, package maintainers should try running the 'test-fdpass' test case to confirm whether their OS kernel has the Linux-like or OmniOS-like behaviour. This test-case requires building dbus with the --enable-modular-tests configure option, with GLib development files available; GLib is only used for the automated tests, and is not a dependency of the parts of dbus used in production. [0] https://gitlab.freedesktop.org/dbus/dbus/-/issues/294 [1] https://gitlab.freedesktop.org/dbus/dbus/-/commit/872b085f12f56da25a2dbd9bd0b2dff31d5aea63 [2] https://lists.freedesktop.org/archives/dbus/2020-June/017873.html [3] https://gitlab.freedesktop.org/dbus/dbus/-/issues/304 -- Simon McVittie, Collabora Ltd. / Debian dbus security contact: https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/CONTRIBUTING.md#reporting-security-vulnerabilities
Note:
See TracTickets
for help on using tickets.
Fixed at r11895