An assertion failure in dbus-daemon when a privileged Monitoring connection (dbus-monitor, busctl monitor, gdbus monitor or similar) is active, and a message from the bus driver cannot be delivered to a client connection due to <deny> rules or outgoing message quota. This is a denial of service if triggered maliciously by a local attacker.

In other words, if a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances.

Vulnerable versions:
  1.15.x before 1.15.6
  1.14.x before 1.14.8
  1.12.x before 1.12.28
  most end-of-life versions since 1.9.x

Fixed versions:
  all since 1.15.6
  1.14.x since 1.14.8
  1.12.x since 1.12.28

Not vulnerable: end-of-life versions 1.8.x or older do not contain the affected code path.

https://gitlab.freedesktop.org/dbus/dbus/-/issues/457
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1908636.html
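A small version-triage helper, added here as an example and not part of the bug report or of the dbus project: it encodes the affected/fixed branch list above so an administrator can classify an installed dbus-daemon. The banner format "D-Bus Message Bus Daemon x.y.z" is an assumption about the first line of `dbus-daemon --version`, the sample banner is constructed, and end-of-life branches between 1.9.x and 1.15 are conservatively treated as affected because the report says "most" of them are.

```python
import re
import shutil
import subprocess

# Fixed micro version per maintained branch, as listed in the report.
FIXED = {(1, 15): 6, (1, 14): 8, (1, 12): 28}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract (major, minor, micro) from a version banner.

    Assumes the first line of `dbus-daemon --version` looks like
    "D-Bus Message Bus Daemon 1.14.8" (constructed sample; wording assumed).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no x.y.z version found in: %r" % text)
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version):
    """Classify a dbus-daemon version against the report's branch list.

    - 1.8.x or older: not affected (code path absent)
    - 1.15.x < 1.15.6, 1.14.x < 1.14.8, 1.12.x < 1.12.28: affected
    - other EOL branches from 1.9.x up to 1.15: treated as affected (assumption)
    - 1.16 and newer: fixed ("all since 1.15.6")
    """
    major, minor, micro = version
    if (major, minor) < (1, 9):
        return False
    if (major, minor) >= (1, 16):
        return False
    fixed_micro = FIXED.get((major, minor))
    if fixed_micro is not None:
        return micro < fixed_micro
    return True  # 1.9, 1.10, 1.11, 1.13: EOL branches without a listed fix


def check_banner(banner):
    """Return ("x.y.z", vulnerable?) for a version banner string."""
    v = parse_version(banner)
    return "%d.%d.%d" % v, is_vulnerable(v)


if __name__ == "__main__":
    # Query the locally installed daemon, if present, and report its status.
    if shutil.which("dbus-daemon"):
        out = subprocess.run(["dbus-daemon", "--version"],
                             capture_output=True, text=True).stdout
        print(check_banner(out.splitlines()[0]))
    else:
        print(check_banner("D-Bus Message Bus Daemon 1.14.8"))  # constructed
```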
No CVE has been published yet, but upstream has requested one from Mitre.
Created dbus tracking bugs for this issue:
Affects: fedora-all [bug 2213396]

Created mingw-dbus tracking bugs for this issue:
Affects: fedora-all [bug 2213397]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:4498 https://access.redhat.com/errata/RHSA-2023:4498
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:4569 https://access.redhat.com/errata/RHSA-2023:4569
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:5193 https://access.redhat.com/errata/RHSA-2023:5193