Bug 1909101 (CVE-2020-35512)

Summary: CVE-2020-35512 dbus: users with the same numeric UID could lead to use-after-free and undefined behaviour
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: amigadave, caillon+fedoraproject, dking, gnome-sig, lpoetter, mclasen, rhughes, rstrode, tgunders, walters
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: dbus 1.10.32, dbus 1.12.20, dbus 1.13.18
Doc Text:
A use-after-free flaw was found in D-Bus when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors.
Last Closed: 2021-10-28 10:31:38 UTC
Bug Depends On: 1909102, 1914330    
Bug Blocks: 1909103    

Description Marian Rehak 2020-12-18 11:13:47 UTC
On Unix, avoid a use-after-free if two usernames have the same numeric uid. In older versions this could lead to a crash (denial of service) or other undefined behaviour, possibly including incorrect authorization decisions if <policy group=...> is used. Like Unix filesystems, D-Bus' model of identity cannot distinguish between users of different names with the same numeric uid, so this configuration is not advisable on systems where D-Bus will be used.

Reference:

https://bugs.gentoo.org/755392

Comment 1 Marian Rehak 2020-12-18 11:14:23 UTC
Created dbus tracking bugs for this issue:

Affects: fedora-all [bug 1909102]

Comment 7 RaTasha Tillery-Smith 2021-02-12 21:27:02 UTC
Statement:

Regarding the concern with D-Bus, users with the same UID are treated as the same user. As in Linux, multiple assumptions are made based on the fact that a user is identified by its UID. It is not advisable to have multiple users with different privileges and the same UID on systems where D-Bus is used. For these reasons, this vulnerability has been rated as having Low Impact.