An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. References: http://www.openwall.com/lists/oss-security/2020/06/04/3 https://gitlab.freedesktop.org/dbus/dbus/-/issues/294 https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.10.30 https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.12.18 https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.13.16
Created dbus tracking bugs for this issue: Affects: fedora-all [bug 1849042]
Upstream fix: https://gitlab.freedesktop.org/dbus/dbus/-/commit/872b085f12f56da25a2dbd9bd0b2dff31d5aea63
Function _dbus_read_socket_with_unix_fds() does not close the opened file descriptors when the control data of the message was truncated. This leaks some file descriptors. If multiple file descriptor are leaked, the dbus process can reach its RLIMIT_NOFILE limit enforced by the system, thus when later some service tries to use the bus, DBus is not able to operate properly because it cannot allocate more file descriptors. As DBus is nowadays used by multiple services, the system becomes almost unusable.
Statement: This issue did not affect the versions of dbus as shipped with Red Hat Enterprise Linux 5, and 6 as they did not include the vulnerable code.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2894 https://access.redhat.com/errata/RHSA-2020:2894
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12049
How is this closed? RHEL8 is affected and there is no security advisory.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:3014 https://access.redhat.com/errata/RHSA-2020:3014
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:3044 https://access.redhat.com/errata/RHSA-2020:3044
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:3298 https://access.redhat.com/errata/RHSA-2020:3298