Unauthenticated Local Denial of Service (DoS) in dnf5daemon-server via path traversal in the D-Bus locale configuration. By passing an invalid or malicious string (e.g., ../../../../../tmp/PWNED ) to the locale key during open_session , an unprivileged user forces the underlying libdnf5 library to throw a libdnf5::SystemError when newlocale() fails. Because ThreadsManager::set_thread_locale does not catch this exception, it escapes the thread boundary, invoking std::terminate() and causing the root-privileged daemon to abort with a core dump. Requirements to exploit: The attacker requires a local, unprivileged user account on the target system and access to the System D-Bus. No special permissions or user interactions are required.
There is no path traversal. The exception happens when the passed string as a locale unknown to glibc. There are two options how to fix it in the server code: (1) Handle the exceptions by returning a D-Bus error, (2) Handle the exceptions by not setting any locale. Since typically setting a locale is an optional feature in applications, defaulting to C locale, and since having an invalid locale on client side would prevent users from performing any package operations, especially installing a desired glibc-langpack-* package, I'm for fixing this issue with the second option.