1909101 – (CVE-2020-35512) CVE-2020-35512 dbus: users with the same numeric UID could lead to use-after-free and undefined behaviour

Bug 1909101 (CVE-2020-35512) - CVE-2020-35512 dbus: users with the same numeric UID could lead to use-after-free and undefined behaviour

Summary: CVE-2020-35512 dbus: users with the same numeric UID could lead to use-after-...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2020-35512
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1909102 1914330
Blocks:	1909103
TreeView+	depends on / blocked

Reported:	2020-12-18 11:13 UTC by Marian Rehak
Modified:	2021-10-28 10:31 UTC (History)
CC List:	10 users (show)
Fixed In Version:	dbus 1.10.32, dbus 1.12.20, dbus 1.13.18
Doc Type:	If docs needed, set a value
Doc Text:	A use-after-free flaw was found in D-Bus when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors.
Clone Of:
Environment:
Last Closed:	2021-10-28 10:31:38 UTC
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2020-12-18 11:13:47 UTC

On Unix, avoid a use-after-free if two usernames have the same numeric uid. In older versions this could lead to a crash (denial of service) or other undefined behaviour, possibly including incorrect authorization decisions if <policy group=...> is used. Like Unix filesystems, D-Bus' model of identity cannot distinguish between users of different names with the same numeric uid, so this configuration is not advisable on systems where D-Bus will be used.

Reference:

https://bugs.gentoo.org/755392

Comment 1 Marian Rehak 2020-12-18 11:14:23 UTC

Created dbus tracking bugs for this issue:

Affects: fedora-all [bug 1909102]

Comment 2 Riccardo Schirone 2021-01-04 16:44:09 UTC

Upstream issue:
https://gitlab.freedesktop.org/dbus/dbus/-/issues/305

Upstream patch:
https://gitlab.freedesktop.org/dbus/dbus/-/commit/e75c67a28fa2bc41a8ab0de433a52355c71a8abf

Comment 7 RaTasha Tillery-Smith 2021-02-12 21:27:02 UTC

Statement:

Regarding the concern with D-Bus, users with the same UID are treated as the same user. As in Linux, multiple assumptions are made based on the fact that a user is identified by its UID. It is not advisable to have multiple users with different privileges and the same UID on systems where D-Bus is used. For these reasons, this vulnerability has been rated as having Low Impact.

Note You need to log in before you can comment on or make changes to this bug.