| Summary: | dbus new security issue CVE-2020-12049 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia, nicolas.salguero, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | dbus-1.13.8-4.1.mga7.src.rpm | CVE: | CVE-2020-12049 |
| Status comment: | |||
Description
David Walser
2020-06-06 18:35:08 CEST
David Walser
2020-06-06 18:35:26 CEST
Status comment: (none) => Fixed upstream in 1.13.16

Dbus has been maintained by many different people, so assigning this bug globally.

Assignee: bugsquad => pkg-bugs

Debian-LTS has issued an advisory for this on June 5:
https://www.debian.org/lts/security/2020/dla-2235

Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. (CVE-2020-12049)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12049
https://www.openwall.com/lists/oss-security/2020/06/04/3
https://www.debian.org/lts/security/2020/dla-2235
========================

Updated packages in core/updates_testing:
========================
dbus-1.13.8-4.2.mga7
lib(64)dbus1_3-1.13.8-4.2.mga7
lib(64)dbus-devel-1.13.8-4.2.mga7
dbus-x11-1.13.8-4.2.mga7
dbus-doc-1.13.8-4.2.mga7

from SRPMS:
dbus-1.13.8-4.2.mga7.src.rpm

Source RPM: dbus-1.13.8-6.mga8.src.rpm => dbus-1.13.8-4.1.mga7.src.rpm

MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 19561 for tests.
Rebooted after installation and see no ill effects.

```
# systemctl -l status dbus
● dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static; vendor preset: disabled)
   Active: active (running) since Sat 2020-06-13 14:01:47 CEST; 5min ago
     Docs: man:dbus-daemon(1)
 Main PID: 1487 (dbus-daemon)
    Tasks: 1 (limit: 4915)
   Memory: 3.7M
   CGroup: /system.slice/dbus.service
           └─1487 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

Jun 13 14:01:50 mach5.hviaene.thuis dbus-daemon[1487]: [system] Successfully activated service 'org.freedesktop.login1'
Jun 13 14:01:50 mach5.hviaene.thuis dbus-daemon[1487]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Jun 13 14:01:54 mach5.hviaene.thuis dbus-daemon[1487]: [system] Activating via systemd: service name='org.freedesktop.Accounts' unit='accounts-daemon.service' requested by ':1.24' (uid=0 pid>
Jun 13 14:01:55 mach5.hviaene.thuis dbus-daemon[1487]: [system] Successfully activated service 'org.freedesktop.Accounts'
Jun 13 14:03:08 mach5.hviaene.thuis dbus-daemon[1487]: [system] Activating service name='org.kde.powerdevil.discretegpuhelper' requested by ':1.57' (uid=1000 pid=8327 comm="/usr/libexec/org_>
Jun 13 14:03:08 mach5.hviaene.thuis dbus-daemon[10492]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: >
Jun 13 14:03:10 mach5.hviaene.thuis org.kde.powerdevil.discretegpuhelper[10492]: QDBusArgument: read from a write-only object
Jun 13 14:03:10 mach5.hviaene.thuis org.kde.powerdevil.discretegpuhelper[10492]: QDBusArgument: read from a write-only object
Jun 13 14:03:10 mach5.hviaene.thuis org.kde.powerdevil.discretegpuhelper[10492]: QDBusArgument: read from a write-only object
Jun 13 14:03:10 mach5.hviaene.thuis dbus-daemon[1487]: [system] Successfully activated service 'org.kde.powerdevil.discretegpuhelper'
```

CC: (none) => herman.viaene

Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil
2020-06-15 08:59:20 CEST
CC: (none) => mageia

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0262.html

Status: ASSIGNED => RESOLVED
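
The advisory text in this report describes a service reaching its file descriptor limit. The following is an added monitoring example, not part of the bug report or of dbus itself: it compares the number of open descriptors of each `dbus-daemon` process with its soft `Max open files` limit under Linux `/proc`. The function names, the `proc_root` parameter and the 0.8 threshold are assumptions made for the example, and it works for any process name, not only `dbus-daemon`.

```python
# Added example. Assumes Linux /proc; reading another user's fd/ needs root.
import os
import re

def soft_nofile_limit(pid, proc_root="/proc"):
    """Soft 'Max open files' limit from /proc/<pid>/limits (None if unlimited)."""
    with open(os.path.join(proc_root, str(pid), "limits")) as fh:
        for line in fh:
            m = re.match(r"Max open files\s+(\S+)\s+(\S+)", line)
            if m:
                return None if m.group(1) == "unlimited" else int(m.group(1))
    raise ValueError("no 'Max open files' row for pid %s" % pid)

def fd_usage(pid, proc_root="/proc"):
    """Return (open_fds, soft_limit, fraction_used) for one process."""
    open_fds = len(os.listdir(os.path.join(proc_root, str(pid), "fd")))
    limit = soft_nofile_limit(pid, proc_root)
    return open_fds, limit, (open_fds / limit if limit else 0.0)

def find_pids(comm, proc_root="/proc"):
    """Return sorted PIDs whose /proc/<pid>/comm equals comm."""
    pids = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                if fh.read().strip() == comm:
                    pids.append(int(entry))
        except OSError:  # process exited while we were scanning
            continue
    return sorted(pids)

def check(comm="dbus-daemon", threshold=0.8, proc_root="/proc"):
    """Return (pid, open_fds, limit) for each process at or above threshold."""
    alerts = []
    for pid in find_pids(comm, proc_root):
        try:
            open_fds, limit, fraction = fd_usage(pid, proc_root)
        except (OSError, ValueError):  # exited, or fd/ not readable
            continue
        if fraction >= threshold:
            alerts.append((pid, open_fds, limit))
    return alerts

if __name__ == "__main__":
    for pid, n, lim in check():
        print("dbus-daemon pid %d: %d of %d descriptors in use" % (pid, n, lim))
```

A count that keeps climbing toward the limit while the number of connected clients stays flat is the symptom worth alerting on; a single high reading on a busy desktop is not conclusive.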