An advisory has been issued on June 4: https://www.openwall.com/lists/oss-security/2020/06/04/3 The issue is fixed upstream in 1.13.16. Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 1.13.16
Whiteboard: (none) => MGA7TOO
Dbus has been maintained by many different people, so assigning this bug globally.
Assignee: bugsquad => pkg-bugs
Debian-LTS has issued an advisory for this on June 5: https://www.debian.org/lts/security/2020/dla-2235
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. (CVE-2020-12049)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12049
https://www.openwall.com/lists/oss-security/2020/06/04/3
https://www.debian.org/lts/security/2020/dla-2235
========================

Updated packages in core/updates_testing:
========================
dbus-1.13.8-4.2.mga7
lib(64)dbus1_3-1.13.8-4.2.mga7
lib(64)dbus-devel-1.13.8-4.2.mga7
dbus-x11-1.13.8-4.2.mga7
dbus-doc-1.13.8-4.2.mga7

from SRPMS:
dbus-1.13.8-4.2.mga7.src.rpm
Source RPM: dbus-1.13.8-6.mga8.src.rpm => dbus-1.13.8-4.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Status comment: Fixed upstream in 1.13.16 => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-12049
CC: (none) => nicolas.salguero
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 19561 for tests.
Rebooted after installation and see no ill effects.

# systemctl -l status dbus
● dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static; vendor preset: disabled)
   Active: active (running) since Sat 2020-06-13 14:01:47 CEST; 5min ago
     Docs: man:dbus-daemon(1)
 Main PID: 1487 (dbus-daemon)
    Tasks: 1 (limit: 4915)
   Memory: 3.7M
   CGroup: /system.slice/dbus.service
           └─1487 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

Jun 13 14:01:50 mach5.hviaene.thuis dbus-daemon[1487]: [system] Successfully activated service 'org.freedesktop.login1'
Jun 13 14:01:50 mach5.hviaene.thuis dbus-daemon[1487]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Jun 13 14:01:54 mach5.hviaene.thuis dbus-daemon[1487]: [system] Activating via systemd: service name='org.freedesktop.Accounts' unit='accounts-daemon.service' requested by ':1.24' (uid=0 pid>
Jun 13 14:01:55 mach5.hviaene.thuis dbus-daemon[1487]: [system] Successfully activated service 'org.freedesktop.Accounts'
Jun 13 14:03:08 mach5.hviaene.thuis dbus-daemon[1487]: [system] Activating service name='org.kde.powerdevil.discretegpuhelper' requested by ':1.57' (uid=1000 pid=8327 comm="/usr/libexec/org_>
Jun 13 14:03:08 mach5.hviaene.thuis dbus-daemon[10492]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: >
Jun 13 14:03:10 mach5.hviaene.thuis org.kde.powerdevil.discretegpuhelper[10492]: QDBusArgument: read from a write-only object
Jun 13 14:03:10 mach5.hviaene.thuis org.kde.powerdevil.discretegpuhelper[10492]: QDBusArgument: read from a write-only object
Jun 13 14:03:10 mach5.hviaene.thuis org.kde.powerdevil.discretegpuhelper[10492]: QDBusArgument: read from a write-only object
Jun 13 14:03:10 mach5.hviaene.thuis dbus-daemon[1487]: [system] Successfully activated service 'org.kde.powerdevil.discretegpuhelper'

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
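Added example, not part of the bug report or of the dbus project: the failure described in the advisory is dbus-daemon reaching its file descriptor limit, so one check to run alongside the status output above is how close the daemon is to that limit. The function name `fd_headroom` and the 80% default threshold are assumptions made for this sketch; it reads `/proc`, so it is Linux-only and needs root to inspect another user's process.

```sh
# Added example: report how close a process is to its open-file soft limit.
# fd_headroom PID [THRESHOLD_PCT]   (name and default threshold are assumptions)
# Prints: "<pid> open=<n> soft_limit=<n|unlimited> used=<pct>%"
# Returns 0 below the threshold, 1 at or above it, 2 if /proc cannot be read.
#
# Typical call for the system bus on a systemd machine:
#   fd_headroom "$(systemctl show -p MainPID --value dbus.service)" 80
fd_headroom() {
    pid=$1
    threshold=${2:-80}
    fd_dir="/proc/$pid/fd"
    limits="/proc/$pid/limits"

    # Another user's /proc/PID/fd is only readable by root; fail clearly.
    if [ ! -r "$limits" ] || [ ! -r "$fd_dir" ]; then
        echo "cannot read $fd_dir or $limits (wrong PID, or not root?)" >&2
        return 2
    fi

    # /proc/PID/fd holds one entry per open descriptor.
    open=$(ls "$fd_dir" | wc -l)

    # Line format: "Max open files  <soft>  <hard>  files"; soft limit is field 4.
    soft=$(awk '/^Max open files/ { print $4 }' "$limits")

    if [ -z "$soft" ] || [ "$soft" = "unlimited" ]; then
        pct=0   # no finite limit to run into
    else
        pct=$(( open * 100 / soft ))
    fi

    echo "$pid open=$open soft_limit=${soft:-unknown} used=${pct}%"

    # Exit status tells a monitoring job whether to alert.
    [ "$pct" -lt "$threshold" ]
}
```

A count that keeps climbing between runs while the set of bus clients stays the same is the symptom to look for on an unpatched system.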
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => mageia
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0262.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED