Bug 26735 - dbus new security issue CVE-2020-12049
Summary: dbus new security issue CVE-2020-12049
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-06-06 18:35 CEST by David Walser
Modified: 2020-06-15 09:56 CEST

See Also:
Source RPM: dbus-1.13.8-4.1.mga7.src.rpm
CVE: CVE-2020-12049
Status comment:



Description David Walser 2020-06-06 18:35:08 CEST
An advisory has been issued on June 4:
https://www.openwall.com/lists/oss-security/2020/06/04/3

The issue is fixed upstream in 1.13.16.

Mageia 7 is also affected.
David Walser 2020-06-06 18:35:26 CEST

Status comment: (none) => Fixed upstream in 1.13.16
Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-06-07 20:59:57 CEST
Dbus has been maintained by many different people, so assigning this bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2020-06-09 19:27:09 CEST
Debian-LTS has issued an advisory for this on June 5:
https://www.debian.org/lts/security/2020/dla-2235

Comment 3 Nicolas Salguero 2020-06-12 10:19:59 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. (CVE-2020-12049)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12049
https://www.openwall.com/lists/oss-security/2020/06/04/3
https://www.debian.org/lts/security/2020/dla-2235
========================

Updated packages in core/updates_testing:
========================
dbus-1.13.8-4.2.mga7
lib(64)dbus1_3-1.13.8-4.2.mga7
lib(64)dbus-devel-1.13.8-4.2.mga7
dbus-x11-1.13.8-4.2.mga7
dbus-doc-1.13.8-4.2.mga7

from SRPMS:
dbus-1.13.8-4.2.mga7.src.rpm

Source RPM: dbus-1.13.8-6.mga8.src.rpm => dbus-1.13.8-4.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Status comment: Fixed upstream in 1.13.16 => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-12049
CC: (none) => nicolas.salguero
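
As an added example (not part of this bug report, and not code from the dbus project or from Mageia's packaging): the advisory text in Comment 3 describes the impact of CVE-2020-12049 as the system bus leaking descriptors until it hits its file-descriptor limit and refuses new clients. The Python script below, written for this page, checks how close a running system dbus-daemon is to that ceiling by reading /proc/<pid>/limits and /proc/<pid>/fd. The WARN_FRACTION threshold is an arbitrary assumption and SAMPLE_LIMITS is constructed text in the /proc limits layout; neither comes from the page.

```python
#!/usr/bin/env python3
"""Report how close a running system dbus-daemon is to its open-file limit.

Added example for Mageia bug 26735 / CVE-2020-12049; not code from dbus or
Mageia. An unpatched DBusServer leaks a descriptor each time a message
carries more fds than the per-message limit allows, so the symptom on a
vulnerable system bus is an fd table that only grows until RLIMIT_NOFILE
is reached. This script measures that directly from /proc.
"""
import os
import sys

# Assumption for this example: warn once 80% of the soft limit is in use.
WARN_FRACTION = 0.8

# Constructed sample in the layout of /proc/<pid>/limits (not captured data).
SAMPLE_LIMITS = (
    "Limit                     Soft Limit           Hard Limit           Units     \n"
    "Max processes             15000                15000                processes \n"
    "Max open files            1024                 4096                 files     \n"
    "Max address space         unlimited            unlimited            bytes     \n"
)


def parse_soft_nofile(limits_text):
    """Return the soft 'Max open files' value from /proc/<pid>/limits text.

    Rows are whitespace-separated, so the row splits into
    ['Max', 'open', 'files', '<soft>', '<hard>', 'files'].
    'unlimited' is returned as -1 (no ceiling).
    """
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            soft = line.split()[3]
            return -1 if soft == "unlimited" else int(soft)
    raise ValueError("no 'Max open files' row in limits text")


def fd_pressure(open_fds, soft_limit):
    """Fraction of the soft limit currently consumed (0.0 when unlimited)."""
    if soft_limit <= 0:
        return 0.0
    return open_fds / soft_limit


def find_system_dbus_pids():
    """PIDs of dbus-daemon processes started with --system, via /proc/*/cmdline."""
    pids = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open("/proc/%s/cmdline" % entry, "rb") as f:
                argv = f.read().split(b"\0")
        except OSError:
            continue  # process exited or cmdline not readable
        if argv and os.path.basename(argv[0]).endswith(b"dbus-daemon") and b"--system" in argv:
            pids.append(int(entry))
    return pids


def count_open_fds(pid):
    """Entries in /proc/<pid>/fd; needs root (or the daemon's uid) to read."""
    return len(os.listdir("/proc/%d/fd" % pid))


def report(pid):
    """(open fds, soft limit, fraction used) for one process."""
    with open("/proc/%d/limits" % pid) as f:
        soft = parse_soft_nofile(f.read())
    used = count_open_fds(pid)
    return used, soft, fd_pressure(used, soft)


if __name__ == "__main__":
    pids = find_system_dbus_pids()
    if not pids:
        sys.exit("no system dbus-daemon found (or /proc not readable)")
    rc = 0
    for pid in pids:
        try:
            used, soft, frac = report(pid)
        except PermissionError:
            print("pid %d: cannot read /proc/%d/fd, run as root" % (pid, pid))
            rc = 2
            continue
        state = "WARN" if frac >= WARN_FRACTION else "ok"
        print("pid %d: %d open fds, soft limit %d, %.1f%% used [%s]"
              % (pid, used, soft, frac * 100, state))
        if state == "WARN":
            rc = 1
    sys.exit(rc)
```

Run it as root a few times while D-Bus clients are active: a count that only climbs, and never comes back down after clients disconnect, is the leak the advisory describes, while a patched daemon settles at a stable baseline. The limit is read from the daemon's own /proc entry rather than assumed to be the shell default, because dbus-daemon raises its soft RLIMIT_NOFILE at startup when it runs as root (the "Failed to reset fd limit" line in the systemd log later in this bug is that mechanism being exercised during activation).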

Comment 4 Herman Viaene 2020-06-13 14:14:12 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 19561 for tests.
Rebooted after installation and see no ill effects. 

# systemctl -l status dbus
● dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static; vendor preset: disabled)
   Active: active (running) since Sat 2020-06-13 14:01:47 CEST; 5min ago
     Docs: man:dbus-daemon(1)
 Main PID: 1487 (dbus-daemon)
    Tasks: 1 (limit: 4915)
   Memory: 3.7M
   CGroup: /system.slice/dbus.service
           └─1487 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

Jun 13 14:01:50 mach5.hviaene.thuis dbus-daemon[1487]: [system] Successfully activated service 'org.freedesktop.login1'
Jun 13 14:01:50 mach5.hviaene.thuis dbus-daemon[1487]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Jun 13 14:01:54 mach5.hviaene.thuis dbus-daemon[1487]: [system] Activating via systemd: service name='org.freedesktop.Accounts' unit='accounts-daemon.service' requested by ':1.24' (uid=0 pid>
Jun 13 14:01:55 mach5.hviaene.thuis dbus-daemon[1487]: [system] Successfully activated service 'org.freedesktop.Accounts'
Jun 13 14:03:08 mach5.hviaene.thuis dbus-daemon[1487]: [system] Activating service name='org.kde.powerdevil.discretegpuhelper' requested by ':1.57' (uid=1000 pid=8327 comm="/usr/libexec/org_>
Jun 13 14:03:08 mach5.hviaene.thuis dbus-daemon[10492]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: >
Jun 13 14:03:10 mach5.hviaene.thuis org.kde.powerdevil.discretegpuhelper[10492]: QDBusArgument: read from a write-only object
Jun 13 14:03:10 mach5.hviaene.thuis org.kde.powerdevil.discretegpuhelper[10492]: QDBusArgument: read from a write-only object
Jun 13 14:03:10 mach5.hviaene.thuis org.kde.powerdevil.discretegpuhelper[10492]: QDBusArgument: read from a write-only object
Jun 13 14:03:10 mach5.hviaene.thuis dbus-daemon[1487]: [system] Successfully activated service 'org.kde.powerdevil.discretegpuhelper'

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-06-14 01:13:31 CEST
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Nicolas Lécureuil 2020-06-15 08:59:20 CEST

CC: (none) => mageia
Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-06-15 09:56:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0262.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

