Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 755392 (CVE-2020-35512) - <sys-apps/dbus-1.12.20: use after free if duplicate UIDs (CVE-2020-35512)
Summary: <sys-apps/dbus-1.12.20: use after free if duplicate UIDs (CVE-2020-35512)
Status: RESOLVED FIXED
Alias: CVE-2020-35512
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://lists.freedesktop.org/archive...
Whiteboard: A4 [glsa+]
Keywords: CC-ARCHES, STABLEREQ
Depends on:
Blocks:
 
Reported: 2020-11-18 17:38 UTC by John Helmert III
Modified: 2021-02-15 21:50 UTC (History)
1 user (show)

See Also:
Package list:
sys-apps/dbus-1.12.20
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-18 17:38:06 UTC 
From the release notes:

• On Unix, avoid a use-after-free if two usernames have the same
  numeric uid. In older versions this could lead to a crash (denial of
  service) or other undefined behaviour, possibly including incorrect
  authorization decisions if <policy group=...> is used.
  Like Unix filesystems, D-Bus' model of identity cannot distinguish
  between users of different names with the same numeric uid, so this
  configuration is not advisable on systems where D-Bus will be used.
  Thanks to Daniel Onaca.
  (dbus#305, dbus!166; Simon McVittie)


This version has been in tree since July, so maybe time to stable?
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-11-18 23:42:39 UTC 
x86 stable
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-19 00:12:35 UTC 
amd64 done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-19 00:14:45 UTC 
amd64 done
Comment 4 Rolf Eike Beer archtester 2020-11-22 15:39:30 UTC 
sparc stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-23 03:59:02 UTC 
ppc64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-23 04:34:23 UTC 
arm64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-23 04:34:49 UTC 
arm done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-23 04:37:17 UTC 
ppc done
Comment 9 Rolf Eike Beer archtester 2020-11-24 19:11:03 UTC 
hppa stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-30 01:19:04 UTC 
Please cleanup, thanks!
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-23 00:55:45 UTC 
New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:21:45 UTC 
This issue was resolved and addressed in
 GLSA 202012-17 at https://security.gentoo.org/glsa/202012-17
by GLSA coordinator Thomas Deutschmann (whissi).