Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 755392 (CVE-2020-35512)

Summary: <sys-apps/dbus-1.12.20: use after free if duplicate UIDs (CVE-2020-35512)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: freedesktop-bugs
Priority: Normal Keywords: CC-ARCHES, STABLEREQ
Version: unspecifiedFlags: nattka: sanity-check+
Hardware: All   
OS: Linux   
URL: https://lists.freedesktop.org/archives/ftp-release/2020-July/000758.html
Whiteboard: A4 [glsa+]
Package list:
sys-apps/dbus-1.12.20
 Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-18 17:38:06 UTC 
From the release notes:

• On Unix, avoid a use-after-free if two usernames have the same
  numeric uid. In older versions this could lead to a crash (denial of
  service) or other undefined behaviour, possibly including incorrect
  authorization decisions if <policy group=...> is used.
  Like Unix filesystems, D-Bus' model of identity cannot distinguish
  between users of different names with the same numeric uid, so this
  configuration is not advisable on systems where D-Bus will be used.
  Thanks to Daniel Onaca.
  (dbus#305, dbus!166; Simon McVittie)


This version has been in tree since July, so maybe time to stable?
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-11-18 23:42:39 UTC 
x86 stable
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-19 00:12:35 UTC 
amd64 done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-19 00:14:45 UTC 
amd64 done
Comment 4 Rolf Eike Beer archtester 2020-11-22 15:39:30 UTC 
sparc stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-23 03:59:02 UTC 
ppc64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-23 04:34:23 UTC 
arm64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-23 04:34:49 UTC 
arm done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-23 04:37:17 UTC 
ppc done
Comment 9 Rolf Eike Beer archtester 2020-11-24 19:11:03 UTC 
hppa stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-30 01:19:04 UTC 
Please cleanup, thanks!
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-23 00:55:45 UTC 
New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:21:45 UTC 
This issue was resolved and addressed in
 GLSA 202012-17 at https://security.gentoo.org/glsa/202012-17
by GLSA coordinator Thomas Deutschmann (whissi).