"Kevin Backhouse of the GitHub Security Lab discovered a denial of service
vulnerability in dbus >= 1.3.0. An unprivileged local attacker can cause
the system dbus-daemon (dbus-daemon --system) to leak file descriptors
(fds) by sending messages with a number of fds that exceeds the allowed
number, resulting in truncation. The attacker's connection is (correctly)
disconnected, but the fds that were attached to the truncated message
are (incorrectly) not closed. By repeating this process, the attacker
can make the dbus-daemon reach its RLIMIT_NOFILE limit. When this limit
is reached, new connections will fail, and existing connections will be
unable to send messages with fds attached, causing denial of service.
The same attack is also possible in the uncommon situation where processes
of different privilege levels communicate directly using a private D-Bus
socket (DBusServer) without going via a dbus-daemon."
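One defensive check the description above suggests, as an added example that is not part of this bug report or of dbus itself: read a process's RLIMIT_NOFILE from /proc/<pid>/limits and compare it with the number of entries in /proc/<pid>/fd, so a dbus-daemon whose fd table keeps climbing toward its limit can be spotted before new connections start failing. The 90% threshold and the sample limits text are constructed assumptions, and the live check needs a Linux /proc filesystem.

```python
"""Report how close a process (e.g. the system dbus-daemon) is to its
RLIMIT_NOFILE ceiling, the exhaustion condition described in the advisory.

Added example, not code from the bug report or from dbus. Assumes a Linux
/proc filesystem; the sample text and the threshold are constructed here.
"""
import os
import re

# Constructed sample of /proc/<pid>/limits in the format Linux prints.
SAMPLE_LIMITS = (
    "Limit                     Soft Limit           Hard Limit           Units     \n"
    "Max cpu time              unlimited            unlimited            seconds   \n"
    "Max open files            65536                65536                files     \n"
)

_OPEN_FILES = re.compile(r"^Max open files\s+(\S+)\s+(\S+)", re.M)


def _to_limit(field):
    """Convert one limits column; 'unlimited' becomes None."""
    return None if field == "unlimited" else int(field)


def parse_nofile_limit(limits_text):
    """Return (soft, hard) RLIMIT_NOFILE parsed from /proc/<pid>/limits text."""
    m = _OPEN_FILES.search(limits_text)
    if m is None:
        raise ValueError("no 'Max open files' line found")
    return _to_limit(m.group(1)), _to_limit(m.group(2))


def fd_pressure(pid):
    """Return (open_fds, soft_limit) for a live process via /proc."""
    with open(f"/proc/{pid}/limits") as f:
        soft, _hard = parse_nofile_limit(f.read())
    open_fds = len(os.listdir(f"/proc/{pid}/fd"))
    return open_fds, soft


def is_near_exhaustion(open_fds, soft, threshold=0.9):
    """True when open fds reach `threshold` of the soft limit (assumed 90%).
    A steadily rising count on dbus-daemon --system is the symptom to alert
    on; an unlimited soft limit can never be 'near'."""
    if soft is None:
        return False
    return open_fds >= threshold * soft


if __name__ == "__main__":
    # Inspect this process; on a real host pass the dbus-daemon pid instead.
    fds, soft = fd_pressure(os.getpid())
    print(f"open fds: {fds}, soft limit: {soft}, "
          f"near exhaustion: {is_near_exhaustion(fds, soft)}")
```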
The bug has been referenced in the following commit(s):
Author: Lars Wendler <email@example.com>
AuthorDate: 2020-06-04 18:29:54 +0000
Commit: Lars Wendler <firstname.lastname@example.org>
CommitDate: 2020-06-04 18:30:04 +0000
sys-apps/dbus: Security bump to version 1.12.18
Package-Manager: Portage-2.3.100, Repoman-2.3.22
Signed-off-by: Lars Wendler <email@example.com>
sys-apps/dbus/Manifest | 1 +
sys-apps/dbus/dbus-1.12.18.ebuild | 272 ++++++++++++++++++++++++++++++++++++++
2 files changed, 273 insertions(+)
@maintainer(s), ready for stabilisation?
This issue was resolved and addressed in
GLSA 202007-46 at https://security.gentoo.org/glsa/202007-46
by GLSA coordinator Sam James (sam_c).
Reopening for s390 stabilisation.