Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 4 Jun 2020 11:56:37 +0100
From: Simon McVittie <>
Subject: CVE-2020-12049: dbus: denial of service via file descriptor leak

References: CVE-2020-12049, GHSL-2020-057, dbus#294.

dbus is the reference implementation of D-Bus, a user-space IPC mechanism
originating from and commonly used on Linux and other
Unix systems.

Kevin Backhouse of the GitHub Security Lab discovered a denial of service
vulnerability[0] in dbus >= 1.3.0. An unprivileged local attacker can cause
the system dbus-daemon (dbus-daemon --system) to leak file descriptors
(fds) by sending messages with a number of fds that exceeds the allowed
number, resulting in truncation. The attacker's connection is (correctly)
disconnected, but the fds that were attached to the truncated message
are (incorrectly) not closed. By repeating this process, the attacker
can make the dbus-daemon reach its RLIMIT_NOFILE limit. When this limit
is reached, new connections will fail, and existing connections will be
unable to send messages with fds attached, causing denial of service.

The same attack is also possible in the uncommon situation where processes
of different privilege levels communicate directly using a private D-Bus
socket (DBusServer) without going via a dbus-daemon.

In the development branch, this has been fixed[1] in version 1.13.16.
Older releases are vulnerable, except where noted below.

In the stable branch 1.12.x, this has been fixed in version 1.12.18.
This is the recommended version of dbus for production use and for
long-term-stable operating systems.

In the old stable branch 1.10.x, this has been fixed in version 1.10.30.
This branch is maintained for the benefit of older long-term-stable
operating systems such as Debian 9, and will reach end-of-life soon[2].

Older stable branches such as 1.8.x have reached end-of-life and will
not receive upstream releases to fix this. Upgrading is recommended.
However, the patch used in supported versions[1] is believed to be
suitable for third-party backports to older releases.

We have received a report[3] that in at least OmniOS (a
Solaris/OpenSolaris/illumos derivative), the solution that was committed
causes a regression due to differences in the behaviour of SCM_RIGHTS
between Linux and OmniOS. This is under investigation. On non-Linux
operating systems such as BSD and Solaris, before deploying a fixed
version, package maintainers should try running the 'test-fdpass'
test case to confirm whether their OS kernel has the Linux-like or
OmniOS-like behaviour. This test-case requires building dbus with the
--enable-modular-tests configure option, with GLib development files
available; GLib is only used for the automated tests, and is not a
dependency of the parts of dbus used in production.


Simon McVittie, Collabora Ltd. / Debian
dbus security contact:

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.