CVE-2020-12049

An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.

References

Affected packages

Git / gitlab.freedesktop.org/dbus/dbus

Affected ranges

Type: GIT
Repo: https://gitlab.freedesktop.org/dbus/dbus
Events: Introduced

acf0eb52ad7ca4d1af9a54c67973f142e96d2764

Fixed

a0926ef86f413f18202ffa19cb1433b6ba00ac36

Affected versions

dbus-1.*

dbus-1.10.0

dbus-1.10.10

dbus-1.10.12

dbus-1.10.14

dbus-1.10.16

dbus-1.10.18

dbus-1.10.2

dbus-1.10.20

dbus-1.10.22

dbus-1.10.4

dbus-1.10.6

dbus-1.10.8

dbus-1.11.0

dbus-1.11.10

dbus-1.11.12

dbus-1.11.14

dbus-1.11.16

dbus-1.11.18

dbus-1.11.2

dbus-1.11.20

dbus-1.11.22

dbus-1.11.4

dbus-1.11.6

dbus-1.11.8

dbus-1.12.0

dbus-1.12.10

dbus-1.12.12

dbus-1.12.14

dbus-1.12.16

dbus-1.12.2

dbus-1.12.4

dbus-1.12.6

dbus-1.12.8

dbus-1.2.18

dbus-1.2.20

dbus-1.2.22

dbus-1.2.24

dbus-1.3.0

dbus-1.3.1

dbus-1.4.0

dbus-1.4.1

dbus-1.4.10

dbus-1.4.12

dbus-1.4.14

dbus-1.4.16

dbus-1.4.18

dbus-1.4.20

dbus-1.4.4

dbus-1.4.6

dbus-1.4.8

dbus-1.5.0

dbus-1.5.10

dbus-1.5.12

dbus-1.5.2

dbus-1.5.4

dbus-1.5.6

dbus-1.5.8

dbus-1.6.0

dbus-1.6.10

dbus-1.6.12

dbus-1.6.14

dbus-1.6.16

dbus-1.6.18

dbus-1.6.2

dbus-1.6.4

dbus-1.6.6

dbus-1.6.8

dbus-1.7.0

dbus-1.7.10

dbus-1.7.2

dbus-1.7.4

dbus-1.7.6

dbus-1.7.8

dbus-1.8.0

dbus-1.8.10

dbus-1.8.12

dbus-1.8.14

dbus-1.8.16

dbus-1.8.18

dbus-1.8.2

dbus-1.8.20

dbus-1.8.4

dbus-1.8.6

dbus-1.8.8

dbus-1.9.0

dbus-1.9.10

dbus-1.9.12

dbus-1.9.14

dbus-1.9.16

dbus-1.9.18

dbus-1.9.2

dbus-1.9.20

dbus-1.9.4

dbus-1.9.6

dbus-1.9.8