Bugzilla – Bug 1172505
VUL-1: CVE-2020-12049: dbus-1: truncated messages lead to resource exhaustion
Last modified: 2024-07-09 10:03:43 UTC
CVE-2020-12049 In D-Bus, MSG_CTRUNC indicates that we have received fewer fds that we should have done because the buffer was too small, but we were treating it as though it indicated that we received *no* fds. If we received any, we still have to make sure we close them, otherwise they will be leaked. On the system bus, if an attacker can induce us to leak fds in this way, that's a local denial of service via resource exhaustion. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12049 http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12049.html https://security-tracker.debian.org/tracker/CVE-2020-12049 https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5 https://gitlab.freedesktop.org/dbus/dbus/-/commit/8bc1381819e5a845331650bfa28dacf6d2ac1748
SUSE:SLE-11-SP1:Update Not affected [1] SUSE:SLE-12:Update Affected SUSE:SLE-12-SP3:Update Affected SUSE:SLE-12-SP5:Update Affected SUSE:SLE-15-SP1:Update Affected SUSE:SLE-15:Update Affected [1] The file descriptor leak was introduced by commit 4c4db7f9da1aa29c264a9f9d7d9fb1d774e28ee1
SUSE-SU-2021:2424-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1172505,1187105 CVE References: CVE-2020-12049,CVE-2020-35512 JIRA References: Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): dbus-1-1.8.22-35.2, dbus-1-x11-1.8.22-35.2 SUSE Linux Enterprise Server 12-SP5 (src): dbus-1-1.8.22-35.2, dbus-1-x11-1.8.22-35.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2470-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1172505 CVE References: CVE-2020-12049 JIRA References: Sources used: SUSE Linux Enterprise Server for SAP 15 (src): dbus-1-1.12.2-3.16.1, dbus-1-x11-1.12.2-3.16.1 SUSE Linux Enterprise Server 15-LTSS (src): dbus-1-1.12.2-3.16.1, dbus-1-x11-1.12.2-3.16.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): dbus-1-1.12.2-3.16.1, dbus-1-x11-1.12.2-3.16.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): dbus-1-1.12.2-3.16.1, dbus-1-x11-1.12.2-3.16.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2590-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1172505,1187105 CVE References: CVE-2020-12049,CVE-2020-35512 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): dbus-1-1.8.22-29.21.1, dbus-1-x11-1.8.22-29.21.1 SUSE OpenStack Cloud Crowbar 8 (src): dbus-1-1.8.22-29.21.1, dbus-1-x11-1.8.22-29.21.1 SUSE OpenStack Cloud 9 (src): dbus-1-1.8.22-29.21.1, dbus-1-x11-1.8.22-29.21.1 SUSE OpenStack Cloud 8 (src): dbus-1-1.8.22-29.21.1, dbus-1-x11-1.8.22-29.21.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): dbus-1-1.8.22-29.21.1, dbus-1-x11-1.8.22-29.21.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): dbus-1-1.8.22-29.21.1, dbus-1-x11-1.8.22-29.21.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): dbus-1-1.8.22-29.21.1, dbus-1-x11-1.8.22-29.21.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): dbus-1-1.8.22-29.21.1, dbus-1-x11-1.8.22-29.21.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): dbus-1-1.8.22-29.21.1, dbus-1-x11-1.8.22-29.21.1 HPE Helion Openstack 8 (src): dbus-1-1.8.22-29.21.1, dbus-1-x11-1.8.22-29.21.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done
# maintenance_jira_update_notice openSUSE-SU-2021:2810-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1172505 CVE References: CVE-2020-12049 JIRA References: Sources used: openSUSE Leap 15.3 (src): dbus-1-1.12.2-8.11.2, dbus-1-x11-1.12.2-8.11.1
# maintenance_jira_update_notice SUSE-SU-2021:2810-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1172505 CVE References: CVE-2020-12049 JIRA References: Sources used: SUSE MicroOS 5.0 (src): dbus-1-1.12.2-8.11.2 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): dbus-1-1.12.2-8.11.2, dbus-1-x11-1.12.2-8.11.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): dbus-1-1.12.2-8.11.2, dbus-1-x11-1.12.2-8.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
# maintenance_jira_update_notice openSUSE-SU-2021:1204-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1172505 CVE References: CVE-2020-12049 JIRA References: Sources used: openSUSE Leap 15.2 (src): dbus-1-1.12.2-lp152.6.6.1, dbus-1-x11-1.12.2-lp152.6.6.1
this should now be in all streams
Released