Announcing dbus 1.12.18 security update

Simon McVittie smcv at collabora.com
Tue Jun 2 20:02:13 UTC 2020


dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.

This is a stable-branch release, including a local denial of service fix.
Upgrading is recommended, unless you are following the older stable
branch 1.10.x.

<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.18.tar.gz>
<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.18.tar.gz.asc>
git tag: dbus-1.12.18

The “telepathic vines” release.

Denial of service fixes:

• CVE-2020-12049: If a message contains more file descriptors than can
  be sent, close those that did get through before reporting error.
  Previously, a local attacker could cause the system dbus-daemon (or
  another system service with its own DBusServer) to run out of file
  descriptors, by repeatedly connecting to the server and sending fds that
  would get leaked.
  Thanks to Kevin Backhouse of GitHub Security Lab.
  (dbus#294, GHSL-2020-057; Simon McVittie)

Other fixes:

• Fix a crash when the dbus-daemon is terminated while one or more
  monitors are active (dbus#291, dbus!140; Simon McVittie)

• The dbus-send(1) man page now documents --bus and --peer instead of
  the old --address synonym for --peer, which has been deprecated since
  the introduction of --bus and --peer in 1.7.6
  (fd.o #48816, dbus!115; Chris Morin)

• Fix a wrong environment variable name in dbus-daemon(1)
  (dbus#275, dbus!122; Mubin, Philip Withnall)

• Fix formatting of dbus_message_append_args example
  (dbus!126, Felipe Franciosi)

• Avoid a test failure on Linux when built in a container as uid 0, but
  without the necessary privileges to increase resource limits
  (dbus!58, Debian #908092; Simon McVittie)

• When building with CMake, cope with libX11 in a non-standard location
  (dbus!129, Tuomo Rinne)

-- 
Simon McVittie, Collabora Ltd. / Debian
on behalf of the dbus maintainers


More information about the dbus mailing list