[Bug 2061155] Re: Use-after-close vulnerability in dbus-broker 35. Please upgrade package to 36
Luca Boccassi
2061155 at bugs.launchpad.net
Tue May 6 14:13:22 UTC 2025
A backport is available on Salsa, tested and ready to be source-uploaded
by a sponsor:
https://salsa.debian.org/bluca/dbus-
broker/-/tree/ubuntu/noble?ref_type=heads
Note that it also contains a fix for
https://bugs.launchpad.net/ubuntu/+source/dbus-broker/+bug/2110040
** Also affects: dbus-broker (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: dbus-broker (Ubuntu Questing)
Importance: Undecided
Status: New
** Changed in: dbus-broker (Ubuntu Questing)
Status: New => Fix Released
** Also affects: dbus-broker (Ubuntu Oracular)
Importance: Undecided
Status: New
** Also affects: dbus-broker (Ubuntu Plucky)
Importance: Undecided
Status: New
** Changed in: dbus-broker (Ubuntu Plucky)
Status: New => Fix Released
** Changed in: dbus-broker (Ubuntu Oracular)
Status: New => Fix Released
** Changed in: dbus-broker (Ubuntu Noble)
Status: New => Confirmed
** Description changed:
+ [Original Description/Impact]
+
Per https://github.com/bus1/dbus-broker/releases/tag/v36 :
# dbus-broker - Linux D-Bus Message Broker
## CHANGES WITH 36:
- * Fix possible file-descriptor use-after-close, which can lead to
- broker termination or disclosure of internal file-desciptors to
- clients.
+ * Fix possible file-descriptor use-after-close, which can lead to
+ broker termination or disclosure of internal file-desciptors to
+ clients.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: dbus-broker 35-2
ProcVersionSignature: Ubuntu 6.8.0-22.22-generic 6.8.1
Uname: Linux 6.8.0-22-generic x86_64
ApportVersion: 2.28.0-0ubuntu1
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Fri Apr 12 11:24:50 2024
InstallationDate: Installed on 2024-04-08 (4 days ago)
InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Daily amd64 (20240407.2)
ProcEnviron:
- LANG=en_US.UTF-8
- PATH=(custom, no user)
- SHELL=/bin/bash
- TERM=xterm-256color
- XDG_RUNTIME_DIR=<set>
+ LANG=en_US.UTF-8
+ PATH=(custom, no user)
+ SHELL=/bin/bash
+ TERM=xterm-256color
+ XDG_RUNTIME_DIR=<set>
SourcePackage: dbus-broker
UpgradeStatus: No upgrade log present (probably fresh install)
+
+ This is a potential issue, that hasn't been demonstrated in practice,
+ but it would be good to fix it in the noble LTS release anyway, just in
+ case. The fix has been out and in multiple Ubuntu releases including
+ Oracular and Plucky, and no issues have been reported.
+
+ [Test Plan]
+
+ Build and install the patched dbus-broker in a container and check that
+ it doesn't break:
+
+ Noble:
+
+ root at localhost:/tmp# apt install ./dbus-broker_35-2ubuntu0.1_amd64.deb
+ Reading package lists... Done
+ Building dependency tree... Done
+ Reading state information... Done
+ Note, selecting 'dbus-broker' instead of './dbus-broker_35-2ubuntu0.1_amd64.deb'
+ The following NEW packages will be installed:
+ dbus-broker
+ 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
+ Need to get 0 B/169 kB of archives.
+ After this operation, 430 kB of additional disk space will be used.
+ Get:1 /tmp/dbus-broker_35-2ubuntu0.1_amd64.deb dbus-broker amd64 35-2ubuntu0.1 [169 kB]
+ Selecting previously unselected package dbus-broker.
+ (Reading database ... 27500 files and directories currently installed.)
+ Preparing to unpack .../dbus-broker_35-2ubuntu0.1_amd64.deb ...
+ Unpacking dbus-broker (35-2ubuntu0.1) ...
+ Setting up dbus-broker (35-2ubuntu0.1) ...
+ Replacing the running dbus-daemon with dbus-broker requires a reboot:
+ please reboot the system when convenient.
+ Created symlink /etc/systemd/user/dbus.service → /usr/lib/systemd/user/dbus-broker.service.
+ Created symlink /etc/systemd/system/dbus.service → /usr/lib/systemd/system/dbus-broker.service.
+ Processing triggers for man-db (2.12.0-4build2) ...
+ Processing triggers for systemd (255.4-1ubuntu8) ...
+ root at localhost:/tmp# systemctl daemon-reload
+ root at localhost:/tmp# systemctl restart dbus-broker
+ root at localhost:/tmp# systemctl status dbus-broker
+ ● dbus-broker.service - D-Bus System Message Bus
+ Loaded: loaded (/usr/lib/systemd/system/dbus-broker.service; enabled; preset: enabled)
+ Active: active (running) since Tue 2025-05-06 15:00:08 BST; 3s ago
+ TriggeredBy: ● dbus.socket
+ Docs: man:dbus-broker-launch(1)
+ Main PID: 2458 (dbus-broker-lau)
+ Tasks: 2 (limit: 66786)
+ Memory: 1.3M (peak: 2.1M)
+ CPU: 10ms
+ CGroup: /system.slice/dbus-broker.service
+ ├─2458 /usr/bin/dbus-broker-launch --scope system --audit
+ └─2459 dbus-broker --log 4 --controller 9 --machine-id b70250626e354e8481fe3ed01e2a769f --max-bytes 5368>
+
+ May 06 15:00:08 localhost systemd[1]: Starting dbus-broker.service - D-Bus System Message Bus...
+ May 06 15:00:08 localhost dbus-broker-launch[2458]: Kernel is missing AppArmor DBus support.
+ May 06 15:00:08 localhost systemd[1]: Started dbus-broker.service - D-Bus System Message Bus.
+ May 06 15:00:08 localhost dbus-broker-launch[2458]: Ready
+ root at localhost:/tmp# cat /etc/os-release
+ PRETTY_NAME="Ubuntu 24.04 LTS"
+ NAME="Ubuntu"
+ VERSION_ID="24.04"
+ VERSION="24.04 LTS (Noble Numbat)"
+ VERSION_CODENAME=noble
+ ID=ubuntu
+ ID_LIKE=debian
+ HOME_URL="https://www.ubuntu.com/"
+ SUPPORT_URL="https://help.ubuntu.com/"
+ BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
+ PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
+ UBUNTU_CODENAME=noble
+ LOGO=ubuntu-logo
+
+
+ [Where problems could occur]
+
+ File descriptor handling is pretty central to D-Bus, so if a problem
+ occurred there the system functionality would degrade and probably stop
+ working entirely, as clients would no longer be able to successfully
+ pass FDs via D-Bus messages, which is relied upon heavily by components
+ such as systemd.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dbus-broker in Ubuntu.
https://bugs.launchpad.net/bugs/2061155
Title:
Use-after-close vulnerability in dbus-broker 35. Please upgrade
package to 36
Status in dbus-broker package in Ubuntu:
Fix Released
Status in dbus-broker source package in Noble:
Confirmed
Status in dbus-broker source package in Oracular:
Fix Released
Status in dbus-broker source package in Plucky:
Fix Released
Status in dbus-broker source package in Questing:
Fix Released
Bug description:
[Original Description/Impact]
Per https://github.com/bus1/dbus-broker/releases/tag/v36 :
# dbus-broker - Linux D-Bus Message Broker
## CHANGES WITH 36:
* Fix possible file-descriptor use-after-close, which can lead to
broker termination or disclosure of internal file-desciptors to
clients.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: dbus-broker 35-2
ProcVersionSignature: Ubuntu 6.8.0-22.22-generic 6.8.1
Uname: Linux 6.8.0-22-generic x86_64
ApportVersion: 2.28.0-0ubuntu1
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Fri Apr 12 11:24:50 2024
InstallationDate: Installed on 2024-04-08 (4 days ago)
InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Daily amd64 (20240407.2)
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-256color
XDG_RUNTIME_DIR=<set>
SourcePackage: dbus-broker
UpgradeStatus: No upgrade log present (probably fresh install)
This is a potential issue, that hasn't been demonstrated in practice,
but it would be good to fix it in the noble LTS release anyway, just
in case. The fix has been out and in multiple Ubuntu releases
including Oracular and Plucky, and no issues have been reported.
[Test Plan]
Build and install the patched dbus-broker in a container and check
that it doesn't break:
Noble:
root at localhost:/tmp# apt install ./dbus-broker_35-2ubuntu0.1_amd64.deb
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'dbus-broker' instead of './dbus-broker_35-2ubuntu0.1_amd64.deb'
The following NEW packages will be installed:
dbus-broker
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/169 kB of archives.
After this operation, 430 kB of additional disk space will be used.
Get:1 /tmp/dbus-broker_35-2ubuntu0.1_amd64.deb dbus-broker amd64 35-2ubuntu0.1 [169 kB]
Selecting previously unselected package dbus-broker.
(Reading database ... 27500 files and directories currently installed.)
Preparing to unpack .../dbus-broker_35-2ubuntu0.1_amd64.deb ...
Unpacking dbus-broker (35-2ubuntu0.1) ...
Setting up dbus-broker (35-2ubuntu0.1) ...
Replacing the running dbus-daemon with dbus-broker requires a reboot:
please reboot the system when convenient.
Created symlink /etc/systemd/user/dbus.service → /usr/lib/systemd/user/dbus-broker.service.
Created symlink /etc/systemd/system/dbus.service → /usr/lib/systemd/system/dbus-broker.service.
Processing triggers for man-db (2.12.0-4build2) ...
Processing triggers for systemd (255.4-1ubuntu8) ...
root at localhost:/tmp# systemctl daemon-reload
root at localhost:/tmp# systemctl restart dbus-broker
root at localhost:/tmp# systemctl status dbus-broker
● dbus-broker.service - D-Bus System Message Bus
Loaded: loaded (/usr/lib/systemd/system/dbus-broker.service; enabled; preset: enabled)
Active: active (running) since Tue 2025-05-06 15:00:08 BST; 3s ago
TriggeredBy: ● dbus.socket
Docs: man:dbus-broker-launch(1)
Main PID: 2458 (dbus-broker-lau)
Tasks: 2 (limit: 66786)
Memory: 1.3M (peak: 2.1M)
CPU: 10ms
CGroup: /system.slice/dbus-broker.service
├─2458 /usr/bin/dbus-broker-launch --scope system --audit
└─2459 dbus-broker --log 4 --controller 9 --machine-id b70250626e354e8481fe3ed01e2a769f --max-bytes 5368>
May 06 15:00:08 localhost systemd[1]: Starting dbus-broker.service - D-Bus System Message Bus...
May 06 15:00:08 localhost dbus-broker-launch[2458]: Kernel is missing AppArmor DBus support.
May 06 15:00:08 localhost systemd[1]: Started dbus-broker.service - D-Bus System Message Bus.
May 06 15:00:08 localhost dbus-broker-launch[2458]: Ready
root at localhost:/tmp# cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
[Where problems could occur]
File descriptor handling is pretty central to D-Bus, so if a problem
occurred there the system functionality would degrade and probably
stop working entirely, as clients would no longer be able to
successfully pass FDs via D-Bus messages, which is relied upon heavily
by components such as systemd.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus-broker/+bug/2061155/+subscriptions
More information about the foundations-bugs
mailing list