Incomplete fix for CVE-2024-1929
The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a
local root exploit by tricking the daemon into loading a user controlled "plugin". All of this happened before Polkit authentication was even started.
The dnf5 library code does not check whether non-root users control the directory in question.
On one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file
that causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow.
The file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics
are accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though.
Also, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify
a plethora of additional configuration options. This makes various additional code paths in libdnf5 accessible to the attacker.
References
Configurations
No configuration.
History
21 Nov 2024, 09:10
Type | Values Removed | Values Added |
---|---|---|
References | () https://www.openwall.com/lists/oss-security/2024/04/03/5 - |
12 Jul 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
Summary | (en) Incomplete fix for CVE-2024-1929 The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user controlled "plugin". All of this happened before Polkit authentication was even started. The dnf5 library code does not check whether non-root users control the directory in question. On one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file that causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow. The file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics are accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though. Also, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify a plethora of additional configuration options. This makes various additional code paths in libdnf5 accessible to the attacker. |
08 May 2024, 13:15
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
08 May 2024, 02:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-05-08 02:15
Updated : 2024-11-21 09:10
NVD link : CVE-2024-2746
Mitre link : CVE-2024-2746
CVE.ORG link : CVE-2024-2746
JSON object : View
Products Affected
No product.
CWE
CWE-20
Improper Input Validation