CVE-2024-2746 Common Vulnerabilities and Exposures

Upstream information

CVE-2024-2746 at MITRE

Description

Incomplete fix for CVE-2024-1929

The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a
local root exploit by tricking the daemon into loading a user controlled "plugin". All of this happened before Polkit authentication was even started.

The dnf5 library code does not check whether non-root users control the directory in question.

On one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file
that causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow.
The file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics
are accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though.

Also, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify
a plethora of additional configuration options. This makes various additional code paths in libdnf5 accessible to the attacker.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

SUSE Bugzilla entry: 1218327 [RESOLVED / FIXED]

No SUSE Security Announcements cross referenced.

Status of this issue by product and package

Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification. The updates are grouped by state of their lifecycle. SUSE product lifecycles are documented on the lifecycle page.

Product(s)	Source package	State
Products under general support and receiving all security fixes.
SUSE Linux Enterprise Server 16.1	polkit-default-privs	Affected
SUSE Linux Enterprise Server for SAP applications 16.1	polkit-default-privs	Affected

SUSE Timeline for this CVE

CVE page created: Thu Dec 21 23:30:04 2023
CVE page last modified: Thu Feb 26 15:12:47 2026