CVE-2024-2746

Severity CVSS v4.0:
Pending analysis
Type:
CWE-20 Input Validation
Publication date:
08/05/2024
Last modified:
15/04/2026

Description

Incomplete fix for CVE-2024-1929

The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user-controlled "plugin". All of this happened before Polkit authentication was even started.

The dnf5 library code does not check whether non-root users control the directory in question.

On one hand, this poses a Denial-of-Service attack vector by making the daemon operate on a blocking file (e.g. named FIFO special file) or a very large file that causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow. The file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics are accessible to unprivileged users. In the case of libdnf5, no such user-accessible diagnostics should exist, though.

Also, a local attacker can place a valid repository configuration file in this directory. This configuration file allows specifying a plethora of additional configuration options. This makes various additional code paths in libdnf5 accessible to the attacker.
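
The kind of check the description says is missing, as an added example (not dnf5 or libdnf5 code): the helper name open_trusted_config, its parameters and the 1 MiB limit in main are assumptions made for illustration. It verifies owner and mode on the opened descriptors and rejects FIFOs, device nodes, symlinks and oversized files before any INI parsing would start.

```cpp
#include <cerrno>
#include <cstdlib>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical helper: returns a read-only fd on success, a negative errno value on rejection.
// trusted_uid is the only owner accepted for the directory and the file (0 for a root daemon).
int open_trusted_config(const char* dir, const char* name, uid_t trusted_uid, off_t max_size) {
    // O_DIRECTORY | O_NOFOLLOW: the path must be a real directory, not a symlink to one.
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -errno;
    struct stat st;
    // fstat the descriptor, not the path, so the object checked is the object used.
    if (fstat(dfd, &st) != 0 || st.st_uid != trusted_uid || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        return -EPERM;  // directory is (or may be) controlled by another user
    }
    // O_NONBLOCK: a FIFO without a writer opens immediately instead of blocking the daemon.
    // openat resolves the name relative to the directory that was just verified.
    int fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    int err = errno;
    close(dfd);
    if (fd < 0) return -err;  // includes ELOOP when the name is a symlink
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -EINVAL;  // FIFO, device node such as /dev/zero, socket, directory
    }
    if (st.st_uid != trusted_uid || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -EPERM;  // file content could be written by another user
    }
    if (st.st_size > max_size) {
        close(fd);
        return -EFBIG;  // bound memory use before reading anything
    }
    return fd;
}

// Usage: ./check <directory> <file name>; exit status 0 means the file passed all checks.
int main(int argc, char** argv) {
    if (argc != 3) return EXIT_FAILURE;
    int fd = open_trusted_config(argv[1], argv[2], 0, 1 << 20);  // root-owned, at most 1 MiB
    if (fd < 0) return EXIT_FAILURE;
    close(fd);
    return EXIT_SUCCESS;
}
```

Only the immediate directory is checked here; every ancestor directory would also have to be outside unprivileged control for the path to be trustworthy.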