CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 4

CVE-2024-2746 – Incomplete fix for CVE-2024-1929
https://notcve.org/view.php?id=CVE-2024-2746
08 May 2024 — Incomplete fix for CVE-2024-1929. The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user-controlled "plugin". All of this happened before Polkit authentication was even started. The dnf5 library code does not check whether non-root users control the directory in question. On one hand, this poses a Denial-of-Service attack vector by making the daemon operate ... • https://github.com/xct/CVE-2024-27460 • CWE-20: Improper Input Validation