Bug 663673 (CVE-2010-4352)

Summary: CVE-2010-4352 D-BUS: Stack overflow by validating message with excessive number of nested variants
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: dcbw, lpoetter, mclasen, rhughes, vkrizan, walters
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-07-29 13:31:58 UTC
Bug Depends On: 663744, 684850, 684851, 684852, 684853, 844272
Attachments: updated rhel5 backport (flags: none)

Description Jan Lieskovsky 2010-12-16 15:27:10 UTC
A stack overflow flaw was found in the way the D-BUS message
bus service / messaging facility validated messages with
an excessive number of nested variants. A local, authenticated
user could use this flaw to cause the dbus daemon to crash
(denial of service) via a specially-crafted message sent
to the system bus.
 
References:
[1] http://www.remlab.net/op/dbus-variant-recursion.shtml
   
Upstream bug report:
[2] https://bugs.freedesktop.org/show_bug.cgi?id=32321        
 
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2010/12/16/3

Credit:
Rémi Denis-Courmont

Comment 1 Jan Lieskovsky 2010-12-16 15:30:03 UTC
This issue did NOT affect the version of the dbus package,
as shipped with Red Hat Enterprise Linux 4.

--

This issue affects the versions of the dbus package, as shipped
with Red Hat Enterprise Linux 5 and 6.


--

This issue affects the versions of the dbus package, as shipped
with Fedora releases 13 and 14.

Comment 3 Jan Lieskovsky 2010-12-16 18:12:36 UTC
Created dbus tracking bugs for this issue

Affects: fedora-all [bug 663744]

Comment 5 Jan Lieskovsky 2010-12-17 10:12:01 UTC
The CVE identifier of CVE-2010-4352 has been assigned to this issue.

Comment 10 Jan Lieskovsky 2010-12-21 09:55:14 UTC
Issue fixed in upstream dbus-v1.4.1 version:
--------------------------------------------
https://bugs.freedesktop.org/show_bug.cgi?id=32321#c12

From the NEWS:
--------------

D-Bus 1.4.1 (20 December 2010)
==

 • Fix for CVE-2010-4352: sending messages with excessively-nested variants can
   crash the bus. The existing restriction to 64-levels of nesting previously
   only applied to the static type signature; now it also applies to dynamic
   nesting using variants. Thanks to Rémi Denis-Courmont for discovering this
   issue.
 • OS X portability fixes, including launchd support.
 • Windows autolaunch improvements.
 • Various bug fixes

Relevant upstream changeset:
----------------------------
http://cgit.freedesktop.org/dbus/dbus/commit/?id=7d65a3a6ed8815e34a99c680ac3869fde49dbbd4
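
The distinction drawn in the NEWS entry above (a depth limit on the static signature versus a limit on run-time variant nesting) is illustrated by the following added example, which is not D-Bus code and not part of this bug report. It validates a body of signature "v" with a loop and a depth counter; the names `validate_variant_body` and `build_nested`, the restriction to three types, and the exact way levels are counted against the 64-level limit are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NESTING 64  /* the 64-level limit quoted in the NEWS entry */

enum result { BODY_OK, BODY_BAD_LENGTH, BODY_BAD_SIGNATURE, BODY_TOO_DEEP };

/* A variant is marshalled as: signature length byte, signature, NUL, value.
 * Only 'y' (byte), 'u' (uint32, 4-byte aligned) and 'v' are handled here;
 * padding bytes are skipped without being checked. */
enum result validate_variant_body(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    unsigned depth = 0;

    for (;;) {
        /* Count each variant entered at run time: the static signature "v"
         * looks one level deep no matter what the value contains. */
        if (++depth > MAX_NESTING) return BODY_TOO_DEEP;
        if (len - pos < 3) return BODY_BAD_LENGTH;
        if (buf[pos] != 1 || buf[pos + 2] != 0) return BODY_BAD_SIGNATURE;
        uint8_t type = buf[pos + 1];
        pos += 3;
        if (type == 'v') continue;          /* nested variant: loop, no recursion */
        if (type == 'y') return len - pos == 1 ? BODY_OK : BODY_BAD_LENGTH;
        if (type != 'u') return BODY_BAD_SIGNATURE;
        pos = (pos + 3) & ~(size_t)3;       /* pad to a 4-byte boundary */
        return (pos <= len && len - pos == 4) ? BODY_OK : BODY_BAD_LENGTH;
    }
}

/* Constructed sample input: n >= 1 nested variants around the byte 0x2a. */
size_t build_nested(uint8_t *out, unsigned n)
{
    size_t pos = 0;
    for (unsigned i = 0; i < n; i++, pos += 3)
        memcpy(out + pos, (i + 1 < n) ? "\001v" : "\001y", 3);
    out[pos++] = 0x2a;
    return pos;
}

int main(void)
{
    uint8_t buf[3 * 65 + 1];
    size_t n = build_nested(buf, 65);
    printf("65 nested variants -> %d\n", validate_variant_body(buf, n));
    return 0;
}
```

Because the loop keeps its state in two local variables, stack use stays constant however deep the input nests; a recursive validator needs the same depth check before each descent.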

Comment 23 Colin Walters 2011-03-18 15:52:14 UTC
Created attachment 486272 [details]
updated rhel5 backport

This patch is what I had locally for RHEL5.

Comment 24 errata-xmlrpc 2011-03-22 20:50:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2011:0376 https://rhn.redhat.com/errata/RHSA-2011-0376.html