Red Hat Bugzilla – Bug 218055
CVE-2006-6107 D-Bus denial of service
Last modified: 2013-03-05 22:48:24 EST
Kimmo Hämäläinen reported a DoS flaw in D-Bus to the freedesktop.org
bugzilla. To quote his bug:
I found a nasty bug from match_rule_equal() that can cause matches
to be removed from another connections (thanks goes to other guys
for finding reproducable use case for the bug).
This flaw can cause a local user to disable the the ability of another
process to receive certain messages. This flaw does not contain any
potential for arbitrary code execution. Here is a more details description
We don't have the software public yet, but the use case was the
following. There are three processes A, B, and C. All of them add
the same match (same value). A is started first, then B, and lastly
C. Now, B and C are closed: if B is closed before C, A's match is
removed; but if C is closed before B, A's match is not removed (no
buggy behaviour). (B and C call dbus_bus_remove_match on exit.)
What's the upstream bug reference?
I'm adding a reference to the upstream bug. This is going to affect REHL5 also,
but I won't file a bug for that until after the embargo (too many embargoed bugs
Please add me (email@example.com) to the upstream bug and/or post the patch here.
Then I can get packages built. Thanks.
OK, You're added to the upstream bug.
Upstream patch is for D-Bus 0.61 - RHEL-4 ships 0.22. Let me ask upstream.
This will be fixed in RHSA-2006:0757
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.