Bug 663673 (CVE-2010-4352) - CVE-2010-4352 D-BUS: Stack overflow by validating message with excessive number of nested variants
Summary: CVE-2010-4352 D-BUS: Stack overflow by validating message with excessive numb...
Status: CLOSED ERRATA
Alias: CVE-2010-4352
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20101211,reported=20101215,sou...
Keywords: Security
Depends On: 663744 684850 684851 684852 684853 844272
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-12-16 15:27 UTC by Jan Lieskovsky
Modified: 2019-06-08 18:42 UTC (History)
7 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-07-29 13:31:58 UTC


Attachments (Terms of Use)
updated rhel5 backport (8.92 KB, patch)
2011-03-18 15:52 UTC, Colin Walters
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0376 normal SHIPPED_LIVE Moderate: dbus security update 2011-03-22 20:50:31 UTC

Description Jan Lieskovsky 2010-12-16 15:27:10 UTC
A stack overflow flaw was found in the way the D-BUS message
bus service / messaging facility validated messages with
excessive number of nested variants. A local, authenticated
user could use this flaw to cause dbus daemon to crash
(denial of service) via a specially-crafted message sent
to the system bus.
 
References:
[1] http://www.remlab.net/op/dbus-variant-recursion.shtml
   
Upstream bug report:
[2] https://bugs.freedesktop.org/show_bug.cgi?id=32321        
 
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2010/12/16/3

Credit:
Rémi Denis-Courmont

Comment 1 Jan Lieskovsky 2010-12-16 15:30:03 UTC
This issue did NOT affect the version of the dbus package,
as shipped with Red Hat Enterprise Linux 4.

--

This issue affects the versions of the dbus package, as shipped
with Red Hat Enterprise Linux 5 and 6.


--

This issue affects the versions of the dbus package, as shipped
with Fedora release of 13 and 14.

Comment 3 Jan Lieskovsky 2010-12-16 18:12:36 UTC
Created dbus tracking bugs for this issue

Affects: fedora-all [bug 663744]

Comment 5 Jan Lieskovsky 2010-12-17 10:12:01 UTC
The CVE identifier of CVE-2010-4352 has been assigned to this issue.

Comment 10 Jan Lieskovsky 2010-12-21 09:55:14 UTC
Issue fixed in upstream dbus-v1.4.1 version:
--------------------------------------------
https://bugs.freedesktop.org/show_bug.cgi?id=32321#c12

From the NEWS:
--------------

D-Bus 1.4.1 (20 December 2010)
==

 • Fix for CVE-2010-4352: sending messages with excessively-nested variants can
   crash the bus. The existing restriction to 64-levels of nesting previously
   only applied to the static type signature; now it also applies to dynamic
   nesting using variants. Thanks to Rémi Denis-Courmont for discoving this
   issue.
 • OS X portability fixes, including launchd support.
 • Windows autolaunch improvements.
 • Various bug fixes

Relevant upstream changeset:
----------------------------
http://cgit.freedesktop.org/dbus/dbus/commit/?id=7d65a3a6ed8815e34a99c680ac3869fde49dbbd4

Comment 23 Colin Walters 2011-03-18 15:52:14 UTC
Created attachment 486272 [details]
updated rhel5 backport

This patch is what I had locally for RHEL5.

Comment 24 errata-xmlrpc 2011-03-22 20:50:40 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2011:0376 https://rhn.redhat.com/errata/RHSA-2011-0376.html


Note You need to log in before you can comment on or make changes to this bug.