This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 663673 - (CVE-2010-4352) CVE-2010-4352 D-BUS: Stack overflow by validating message with excessive number of nested variants
CVE-2010-4352 D-BUS: Stack overflow by validating message with excessive numb...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
public=20101211,reported=20101215,sou...
: Security
Depends On: 663744 684850 684851 684852 684853 844272
Blocks:
  Show dependency treegraph
 
Reported: 2010-12-16 10:27 EST by Jan Lieskovsky
Modified: 2015-11-24 09:37 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-29 09:31:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
updated rhel5 backport (8.92 KB, patch)
2011-03-18 11:52 EDT, Colin Walters
no flags Details | Diff

  None (edit)
Description Jan Lieskovsky 2010-12-16 10:27:10 EST
A stack overflow flaw was found in the way the D-BUS message
bus service / messaging facility validated messages with
excessive number of nested variants. A local, authenticated
user could use this flaw to cause dbus daemon to crash
(denial of service) via a specially-crafted message sent
to the system bus.
 
References:
[1] http://www.remlab.net/op/dbus-variant-recursion.shtml
   
Upstream bug report:
[2] https://bugs.freedesktop.org/show_bug.cgi?id=32321        
 
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2010/12/16/3

Credit:
Rémi Denis-Courmont
Comment 1 Jan Lieskovsky 2010-12-16 10:30:03 EST
This issue did NOT affect the version of the dbus package,
as shipped with Red Hat Enterprise Linux 4.

--

This issue affects the versions of the dbus package, as shipped
with Red Hat Enterprise Linux 5 and 6.


--

This issue affects the versions of the dbus package, as shipped
with Fedora release of 13 and 14.
Comment 3 Jan Lieskovsky 2010-12-16 13:12:36 EST
Created dbus tracking bugs for this issue

Affects: fedora-all [bug 663744]
Comment 5 Jan Lieskovsky 2010-12-17 05:12:01 EST
The CVE identifier of CVE-2010-4352 has been assigned to this issue.
Comment 10 Jan Lieskovsky 2010-12-21 04:55:14 EST
Issue fixed in upstream dbus-v1.4.1 version:
--------------------------------------------
https://bugs.freedesktop.org/show_bug.cgi?id=32321#c12

From the NEWS:
--------------

D-Bus 1.4.1 (20 December 2010)
==

 • Fix for CVE-2010-4352: sending messages with excessively-nested variants can
   crash the bus. The existing restriction to 64-levels of nesting previously
   only applied to the static type signature; now it also applies to dynamic
   nesting using variants. Thanks to Rémi Denis-Courmont for discoving this
   issue.
 • OS X portability fixes, including launchd support.
 • Windows autolaunch improvements.
 • Various bug fixes

Relevant upstream changeset:
----------------------------
http://cgit.freedesktop.org/dbus/dbus/commit/?id=7d65a3a6ed8815e34a99c680ac3869fde49dbbd4
Comment 23 Colin Walters 2011-03-18 11:52:14 EDT
Created attachment 486272 [details]
updated rhel5 backport

This patch is what I had locally for RHEL5.
Comment 24 errata-xmlrpc 2011-03-22 16:50:40 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2011:0376 https://rhn.redhat.com/errata/RHSA-2011-0376.html

Note You need to log in before you can comment on or make changes to this bug.