Bug 663673 - (CVE-2010-4352) CVE-2010-4352 D-BUS: Stack overflow by validating message with excessive number of nested variants
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 663744 684850 684851 684852 684853 844272
Reported: 2010-12-16 10:27 EST by Jan Lieskovsky
Modified: 2015-11-24 09:37 EST (History)
Doc Type: Bug Fix
Last Closed: 2015-07-29 09:31:58 EDT

Attachments
updated rhel5 backport (8.92 KB, patch)
2011-03-18 11:52 EDT, Colin Walters

Description Jan Lieskovsky 2010-12-16 10:27:10 EST
A stack overflow flaw was found in the way the D-BUS message
bus service / messaging facility validated messages with
an excessive number of nested variants. A local, authenticated
user could use this flaw to cause the dbus daemon to crash
(denial of service) via a specially-crafted message sent
to the system bus.
[1] http://www.remlab.net/op/dbus-variant-recursion.shtml
Upstream bug report:
[2] https://bugs.freedesktop.org/show_bug.cgi?id=32321        
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2010/12/16/3

Rémi Denis-Courmont
Comment 1 Jan Lieskovsky 2010-12-16 10:30:03 EST
This issue did NOT affect the version of the dbus package,
as shipped with Red Hat Enterprise Linux 4.


This issue affects the versions of the dbus package, as shipped
with Red Hat Enterprise Linux 5 and 6.


This issue affects the versions of the dbus package, as shipped
with Fedora release of 13 and 14.
Comment 3 Jan Lieskovsky 2010-12-16 13:12:36 EST
Created dbus tracking bugs for this issue

Affects: fedora-all [bug 663744]
Comment 5 Jan Lieskovsky 2010-12-17 05:12:01 EST
The CVE identifier of CVE-2010-4352 has been assigned to this issue.
Comment 10 Jan Lieskovsky 2010-12-21 04:55:14 EST
Issue fixed in upstream dbus-v1.4.1 version:

From the NEWS:

D-Bus 1.4.1 (20 December 2010)

 • Fix for CVE-2010-4352: sending messages with excessively-nested variants can
   crash the bus. The existing restriction to 64-levels of nesting previously
   only applied to the static type signature; now it also applies to dynamic
   nesting using variants. Thanks to Rémi Denis-Courmont for discovering this
 • OS X portability fixes, including launchd support.
 • Windows autolaunch improvements.
 • Various bug fixes

Relevant upstream changeset:
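
The run-time depth check that the NEWS entry in comment 10 describes, as an added sketch: this is not the upstream changeset and not D-Bus code. It validates a body made only of `y` (byte) and `v` (variant) values; `validate_variant`, `check_nesting` and `MAX_NESTING` are names assumed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_NESTING 64   /* limit quoted in the D-Bus 1.4.1 NEWS entry */

enum verdict { V_OK, V_TRUNCATED, V_BAD_TYPE, V_TOO_DEEP };

/* Validate one marshalled variant at *p: 1-byte signature length, the
 * signature, a NUL, then the value. Only the single-type signatures "y"
 * (byte) and "v" (nested variant) are handled in this sketch. */
static enum verdict validate_variant(const uint8_t **p, const uint8_t *end,
                                     unsigned depth)
{
    /* The nesting depth comes from the message body, not from the static
     * type signature, so it has to be bounded before recursing. */
    if (depth > MAX_NESTING)
        return V_TOO_DEEP;
    if (end - *p < 3)
        return V_TRUNCATED;
    if ((*p)[0] != 1 || (*p)[2] != 0)
        return V_BAD_TYPE;
    uint8_t type = (*p)[1];
    *p += 3;
    if (type == 'v')
        return validate_variant(p, end, depth + 1);
    if (type != 'y')
        return V_BAD_TYPE;
    if (end - *p < 1)
        return V_TRUNCATED;
    *p += 1;                 /* consume the byte value */
    return V_OK;
}

/* Build n nested variants around one byte value (constructed test input)
 * and run the validator over them. */
enum verdict check_nesting(unsigned n)
{
    size_t len = 3 * (size_t)n + 1;
    uint8_t *buf = calloc(len, 1);
    if (buf == NULL)
        return V_TRUNCATED;  /* allocation failed: nothing to validate */
    for (unsigned i = 0; i < n; i++) {
        buf[3 * i] = 1;                           /* signature length */
        buf[3 * i + 1] = (i + 1 < n) ? 'v' : 'y'; /* NUL is already 0 */
    }
    const uint8_t *p = buf;
    enum verdict v = validate_variant(&p, buf + len, 1);
    free(buf);
    return v;
}
```

Without the `depth` comparison the recursion depth is chosen by whoever builds the message; with it, an input of any length is rejected after at most 64 frames.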
Comment 23 Colin Walters 2011-03-18 11:52:14 EDT
Created attachment 486272 [details]
updated rhel5 backport

This patch is what I had locally for RHEL5.
Comment 24 errata-xmlrpc 2011-03-22 16:50:40 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2011:0376 https://rhn.redhat.com/errata/RHSA-2011-0376.html
