A stack overflow flaw was found in the way the D-BUS message bus service / messaging facility validated messages with excessive number of nested variants. A local, authenticated user could use this flaw to cause dbus daemon to crash (denial of service) via a specially-crafted message sent to the system bus. References: [1] http://www.remlab.net/op/dbus-variant-recursion.shtml Upstream bug report: [2] https://bugs.freedesktop.org/show_bug.cgi?id=32321 CVE Request: [3] http://www.openwall.com/lists/oss-security/2010/12/16/3 Credit: Rémi Denis-Courmont
This issue did NOT affect the version of the dbus package, as shipped with Red Hat Enterprise Linux 4. -- This issue affects the versions of the dbus package, as shipped with Red Hat Enterprise Linux 5 and 6. -- This issue affects the versions of the dbus package, as shipped with Fedora release of 13 and 14.
Created dbus tracking bugs for this issue Affects: fedora-all [bug 663744]
The CVE identifier of CVE-2010-4352 has been assigned to this issue.
Issue fixed in upstream dbus-v1.4.1 version: -------------------------------------------- https://bugs.freedesktop.org/show_bug.cgi?id=32321#c12 From the NEWS: -------------- D-Bus 1.4.1 (20 December 2010) == • Fix for CVE-2010-4352: sending messages with excessively-nested variants can crash the bus. The existing restriction to 64-levels of nesting previously only applied to the static type signature; now it also applies to dynamic nesting using variants. Thanks to Rémi Denis-Courmont for discoving this issue. • OS X portability fixes, including launchd support. • Windows autolaunch improvements. • Various bug fixes Relevant upstream changeset: ---------------------------- http://cgit.freedesktop.org/dbus/dbus/commit/?id=7d65a3a6ed8815e34a99c680ac3869fde49dbbd4
Created attachment 486272 [details] updated rhel5 backport This patch is what I had locally for RHEL5.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2011:0376 https://rhn.redhat.com/errata/RHSA-2011-0376.html