Bug 663673 (CVE-2010-4352) - CVE-2010-4352 D-BUS: Stack overflow by validating message with excessive number of nested variants
Alias: CVE-2010-4352
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 663744 684850 684851 684852 684853 844272
Reported: 2010-12-16 15:27 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:41 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-07-29 13:31:58 UTC

Attachments
updated rhel5 backport (8.92 KB, patch)
2011-03-18 15:52 UTC, Colin Walters

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0376 0 normal SHIPPED_LIVE Moderate: dbus security update 2011-03-22 20:50:31 UTC

Description Jan Lieskovsky 2010-12-16 15:27:10 UTC
A stack overflow flaw was found in the way the D-BUS message
bus service / messaging facility validated messages with
an excessive number of nested variants. A local, authenticated
user could use this flaw to cause the dbus daemon to crash
(denial of service) via a specially-crafted message sent
to the system bus.
[1] http://www.remlab.net/op/dbus-variant-recursion.shtml
Upstream bug report:
[2] https://bugs.freedesktop.org/show_bug.cgi?id=32321        
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2010/12/16/3

Rémi Denis-Courmont

Comment 1 Jan Lieskovsky 2010-12-16 15:30:03 UTC
This issue did NOT affect the version of the dbus package,
as shipped with Red Hat Enterprise Linux 4.


This issue affects the versions of the dbus package, as shipped
with Red Hat Enterprise Linux 5 and 6.


This issue affects the versions of the dbus package, as shipped
with Fedora releases 13 and 14.

Comment 3 Jan Lieskovsky 2010-12-16 18:12:36 UTC
Created dbus tracking bugs for this issue

Affects: fedora-all [bug 663744]

Comment 5 Jan Lieskovsky 2010-12-17 10:12:01 UTC
The CVE identifier of CVE-2010-4352 has been assigned to this issue.

Comment 10 Jan Lieskovsky 2010-12-21 09:55:14 UTC
Issue fixed in upstream dbus-v1.4.1 version:

From the NEWS:

D-Bus 1.4.1 (20 December 2010)

 • Fix for CVE-2010-4352: sending messages with excessively-nested variants can
   crash the bus. The existing restriction to 64 levels of nesting previously
   only applied to the static type signature; now it also applies to dynamic
   nesting using variants. Thanks to Rémi Denis-Courmont for discovering this
 • OS X portability fixes, including launchd support.
 • Windows autolaunch improvements.
 • Various bug fixes

Relevant upstream changeset:
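
The NEWS entry quoted in comment 10 says the 64-level nesting limit now also applies to dynamic nesting through variants. The C below is an added example of such a depth-bounded recursive validator, not dbus code and not part of this bug report; the toy encoding ('v' wraps another value, 'y' is a one-byte leaf) and every name in it (validate_value, validate_body, verdict_for_nesting, MAX_NESTING) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NESTING 64 /* the 64-level limit quoted in the NEWS entry */

enum verdict { VALID, TRUNCATED, UNKNOWN_TYPE, TRAILING_DATA, NESTED_TOO_DEEPLY };

/* Toy encoding (assumption, NOT the D-Bus wire format): a value is one type
 * byte plus payload; 'v' = variant wrapping another value, 'y' = 1-byte leaf. */
static enum verdict validate_value(const unsigned char *p, size_t len,
                                   unsigned depth, size_t *used)
{
    /* Depth is counted on the data itself and checked before recursing, so
     * stack use is bounded by MAX_NESTING frames whatever the sender supplies. */
    if (depth > MAX_NESTING) return NESTED_TOO_DEEPLY;
    if (len < 1) return TRUNCATED;
    if (p[0] == 'y') {
        if (len < 2) return TRUNCATED;
        *used = 2;
        return VALID;
    }
    if (p[0] != 'v') return UNKNOWN_TYPE;
    enum verdict r = validate_value(p + 1, len - 1, depth + 1, used);
    if (r == VALID) *used += 1; /* account for this level's 'v' byte */
    return r;
}

/* A body is exactly one value with no bytes left over. */
enum verdict validate_body(const unsigned char *body, size_t len)
{
    size_t used = 0;
    enum verdict r = validate_value(body, len, 0, &used);
    return (r == VALID && used != len) ? TRAILING_DATA : r;
}

/* Constructed sample input: n variant markers around one leaf byte. */
enum verdict verdict_for_nesting(size_t n)
{
    static unsigned char buf[4096];
    if (n + 2 > sizeof buf) return TRUNCATED;
    memset(buf, 'v', n);
    buf[n] = 'y'; buf[n + 1] = 0x2a;
    return validate_body(buf, n + 2);
}

int main(void)
{
    printf("64: %d, 65: %d\n", verdict_for_nesting(64), verdict_for_nesting(65));
    return 0;
}
```

Without the depth check the recursion depth would equal the number of 'v' bytes in the input, which is the condition the bug title describes.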

Comment 23 Colin Walters 2011-03-18 15:52:14 UTC
Created attachment 486272 [details]
updated rhel5 backport

This patch is what I had locally for RHEL5.

Comment 24 errata-xmlrpc 2011-03-22 20:50:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2011:0376 https://rhn.redhat.com/errata/RHSA-2011-0376.html
