dbus variant recursion crash

Bug #688992 reported by Rémi Denis-Courmont on 2010-12-11
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
D-Bus | Fix Released | Undecided | Unassigned |
dbus (Ubuntu) | | Medium | Unassigned |
Hardy | | Medium | Jamie Strandboge |
Karmic | | Medium | Jamie Strandboge |
Lucid | | Medium | Jamie Strandboge |
Maverick | | Medium | Jamie Strandboge |
Natty | | Medium | Unassigned |

Bug Description

Binary package hint: dbus

The bus daemon can be crashed by sending a valid D-Bus message with lots of nested variants.

Further information is available here: http://www.remlab.net/op/dbus-variant-recursion.shtml
and in the upstream bug.

visibility: private → public
Jamie Strandboge (jdstrand) wrote :

From oss-security:

"just FYI, particular bugzilla entry now opened:
[1] https://bugs.freedesktop.org/show_bug.cgi?id=32321

Issue fixed in dbus-v1.4.1 release:
[2] https://bugs.freedesktop.org/show_bug.cgi?id=32321#c12

And relevant changeset (from c#13):
[3] http://cgit.freedesktop.org/dbus/dbus/commit/?id=7d65a3a6ed8815e34a99c680ac3869fde49dbbd4"

Changed in dbus (Ubuntu):
importance: Undecided → Low
Changed in dbus (Ubuntu):
status: New → Confirmed
Changed in dbus (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in dbus (Ubuntu):
status: Confirmed → In Progress
Changed in dbus:
importance: Unknown → Undecided
status: Unknown → New
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

This is fixed in 1.4.1-0ubuntu2 in Natty.

Changed in dbus (Ubuntu Natty):
status: In Progress → Fix Released
assignee: Jamie Strandboge (jdstrand) → nobody
Changed in dbus (Ubuntu Maverick):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in dbus (Ubuntu Natty):
importance: Low → Medium
Changed in dbus (Ubuntu Maverick):
importance: Undecided → Medium
status: New → In Progress
Changed in dbus (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in dbus (Ubuntu Hardy):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in dbus (Ubuntu Karmic):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

Uploaded patched packages to the security PPA.

Changed in dbus (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in dbus (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in dbus (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in dbus (Ubuntu Karmic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.4.0-0ubuntu1.1

---------------
dbus (1.4.0-0ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: fix DoS with too deeply nested messages
    - debian/patches/99-CVE-2010-4352.patch: Limit nesting to 64 for dynamic
      message variants.
    - CVE-2010-4352
    - LP: #688992
 -- Jamie Strandboge <email address hidden> Tue, 04 Jan 2011 14:10:39 -0600

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.2.16-2ubuntu4.1

---------------
dbus (1.2.16-2ubuntu4.1) lucid-security; urgency=low

  * SECURITY UPDATE: fix DoS with too deeply nested messages
    - debian/patches/99-CVE-2010-4352.patch: Limit nesting to 64 for dynamic
      message variants. Backported from upstream.
    - CVE-2010-4352
    - LP: #688992
 -- Jamie Strandboge <email address hidden> Tue, 04 Jan 2011 14:33:58 -0600

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.2.16-0ubuntu9.1

---------------
dbus (1.2.16-0ubuntu9.1) karmic-security; urgency=low

  * SECURITY UPDATE: fix DoS with too deeply nested messages
    - debian/patches/99-CVE-2010-4352.patch: Limit nesting to 64 for dynamic
      message variants. Backported from upstream.
    - CVE-2010-4352
    - LP: #688992
  * debian/control: Build-Depends on libexpat1-dev instead of libexpat-dev
 -- Jamie Strandboge <email address hidden> Tue, 04 Jan 2011 14:37:19 -0600

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.1.20-1ubuntu3.4

---------------
dbus (1.1.20-1ubuntu3.4) hardy-security; urgency=low

  * SECURITY UPDATE: fix DoS with too deeply nested messages
    - debian/patches/84-CVE-2010-4352.patch: Limit nesting to 64 for dynamic
      message variants. Backported from upstream.
    - CVE-2010-4352
    - LP: #688992
  * debian/control: Build-Depends on libexpat1-dev instead of libexpat-dev
 -- Jamie Strandboge <email address hidden> Tue, 04 Jan 2011 15:04:29 -0600

Changed in dbus (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in dbus (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in dbus (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in dbus (Ubuntu Maverick):
status: Fix Committed → Fix Released
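
The changelog entries above describe the fix as limiting nesting to 64 for dynamic message variants. As an added illustration (not the upstream changeset or the Ubuntu backport), the C code below validates a marshalled variant holding a byte, a uint32 or another variant, walking the nesting in a loop with an explicit depth counter instead of recursing. The names `validate_variant`, `build_chain` and `MAX_VARIANT_DEPTH` are hypothetical, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_VARIANT_DEPTH 64 /* limit from the changelog; macro name is hypothetical */
enum vresult { V_OK, V_BAD_LENGTH, V_BAD_SIGNATURE, V_BAD_PADDING, V_TOO_DEEP };

/* Validate one marshalled VARIANT whose contained type is a single 'y' (byte),
 * 'u' (uint32) or 'v' (another variant). buf is assumed to start on an 8-byte
 * boundary. An explicit depth counter keeps stack use constant at any nesting. */
enum vresult validate_variant(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    for (unsigned depth = 1; ; depth++) {
        if (depth > MAX_VARIANT_DEPTH) return V_TOO_DEEP;
        /* signature: length byte (1), type code, NUL terminator */
        if (len - pos < 3) return V_BAD_LENGTH;
        if (buf[pos] != 1 || buf[pos + 2] != 0) return V_BAD_SIGNATURE;
        uint8_t type = buf[pos + 1];
        pos += 3;
        if (type == 'v') continue; /* variants are 1-byte aligned: no padding */
        if (type == 'y') return (len - pos == 1) ? V_OK : V_BAD_LENGTH;
        if (type != 'u') return V_BAD_SIGNATURE;
        size_t aligned = (pos + 3) & ~(size_t)3; /* uint32 is 4-byte aligned */
        if (aligned > len || len - aligned != 4) return V_BAD_LENGTH;
        while (pos < aligned)
            if (buf[pos++] != 0) return V_BAD_PADDING; /* padding must be zero */
        return V_OK;
    }
}

/* Constructed sample: n variants nested in each other, innermost holds byte 0x2a. */
size_t build_chain(uint8_t *out, unsigned n)
{
    size_t pos = 0;
    for (unsigned i = 0; i < n; i++) {
        out[pos++] = 1;
        out[pos++] = (i + 1 < n) ? 'v' : 'y';
        out[pos++] = 0;
    }
    out[pos++] = 0x2a;
    return pos;
}

int main(void)
{
    uint8_t buf[3 * 65 + 1];
    printf("64 levels -> %d\n", validate_variant(buf, build_chain(buf, 64)));
    printf("65 levels -> %d\n", validate_variant(buf, build_chain(buf, 65)));
}
```

Rejecting on the counter before reading the next signature means an over-deep input costs at most 64 loop iterations, whatever its total length.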
This report contains Public Security information
Everyone can see this security related information.