Ubuntu
dbus package

dbus variant recursion crash

Bug #688992 reported by Rémi Denis-Courmont
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
D-Bus
Fix Released
Undecided
Unassigned
dbus (Ubuntu)
Fix Released
Medium
Unassigned
Hardy
Fix Released
Medium
Jamie Strandboge
Karmic
Fix Released
Medium
Jamie Strandboge
Lucid
Fix Released
Medium
Jamie Strandboge
Maverick
Fix Released
Medium
Jamie Strandboge
Natty
Fix Released
Medium
Unassigned

Bug Description

Binary package hint: dbus

The bus daemon can be crashed by sending a valid D-Bus message with lots of nested variants.

Further informations are available here: http://www.remlab.net/op/dbus-variant-recursion.shtml
and in the upstream bug.

Rémi Denis-Courmont (rdenis)
visibility: private → public
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

From oss-security:

"just FYI, particular bugzilla entry now opened:
[1] https://bugs.freedesktop.org/show_bug.cgi?id=32321

Issue fixed in dbus-v1.4.1 release:
[2] https://bugs.freedesktop.org/show_bug.cgi?id=32321#c12

And relevant changeset (from c#13):
[3] http://cgit.freedesktop.org/dbus/dbus/commit/?id=7d65a3a6ed8815e34a99c680ac3869fde49dbbd4"

Changed in dbus (Ubuntu):
importance: Undecided → Low
Marc Deslauriers (mdeslaur)
Changed in dbus (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand)
Changed in dbus (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand)
Changed in dbus (Ubuntu):
status: Confirmed → In Progress
Changed in dbus:
importance: Unknown → Undecided
status: Unknown → New
status: New → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This is fixed in 1.4.1-0ubuntu2 in Natty.

Changed in dbus (Ubuntu Natty):
status: In Progress → Fix Released
assignee: Jamie Strandboge (jdstrand) → nobody
Changed in dbus (Ubuntu Maverick):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in dbus (Ubuntu Natty):
importance: Low → Medium
Changed in dbus (Ubuntu Maverick):
importance: Undecided → Medium
status: New → In Progress
Jamie Strandboge (jdstrand)
Changed in dbus (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in dbus (Ubuntu Hardy):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in dbus (Ubuntu Karmic):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Uploaded patched packages to the security PPA.

Changed in dbus (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in dbus (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in dbus (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in dbus (Ubuntu Karmic):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.4.0-0ubuntu1.1

---------------
dbus (1.4.0-0ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: fix DoS with too deeply nested messages
    - debian/patches/99-CVE-2010-4352.patch: Limit nesting to 64 for dynamic
      message variants.
    - CVE-2010-4352
    - LP: #688992
 -- Jamie Strandboge <email address hidden> Tue, 04 Jan 2011 14:10:39 -0600

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.2.16-2ubuntu4.1

---------------
dbus (1.2.16-2ubuntu4.1) lucid-security; urgency=low

  * SECURITY UPDATE: fix DoS with too deeply nested messages
    - debian/patches/99-CVE-2010-4352.patch: Limit nesting to 64 for dynamic
      message variants. Backported from upstream.
    - CVE-2010-4352
    - LP: #688992
 -- Jamie Strandboge <email address hidden> Tue, 04 Jan 2011 14:33:58 -0600

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.2.16-0ubuntu9.1

---------------
dbus (1.2.16-0ubuntu9.1) karmic-security; urgency=low

  * SECURITY UPDATE: fix DoS with too deeply nested messages
    - debian/patches/99-CVE-2010-4352.patch: Limit nesting to 64 for dynamic
      message variants. Backported from upstream.
    - CVE-2010-4352
    - LP: #688992
  * debian/control: Build-Depends on libexpat1-dev instead of libexpat-dev
 -- Jamie Strandboge <email address hidden> Tue, 04 Jan 2011 14:37:19 -0600

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.1.20-1ubuntu3.4

---------------
dbus (1.1.20-1ubuntu3.4) hardy-security; urgency=low

  * SECURITY UPDATE: fix DoS with too deeply nested messages
    - debian/patches/84-CVE-2010-4352.patch: Limit nesting to 64 for dynamic
      message variants. Backported from upstream.
    - CVE-2010-4352
    - LP: #688992
  * debian/control: Build-Depends on libexpat1-dev instead of libexpat-dev
 -- Jamie Strandboge <email address hidden> Tue, 04 Jan 2011 15:04:29 -0600

Changed in dbus (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in dbus (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in dbus (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in dbus (Ubuntu Maverick):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.