[ANNOUNCE] D-Bus 1.4.1 (fixing CVE-2010-4352)

Brian Cameron brian.cameron at oracle.com
Mon Dec 20 15:49:32 PST 2010


I assume the CVE-2010-4352 issue does not affect D-Bus 1.2 since no
mention is made.  Can you confirm?

Thanks,

Brian


On 12/20/10 03:44 PM, Will Thompson wrote:
> A new stable release of D-Bus is now available, fixing a
> denial-of-service issue.
>
> http://dbus.freedesktop.org/releases/dbus/dbus-1.4.1.tar.gz
>
> This release contains a fix for
> <https://bugs.freedesktop.org/show_bug.cgi?id=32321>, originally
> reported on this list by Rémi Denis-Courmont, who has an analysis at
> <http://www.remlab.net/op/dbus-variant-recursion.shtml>.
>
> This bug allows a local user to crash the bus daemon, but not to execute
> arbitrary code, by sending it a specially-crafted message. Once the bus
> daemon has been upgraded, it will reject such messages without relaying
> them; thus, services besides the bus daemon itself do not need to be
> restarted.