[ANNOUNCE] D-Bus 1.2.26 (fixing CVE-2010-4352)

Will Thompson will.thompson at collabora.co.uk
Tue Dec 21 07:43:11 PST 2010

On 21/12/10 14:41, Colin Walters wrote:
> 2010/12/20 Brian Cameron<brian.cameron at oracle.com>:
>> If this problem affects D-Bus 1.2, then will it be possible for a new
>> 1.2 release with the fix for this security issue?
> 1.2 backport is here (only one trivial conflict):
> http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=5042c1e5e6df31700215c9dc0618634911b0c9f5

For completeness, here's a release: http://dbus.freedesktop.org/releases/dbus/dbus-1.2.26.tar.gz

NEWS from this release:

• Fix for CVE-2010-4352: sending messages with excessively-nested variants can
  crash the bus. The existing restriction to 64-levels of nesting previously
  only applied to the static type signature; now it also applies to dynamic
  nesting using variants. Thanks to Rémi Denis-Courmont for discoving this
• Corrected thread problem causing some calls to hang for 25s
• Enable address reuse on TCP sockets
• Fix use of $servicename in init script

The latter three changes have been kicking around on this branch for
months; they were long ago released in the 1.3 (and hence 1.4) series.


More information about the dbus mailing list