[ANNOUNCE] D-Bus 1.2.26 (fixing CVE-2010-4352)
Will Thompson
will.thompson at collabora.co.uk
Tue Dec 21 07:43:11 PST 2010
On 21/12/10 14:41, Colin Walters wrote:
> 2010/12/20 Brian Cameron<brian.cameron at oracle.com>:
>>
>> If this problem affects D-Bus 1.2, then will it be possible for a new
>> 1.2 release with the fix for this security issue?
>
> 1.2 backport is here (only one trivial conflict):
>
> http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=5042c1e5e6df31700215c9dc0618634911b0c9f5
For completeness, here's a release: http://dbus.freedesktop.org/releases/dbus/dbus-1.2.26.tar.gz
NEWS from this release:
• Fix for CVE-2010-4352: sending messages with excessively-nested variants can
crash the bus. The existing restriction to 64-levels of nesting previously
only applied to the static type signature; now it also applies to dynamic
nesting using variants. Thanks to Rémi Denis-Courmont for discoving this
issue.
• Corrected thread problem causing some calls to hang for 25s
• Enable address reuse on TCP sockets
• Fix use of $servicename in init script
The latter three changes have been kicking around on this branch for
months; they were long ago released in the 1.3 (and hence 1.4) series.
Regards,
--
Will
More information about the dbus
mailing list