Security Information / 2011 / Security Information -- DSA-2149-1 dbus

Debian Security Advisory

DSA-2149-1 dbus -- denial of service

Date Reported:

20 Jan 2011

Affected Packages:

dbus

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2010-4352.

More information:

Rémi Denis-Courmont discovered that dbus, a message bus application, is not properly limiting the nesting level when examining messages with extensive nested variants. This allows an attacker to crash the dbus system daemon due to a call stack overflow via crafted messages.

For the stable distribution (lenny), this problem has been fixed in version 1.2.1-5+lenny2.

For the testing distribution (squeeze), this problem has been fixed in version 1.2.24-4.

For the unstable distribution (sid), this problem has been fixed in version 1.2.24-4.

We recommend that you upgrade your dbus packages.