Created attachment 41018: Proof of concept code. Justification for critical severity: crashes. Sending a "valid" D-Bus message with (really) a lot of nested variants triggers a segmentation fault and termination of the bus. This seems like a security concern in the case of the system bus. Proof of concept code is attached.
Created attachment 41049: Add failing test case
Created attachment 41050: Detect deep nesting during validation
I haven't tested these patches much (and still don't have working ssh to push them) but hope they are helpful. Someone might want to run the proof of concept exploit with these patches to see if the fix works. There should also be a patch to the spec but I couldn't decide where to put the new text so I just left it as an exercise for the patch applier. ;-)
I'd prefer one patch with the fix and additional unit test; having failing tests without the fix is bad for bisecting. Also this will need to reference a CVE number; I'm getting one assigned now.
yeah, feel free to squash
This issue has been assigned CVE-2010-4352.
Created attachment 41245: squashed patch. Squashed patch, with update to specification.
I can verify the patch fixes this against dbus-1.4 git master.
Empirically, the maximum variant nesting depth on my Fedora 14 system does not exceed 2. I can barely think of a rational situation in which it's larger than 5 or 7, much less 64. While it's sort of lame to add a restriction, there's no reason for us to bend over backwards to support this either, so I think this patch is a reasonable fix.
Will, can we get this patch queued for the Monday release?
(In reply to comment #10)
> Will, can we get this patch queued for the Monday release?
Absolutely. Are there mailing lists—besides the D-Bus list—that I should announce it to?
http://dbus.freedesktop.org/releases/dbus/dbus-1.4.1.tar.gz
Extracted commit is: http://cgit.freedesktop.org/dbus/dbus/commit/?id=7d65a3a6ed8815e34a99c680ac3869fde49dbbd4
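
An added illustration of the kind of depth check the thread describes (not the dbus patch itself, and not code from any participant): an iterative walk over a chain of nested variants that rejects anything deeper than 64. The function and enum names are hypothetical, the limit of 64 is the figure mentioned in the thread, and only the variant-in-variant case is handled; other container types and the innermost value are not parsed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_VARIANT_DEPTH 64 /* assumed limit; 64 is the figure named in the thread */

/* Hypothetical result codes, not identifiers from the dbus source. */
enum vresult { V_OK, V_TRUNCATED, V_BAD_SIGNATURE, V_TOO_DEEP };

/* Walk a body whose top-level type is a variant. A marshalled variant begins
 * with a signature: one length byte, the type codes, a terminating NUL. When
 * that signature is exactly "v" the value is another variant, so loop (no
 * recursion, so stack use stays constant) and count the depth. */
enum vresult check_variant_chain(const unsigned char *p, size_t len, size_t *depth_out)
{
    size_t pos = 0, depth = 0;
    for (;;) {
        if (++depth > MAX_VARIANT_DEPTH)
            return V_TOO_DEEP;            /* reject before reading further */
        if (pos >= len)
            return V_TRUNCATED;
        size_t siglen = p[pos++];
        if (siglen == 0)
            return V_BAD_SIGNATURE;       /* a variant must hold one type */
        if (siglen + 1 > len - pos)
            return V_TRUNCATED;           /* signature plus NUL must fit */
        if (p[pos + siglen] != '\0')
            return V_BAD_SIGNATURE;
        if (siglen != 1 || p[pos] != 'v')
            break;                        /* payload is not a variant: done */
        pos += 2;                         /* skip 'v' and NUL, descend */
    }
    if (depth_out)
        *depth_out = depth;
    return V_OK;
}

/* Constructed sample input: `depth` variants wrapping a single byte ('y'). */
size_t build_sample_chain(unsigned char *buf, size_t cap, size_t depth)
{
    if (depth == 0 || depth * 3 + 1 > cap)
        return 0;
    for (size_t i = 0; i < depth; i++)
        memcpy(buf + i * 3, i + 1 < depth ? "\001v" : "\001y", 3);
    buf[depth * 3] = 0x2a;
    return depth * 3 + 1;
}

int main(void)
{
    unsigned char buf[256];
    size_t d = 0, n = build_sample_chain(buf, sizeof buf, 65);
    printf("depth 65 -> %d\n", check_variant_chain(buf, n, &d));
    return 0;
}
```

Because the depth counter is checked before each signature is read, the cost of rejecting an over-nested body is bounded by the limit rather than by the message length.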