The D-Bus message format provides four different container types: array, structure, dictionary entry and variant. The format specification explicitly forbids more than 32 levels of nesting for arrays as well as for structures, inside a message signature. Dictionary entries also cannot be nested to more than 32 levels (within a single signature) as they can only be inside arrays. There is however no limit on nesting variants, other than the total message size limit.
When a D-Bus message is received, libdbus will always check that the message is well-formatted. In doing so, it will recursively check any variant found in the message. If the message contains an excessive number of nested variants, function call recursion will get too deep, the call stack will overflow, and the process will experience a segmentation fault.
The upstream bug _may_ be at: https://bugs.freedesktop.org/show_bug.cgi?id=32321
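An added example, not libdbus code and not the upstream fix: a validator for the nested-variant case described above that uses a loop and a depth counter instead of recursion, so deeply nested input is rejected without growing the stack. `check_variant`, `MAX_VARIANT_DEPTH` and the result enum are hypothetical names; the sketch assumes `buf` starts at an 8-byte-aligned message offset and handles only variants whose payload is a fixed-size basic type or another variant.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_VARIANT_DEPTH 64  /* hypothetical cap, not libdbus's constant */

enum vresult { V_OK = 0, V_TRUNCATED, V_UNSUPPORTED, V_TOO_DEEP };

/* Size (equal to alignment) of fixed-size basic types; 0 if not handled. */
static size_t fixed_size(uint8_t t)
{
    switch (t) {
    case 'y': return 1;
    case 'n': case 'q': return 2;
    case 'b': case 'i': case 'u': return 4;
    case 'x': case 't': case 'd': return 8;
    default:  return 0;
    }
}

/* Validate a marshalled variant in buf[0..len) whose payload is a fixed-size
 * basic type or another variant. A loop and a counter replace recursion, so
 * stack use is constant however deeply the sender nested the variants. */
enum vresult check_variant(const uint8_t *buf, size_t len, unsigned *depth_out)
{
    size_t pos = 0, sz;
    unsigned depth = 0;

    for (;;) {
        if (++depth > MAX_VARIANT_DEPTH)
            return V_TOO_DEEP;
        if (len - pos < 3)              /* length byte, type code, NUL */
            return V_TRUNCATED;
        if (buf[pos] != 1 || buf[pos + 2] != 0)
            return V_UNSUPPORTED;       /* only one-character signatures here */
        uint8_t type = buf[pos + 1];
        pos += 3;
        if (type == 'v')
            continue;                   /* variants have alignment 1 */
        if ((sz = fixed_size(type)) == 0)
            return V_UNSUPPORTED;       /* strings and containers out of scope */
        pos = (pos + sz - 1) & ~(sz - 1);   /* pad to the type's alignment */
        if (pos > len || len - pos < sz)
            return V_TRUNCATED;
        *depth_out = depth;
        return V_OK;
    }
}
```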
*** Bug 343323 has been marked as a duplicate of this bug. ***
Please test & stabilize:
Are Council issues preventing stabilization of dbus-1.4.0 resolved in 1.4.1 ?
(In reply to comment #4)
> Are Council issues preventing stabilization of dbus-1.4.0 resolved in 1.4.1 ?
There are no issues to solve in dbus, but if council wanted a news item, it should be sent right about now.
The deadline set in the last council meeting ends in about 22 hours - just before 0000UTC Thursday 20101223.
amd64/ppc64 stable too
Stable for HPPA.
Stable on alpha.
ppc stable, last arch done
Thanks, folks. GLSA request filed.
Stack consumption vulnerability in D-Bus (aka DBus) before 1.4.1 allows
local users to cause a denial of service (daemon crash) via a message
containing many nested variants.
This issue was resolved and addressed in
GLSA 201110-14 at http://security.gentoo.org/glsa/glsa-201110-14.xml
by GLSA coordinator Stefan Behte (craig).