Bug#984969: glib2.0 CVE-2021-27218, CVE-2021-27219, CVE-2021-28153: DSA or s-p-u?
Salvatore Bonaccorso
carnil at debian.org
Mon Mar 22 06:40:48 GMT 2021
Hi Simon,
On Sun, Mar 21, 2021 at 02:03:24PM +0000, Simon McVittie wrote:
> glib2.0 2.66.6 and 2.66.8 fixed some security issues, listed here as
> most-severe-first (in my opinion):
>
> * CVE-2021-28153 (#984969)
> When g_file_replace() with G_FILE_CREATE_REPLACE_DESTINATION is asked
> to overwrite a dangling symlink, in the vulnerable versions of GLib,
> the target of the symlink gets created as an empty regular file as a
> side-effect. If a malicious archive (e.g. tarball) is unpacked with
> file-roller, this can be exploited to create an empty file in an
> attacker-controlled location.
>
> Mitigation: the attacker cannot choose the file's contents or empty
> an existing file, so this is only interesting if they are creating
> a flag-file whose mere presence or absence is what matters, like
> /etc/staff-group-for-usr-local.
>
> The patches I've proposed for this include a later follow-up fix to
> error handling, which is not in bullseye/unstable yet (although I've
> asked for permission to include it in #985610).
>
> * CVE-2021-27219 (#982778)
> On 64-bit platforms, if a buffer of length n > 4 GB is copied into a
> new GBytes object, only the first (n % (1<<32)) bytes get allocated and
> copied, but the new GBytes object still thinks it has length n, which
> can result in undefined behaviour. The only known exploit for this is
> memory corruption that crashes policykit-1's setuid polkit-agent-helper-1
> with an assertion failure (a denial of service) but there might be
> cases where an attacker can do something worse with this.
>
> While fixing this, the GLib developers also fixed similar issues where
> the same function g_memdup() was called elsewhere in GLib. Most of them
> are clearly not exploitable (either the length is fixed and small,
> or an attacker-specified length would be silly for other reasons)
> but some might be.
>
> In some of the places where changes were made, it's easy to see that the
> changes are correct and harmless. Luckily, this includes CVE-2021-27219
> itself. However, some of the other changes were non-trivial and caused
> regressions that had to be fixed in 2.66.7.
>
> To minimize regression risk, I am proposing that we only fix the
> easy cases in Debian 10, and deliberately leave the harder/more
> regression-prone places unfixed, unless someone can explain how the
> lengths can realistically become attacker-controlled and 4GB+. I talked
> to upstream maintainer Philip Withnall about this and he agrees with
> my reasoning.
>
> * CVE-2021-27218 (#982779)
> Similar to CVE-2021-27219, if a buffer of length n > 4 GB is copied into
> a new GByteArray object, there's an integer overflow. No known exploit.
> The fix turns this into a critical warning and NULL return, which
> could still cause a crash (denial of service), but is the best we can
> do within the constraints of the existing API/ABI.
>
> Note that just to be extra-confusing, MITRE allocated consecutive CVE IDs
> for the two integer overflows, but assigned the first CVE ID to the issue
> that was reported second.
>
> Proposed changes are available here:
> https://salsa.debian.org/gnome-team/glib/-/merge_requests/11
>
> Do the security team want to do a DSA for this, or should I be talking to
> the stable release team?
>
> If we go via a stable point release, I'm aware that I've narrowly missed
> the window for Debian 10.9, but that might be for the best: none of this
> seems amazingly urgent, and lots of things use GLib, so regressions here
> would be really bad.
>
> Sorry this has taken a while to prepare, but at this point GLib 2.58 is
> 2½ years behind upstream's oldest supported branch, so the amount of
> backporting involved is significant, and that made me extra-cautious about
> regressions.
Thanks for the detailed overview and working on those issues for
buster!
Personal opionon: I do not think those issues need a DSA and can go in
via the 10.10 point release later on. Doing so has as well the
advantage that the upload could be staged long enough in
proosed-updates, it will though probably not have an enormous amount
of testers, but we can take advantage there as well for some
additional QA tests running.
So I would propose to mark those all no-dsa for buster and do an
update for the 10.10 point release.
Regards,
Salvatore
More information about the pkg-gnome-maintainers
mailing list