Bug#1028475: Backport recent GVariant security fixes to Stable

Philip Withnall philip at tecnocode.co.uk
Wed Jan 11 16:37:01 GMT 2023


Package: glib2.0
Version: 2.66.8-1
Tags: security

Are there plans to backport the recent GVariant security fixes to
Debian Stable?

These are:
 - https://gitlab.gnome.org/GNOME/glib/-/issues/2782
 - https://gitlab.gnome.org/GNOME/glib/-/issues/2121
 - https://gitlab.gnome.org/GNOME/glib/-/issues/2540
 - https://gitlab.gnome.org/GNOME/glib/-/issues/2794
 - https://gitlab.gnome.org/GNOME/glib/-/issues/2797
 - https://gitlab.gnome.org/GNOME/glib/-/issues/2840
 - https://gitlab.gnome.org/GNOME/glib/-/issues/2841

In addition, these two issues have highly related fixes (which it’s
probably easiest to backport in the same tranche), but they are not
security issues:
 - https://gitlab.gnome.org/GNOME/glib/-/issues/2612
 - https://gitlab.gnome.org/GNOME/glib/-/issues/2839

Apologies if a decision has been deliberately taken to not backport
them, I don’t fully understand the criteria for what gets backported.

---

There are two sets of risks in these issues:

1. Denial of service caused by handling a malicious serialised variant
which is structured to cause allocations or looping superlinear to its
serialised size. Applications are at risk if they accept untrusted
serialised variants by checking them with g_variant_get_normal_form()
(or don’t check them). Applications which reject variants with
g_variant_is_normal_form() first are not vulnerable. In order to be
exploitable, the variant must have a dynamically typed component in it
(i.e. a `v` type somewhere). This is typically as part of an `a{sv}`.

2. Denial of service caused by handling a malicious text-form variant
which is structured to cause looping superlinear to its text size.
Applications are at risk if they parse untrusted text-form variants.

Scenario 2 is much less likely than scenario 1, as the GVariant text-
form parser is not documented as suitable for use on untrusted input.
Scenario 1 is likely because g_variant_get_normal_form() *is*
documented as being safe to use on untrusted input.

Issue #2840 documents a heap buffer overflow, but this vulnerability
was introduced as part of the fixes for the above two scenarious, so
GLib is only vulnerable to the overflow if an incomplete set of patches
are backported.

---

I have a set of backport commits for this for GLib 2.70.4, which we are
using in Endless OS. At a quick glance, these commits should also be
most of the work needed for backporting to 2.66.8 in Debian Stable. I
am happy to help out with this if that’s useful.

Philip



More information about the pkg-gnome-maintainers mailing list