Bug#1087419: CVE-2024-52533: glib2.0: Buffer overflow in gsocks4aproxy set_connect_msg()

Simon McVittie smcv at debian.org
Wed Nov 13 10:15:48 GMT 2024


Package: libglib2.0-0
Version: 2.74.6-2+deb12u4
Severity: important
Tags: bookworm security upstream
X-Debbugs-Cc: team at security.debian.org, debian-lts at lists.debian.org

https://security-tracker.debian.org/tracker/CVE-2024-52533
> gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one
> error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not
> sufficient for a trailing '\0' character.

This was fixed upstream in 2.82.1, so trixie is unaffected.

A mitigation is that the relevant code path is (presumably) only used when
a client system is configured to connect via a SOCKS4a proxy, which appears
to be sufficiently rare that upstream were not able to test the change
against a real proxy server.

Does the security team intend to do a DSA for this, or is this being left
until the next 12.x stable update?

I believe Debian 11 is also vulnerable; LTS team cc'd for visibility.

The security-tracker page says:
> check if has impact on embedded copy in src:gobject-introspection

The answer to that is: no, the embedded copy in src:gobject-introspection
is only there to satisfy a particularly completionist interpretation
of the requirement to include source code, and is not actually compiled
or used.

    smcv
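An added illustration of the bug class this report describes, written for this page and not taken from GLib: the fixed-size buffer for a SOCKS4a CONNECT message must account for the 8-byte header plus both NUL terminators (after USERID and after HOSTNAME), and the writer should bounds-check against that computed length so an undersized buffer is rejected rather than overrun by one byte. The caps and function names are hypothetical, not GLib's.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical caps for this example, not GLib's constants. */
#define MAX_USERID_LEN   255
#define MAX_HOSTNAME_LEN 255

/* Bytes needed for a SOCKS4a CONNECT request:
 * VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL HOSTNAME NUL.
 * Both terminating NULs are counted explicitly; dropping either one
 * is exactly the off-by-one sizing mistake the report describes. */
size_t socks4a_connect_msg_len(const char *userid, const char *hostname)
{
    return 8 + strlen(userid) + 1 + strlen(hostname) + 1;
}

/* Worst-case size a fixed buffer must have under the caps above. */
#define SOCKS4A_CONN_MSG_MAX (8 + MAX_USERID_LEN + 1 + MAX_HOSTNAME_LEN + 1)

/* Serialise the request into buf. Returns the number of bytes written,
 * or -1 if an input exceeds its cap or buf is smaller than the computed
 * length. Checking against the precomputed length up front means an
 * undersized buffer produces an error instead of a one-byte overrun. */
int socks4a_build_connect(uint8_t *buf, size_t buflen, uint16_t port,
                          const char *userid, const char *hostname)
{
    size_t ulen = strlen(userid), hlen = strlen(hostname);
    if (ulen > MAX_USERID_LEN || hlen > MAX_HOSTNAME_LEN)
        return -1;
    size_t need = socks4a_connect_msg_len(userid, hostname);
    if (buflen < need)
        return -1;

    uint8_t *p = buf;
    *p++ = 0x04;                    /* VN: SOCKS version 4 */
    *p++ = 0x01;                    /* CD: CONNECT */
    *p++ = (uint8_t)(port >> 8);    /* DSTPORT, network byte order */
    *p++ = (uint8_t)(port & 0xff);
    *p++ = 0; *p++ = 0; *p++ = 0;   /* DSTIP 0.0.0.1: the 4a marker that */
    *p++ = 1;                       /* asks the proxy to resolve HOSTNAME */
    memcpy(p, userid, ulen + 1);    /* USERID + NUL */
    p += ulen + 1;
    memcpy(p, hostname, hlen + 1);  /* HOSTNAME + NUL */
    p += hlen + 1;
    return (int)(p - buf);
}
```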
