Bug#1087419: CVE-2024-52533: glib2.0: Buffer overflow in gsocks4aproxy set_connect_msg()
Salvatore Bonaccorso
carnil at debian.org
Wed Nov 13 10:58:55 GMT 2024
Hi Simon,
Thanks a lot for your proactive taking action!
On Wed, Nov 13, 2024 at 10:15:48AM +0000, Simon McVittie wrote:
> Package: libglib2.0-0
> Version: 2.74.6-2+deb12u4
> Severity: important
> Tags: bookworm security upstream
> X-Debbugs-Cc: team at security.debian.org, debian-lts at lists.debian.org
>
> https://security-tracker.debian.org/tracker/CVE-2024-52533
> > gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one
> > error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not
> > sufficient for a trailing '\0' character.
>
> This was fixed upstream in 2.82.1, so trixie is unaffected.
>
> A mitigation is that the relevant code path is (presumably) only used when
> a client system is configured to connect via a SOCKS4a proxy, which appear
> to be sufficiently rare that upstream were not able to test the change
> against a real proxy server.
>
> Does the security team intend to do a DSA for this, or is this being left
> until the next 12.x stable update?
Yes, we agree; this could also be marked as no-dsa in the
tracker, which I just did.
> I believe Debian 11 is also vulnerable; LTS team cc'd for visibility.
>
> The security-tracker page says:
> > check if has impact on embedded copy in src:gobject-introspection
>
> The answer to that is: no, the embedded copy in src:gobject-introspection
> is only there to satisfy a particularly completionist interpretation
> of the requirement to include source code, and is not actually compiled
> or used.
Thanks a lot for the explanation, so I have dropped the todo item from
the CVE entry.
Should we update the metadata here in this bug to mark as fixed
2.82.1-1 (and found version at least to 2.74.6-1), so BTS can show up
the version graph accordingly?
Regards,
Salvatore
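Added illustration of the bug class the CVE description refers to (a worst-case message buffer sized one byte short of the trailing NUL). This is example code written for this page, not GLib's gsocks4aproxy.c and not part of the mail above; the `EX_` limits and constants are assumptions modelled on the description, and the strings and port are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed per-field limit for this example; not claimed to be GLib's value. */
#define EX_SOCKS4_MAX_LEN 255

/* SOCKS4 fixed header: VN(1) CD(1) DSTPORT(2) DSTIP(4) = 8 bytes.
 * SOCKS4a then carries USERID NUL HOSTNAME NUL, i.e. two terminators. */
#define EX_SOCKS4A_HEADER_LEN 8
#define EX_SOCKS4A_NUL_COUNT  2

/* Exact wire length of a SOCKS4a CONNECT request for the given string lengths. */
size_t ex_socks4a_conn_msg_len(size_t user_len, size_t host_len)
{
    return EX_SOCKS4A_HEADER_LEN + user_len + host_len + EX_SOCKS4A_NUL_COUNT;
}

/* Worst-case buffer size as an off-by-one sizing would compute it: it
 * accounts for only one of the two NUL terminators (constructed example). */
#define EX_UNDERSIZED_MSG_LEN (9 + EX_SOCKS4_MAX_LEN * 2)
/* Corrected worst-case size: room for both NUL terminators. */
#define EX_CORRECT_MSG_LEN    (10 + EX_SOCKS4_MAX_LEN * 2)

/* Serialize a SOCKS4a CONNECT request into buf. Returns the number of bytes
 * written, or -1 if buf_size cannot hold the whole message including the
 * trailing NUL after the hostname. Never writes past buf_size. */
int ex_build_socks4a_connect(uint8_t *buf, size_t buf_size,
                             uint16_t port, const char *user, const char *host)
{
    size_t user_len = strlen(user);
    size_t host_len = strlen(host);
    if (user_len > EX_SOCKS4_MAX_LEN || host_len > EX_SOCKS4_MAX_LEN)
        return -1;
    size_t need = ex_socks4a_conn_msg_len(user_len, host_len);
    if (need > buf_size)
        return -1;                 /* the bound an undersized buffer would violate */

    size_t off = 0;
    buf[off++] = 0x04;             /* VN: SOCKS version 4 */
    buf[off++] = 0x01;             /* CD: CONNECT */
    buf[off++] = (uint8_t)(port >> 8);   /* DSTPORT, network byte order */
    buf[off++] = (uint8_t)(port & 0xff);
    /* SOCKS4a: DSTIP 0.0.0.x with x != 0 asks the proxy to resolve HOSTNAME */
    buf[off++] = 0; buf[off++] = 0; buf[off++] = 0; buf[off++] = 1;
    memcpy(buf + off, user, user_len); off += user_len;
    buf[off++] = '\0';
    memcpy(buf + off, host, host_len); off += host_len;
    buf[off++] = '\0';             /* the byte a 9 + 2*MAX buffer has no room for */
    return (int)off;
}

/* Try the worst case (both strings at the limit) into a buffer of buf_size
 * bytes; returns bytes written, or -1 if the request is rejected. */
int ex_try_worst_case(size_t buf_size)
{
    char user[EX_SOCKS4_MAX_LEN + 1], host[EX_SOCKS4_MAX_LEN + 1];
    memset(user, 'u', EX_SOCKS4_MAX_LEN); user[EX_SOCKS4_MAX_LEN] = '\0';
    memset(host, 'h', EX_SOCKS4_MAX_LEN); host[EX_SOCKS4_MAX_LEN] = '\0';
    uint8_t buf[EX_CORRECT_MSG_LEN];   /* backing storage is always large enough */
    if (buf_size > sizeof buf)
        buf_size = sizeof buf;
    return ex_build_socks4a_connect(buf, buf_size, 1080, user, host);
}
```

With both strings at the limit the request needs 10 + 2*255 bytes; a buffer sized 9 + 2*255 is one byte short, which is exactly the missing trailing '\0' the CVE text describes. The hardened builder refuses the request instead of writing past the buffer, and a sanitizer build (`-fsanitize=address`) of an unchecked variant is the quickest way to confirm the overflow on a real client.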