Bug#1087658: bookworm-pu: package glib2.0/2.74.6-2+deb12u5
Simon McVittie
smcv at debian.org
Sat Nov 16 20:55:06 GMT 2024
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: glib2.0 at packages.debian.org, team at security.debian.org
Control: affects -1 + src:glib2.0
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
CVE-2024-52533, https://bugs.debian.org/1087419
[ Impact ]
Heap/stack buffer overflow with unknown impact (most likely just denial
of service via a crash) for users of SOCKS4a proxies.
Mitigation: the overflow only occurs in the unusual situation that the
proxy was configured with a 255-byte username (I don't know whether proxy
autoconfiguration can set up this situation), and the user is also
connecting to a 255-byte hostname.
The security team does not intend to issue a DSA for this minor
vulnerability.
[ Tests ]
Not specifically tested, I don't know where to find an example of a
SOCKS4a proxy.
An upgraded bookworm GNOME desktop system runs normally.
[ Risks ]
I would say this is low risk despite the lack of test coverage: the only
change is to make a buffer 1 byte larger in two places (one on the stack,
one on the heap) to ensure that a maximally-long message cannot exceed
the buffer size.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
All proposed changes are relevant to CVE-2024-52533.
[ Other info ]
GLib has a udeb, so this needs a d-i ack (although I can't think of any
reason why the affected code would run in a d-i context).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: glib2.0_2.74.6-2+deb12u5.diff
Type: text/x-diff
Size: 3882 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20241116/57f1733b/attachment-0001.diff>
More information about the pkg-gnome-maintainers
mailing list