Bug#1087658: bookworm-pu: package glib2.0/2.74.6-2+deb12u5

Simon McVittie smcv at debian.org
Sat Nov 16 23:21:56 GMT 2024


Sorry, forgot to cc the installer team for the d-i ack. Full message
quoted below.

On Sat, 16 Nov 2024 at 20:55:06 +0000, Simon McVittie wrote:
> [ Reason ]
> CVE-2024-52533, https://bugs.debian.org/1087419
> 
> [ Impact ]
> Heap/stack buffer overflow with unknown impact (most likely just denial
> of service via a crash) for users of SOCKS4a proxies.
> 
> Mitigation: the overflow only occurs in the unusual situation that the
> proxy was configured with a 255-byte username (I don't know whether proxy
> autoconfiguration can set up this situation), and the user is also
> connecting to a 255-byte hostname.
> 
> The security team does not intend to issue a DSA for this minor
> vulnerability.
> 
> [ Tests ]
> Not specifically tested; I don't know where to find an example of a
> SOCKS4a proxy.
> 
> An upgraded bookworm GNOME desktop system runs normally.
> 
> [ Risks ]
> I would say this is low risk despite the lack of test coverage: the only
> change is to make a buffer 1 byte larger in two places (one on the stack,
> one on the heap) to ensure that a maximally-long message cannot exceed
> the buffer size.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> All proposed changes are relevant to CVE-2024-52533.
> 
> [ Other info ]
> GLib has a udeb, so this needs a d-i ack (although I can't think of any
> reason why the affected code would run in a d-i context).

> diffstat for glib2.0-2.74.6 glib2.0-2.74.6
> 
>  changelog                                                               |    8 +
>  patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch |   44 ++++++++++
>  patches/series                                                          |    1 
>  3 files changed, 53 insertions(+)
> 
> diff -Nru glib2.0-2.74.6/debian/changelog glib2.0-2.74.6/debian/changelog
> --- glib2.0-2.74.6/debian/changelog	2024-10-28 08:41:03.000000000 +0000
> +++ glib2.0-2.74.6/debian/changelog	2024-11-14 09:42:34.000000000 +0000
> @@ -1,3 +1,11 @@
> +glib2.0 (2.74.6-2+deb12u5) bookworm; urgency=medium
> +
> +  * d/p/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch:
> +    Fix a buffer overflow when configured to use a SOCKS4a proxy with a
> +    very long username (CVE-2024-52533, Closes: #1087419)
> +
> + -- Simon McVittie <smcv at debian.org>  Thu, 14 Nov 2024 09:42:34 +0000
> +
>  glib2.0 (2.74.6-2+deb12u4) bookworm; urgency=medium
>  
>    [ Helmut Grohne ]
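Review bot: the changelog line `+    Fix a buffer overflow when configured to use a SOCKS4a proxy with a` / `+    very long username` names only the username as the trigger, whereas the [ Impact ] section and the patch description both say the overflow needs a 255-byte username *and* a 255-byte hostname; consider wording it as "with a maximal-length username and hostname" so the entry matches the advisory text that users will compare it against.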
> diff -Nru glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
> --- glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch	1970-01-01 01:00:00.000000000 +0100
> +++ glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch	2024-11-14 09:42:34.000000000 +0000
> @@ -0,0 +1,44 @@
> +From: Michael Catanzaro <mcatanzaro at redhat.com>
> +Date: Thu, 19 Sep 2024 18:35:53 +0100
> +Subject: gsocks4aproxy: Fix a single byte buffer overflow in connect messages
> +
> +`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
> +byte in the connect message, which is an addition in SOCKSv4a vs
> +SOCKSv4.
> +
> +This means that the buffer for building and transmitting the connect
> +message could be overflowed if the username and hostname are both
> +`SOCKS4_MAX_LEN` (255) bytes long.
> +
> +Proxy configurations are normally statically configured, so the username
> +is very unlikely to be near its maximum length, and hence this overflow
> +is unlikely to be triggered in practice.
> +
> +(Commit message by Philip Withnall, diagnosis and fix by Michael
> +Catanzaro.)
> +
> +CVE-2024-52533
> +
> +Bug: https://gitlab.gnome.org/GNOME/glib/-/issues/3461
> +Bug-Debian: https://bugs.debian.org/1087419
> +Origin: upstream, 2.82.1, commit:ec0b708b981af77fef8e4bbb603cde4de4cd2e29
> +---
> + gio/gsocks4aproxy.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c
> +index 3dad118..b3146d0 100644
> +--- a/gio/gsocks4aproxy.c
> ++++ b/gio/gsocks4aproxy.c
> +@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy)
> +  * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
> +  * | VN | CD | DSTPORT |      DSTIP        | USERID       |NULL| HOST |    | NULL |
> +  * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
> +- *    1    1      2              4           variable       1    variable
> ++ *    1    1      2              4           variable       1    variable    1
> +  */
> +-#define SOCKS4_CONN_MSG_LEN	    (9 + SOCKS4_MAX_LEN * 2)
> ++#define SOCKS4_CONN_MSG_LEN	    (10 + SOCKS4_MAX_LEN * 2)
> + static gint
> + set_connect_msg (guint8      *msg,
> + 		 const gchar *hostname,
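Review bot: the hunk changes only the `SOCKS4_CONN_MSG_LEN` macro (`9` to `10` bytes of fixed overhead), so the fix is complete only if every buffer that holds a connect message is sized from that macro; the [ Risks ] section says there are two such buffers (one stack, one heap), but neither declaration appears in the hunk, so confirm both use the macro rather than a literal before accepting the "1 byte larger in two places" summary. The arithmetic matches the updated diagram: VN, CD, DSTPORT and DSTIP are 1+1+2+4 bytes, plus one NUL after USERID and the SOCKSv4a-only NUL after HOST, giving 10 + 2*255 = 520 bytes for the worst case against the 519 the old value allowed. The DEP-3 `Origin:` line pins the upstream commit, which makes the backport easy to audit.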
> diff -Nru glib2.0-2.74.6/debian/patches/series glib2.0-2.74.6/debian/patches/series
> --- glib2.0-2.74.6/debian/patches/series	2024-10-28 08:41:03.000000000 +0000
> +++ glib2.0-2.74.6/debian/patches/series	2024-11-14 09:42:34.000000000 +0000
> @@ -43,3 +43,4 @@
>  CVE-2024-34397/gdbus-proxy-test-Wait-before-asserting-name-owner-has-gon.patch
>  CVE-2024-34397/gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a.patch
>  gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch
> +gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
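Review bot: style point on the new `series` entry: the CVE-2024-34397 patches directly above it are grouped under a `CVE-2024-34397/` subdirectory, while this CVE-2024-52533 patch is added at the top level; for consistency consider placing it under `CVE-2024-52533/` (and adjusting the path in d/changelog to match). Functionally the entry is fine, since it is appended last and applies on top of the existing series.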

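As an added illustration that is not part of this upload or of GLib's own code: the SOCKSv4a CONNECT layout from the patch header, serialised with an explicit bounds check, showing that a 255-byte USERID plus a 255-byte HOST needs 520 bytes while the pre-fix constant allowed 519. The function names and the constructed worst-case strings are hypothetical.

```c
/* Added example (not GLib's code): serialise the SOCKSv4a CONNECT message from
 * the patch header with a bounds check; names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SOCKS4_MAX_LEN   255                          /* max USERID/HOST length */
#define OLD_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2)     /* constant before the fix */
#define NEW_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2)    /* constant after the fix */

/* Bytes needed: VN, CD, DSTPORT, DSTIP, USERID, NUL, HOST, NUL. */
size_t socks4a_conn_msg_len(size_t user_len, size_t host_len)
{
    return 1 + 1 + 2 + 4 + user_len + 1 + host_len + 1;
}

/* Write the message into out[out_len]; returns bytes written, or 0 if an
 * input exceeds SOCKS4_MAX_LEN or the message would not fit. */
size_t socks4a_build_connect(uint8_t *out, size_t out_len, uint16_t port,
                             const char *user, const char *host)
{
    size_t user_len = strlen(user), host_len = strlen(host), i = 0;
    if (user_len > SOCKS4_MAX_LEN || host_len > SOCKS4_MAX_LEN)
        return 0;
    if (socks4a_conn_msg_len(user_len, host_len) > out_len)
        return 0;                          /* the check an undersized buffer needs */
    out[i++] = 4;                          /* VN: protocol version 4 */
    out[i++] = 1;                          /* CD: CONNECT */
    out[i++] = (uint8_t)(port >> 8);       /* DSTPORT, network byte order */
    out[i++] = (uint8_t)(port & 0xff);
    out[i++] = 0; out[i++] = 0; out[i++] = 0; out[i++] = 1; /* DSTIP 0.0.0.1: SOCKSv4a "resolve HOST remotely" */
    memcpy(out + i, user, user_len); i += user_len;
    out[i++] = 0;                          /* NUL after USERID */
    memcpy(out + i, host, host_len); i += host_len;
    out[i++] = 0;                          /* trailing NUL after HOST: the byte the old macro omitted */
    return i;
}

/* Worst case (255-byte USERID and HOST) into a buffer declared as buf_len bytes;
 * backing storage is always NEW_CONN_MSG_LEN, so nothing really overflows. */
size_t build_worst_case(size_t buf_len)
{
    uint8_t buf[NEW_CONN_MSG_LEN];
    char user[SOCKS4_MAX_LEN + 1], host[SOCKS4_MAX_LEN + 1];
    if (buf_len > sizeof buf) return 0;
    memset(user, 'u', SOCKS4_MAX_LEN); user[SOCKS4_MAX_LEN] = '\0';
    memset(host, 'h', SOCKS4_MAX_LEN); host[SOCKS4_MAX_LEN] = '\0';
    return socks4a_build_connect(buf, buf_len, 80, user, host);
}
```

With the old constant the worst-case message is rejected by the length check (returns 0); with the fixed constant it serialises to exactly 520 bytes, the last of them the trailing NUL.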