Bug#1107797: glib2.0: CVE-2025-6052
Salvatore Bonaccorso
carnil at debian.org
Sun Jun 15 07:16:20 BST 2025
Hi Simon,
On Sat, Jun 14, 2025 at 11:15:00PM +0100, Simon McVittie wrote:
> On Sat, 14 Jun 2025 at 22:51:55 +0200, Salvatore Bonaccorso wrote:
> > [1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4655
>
> I don't think this is plausibly attacker-triggerable: it would require an
> attacker to be able to cause successful (!) allocation of a GString object,
> and some data to append to it, that add up to more than the total address
> space (4 GiB on 32-bit, or 2**64 bytes on 64-bit).
>
> On 64-bit, there's no reasonable scenario where we would run out of address
> space before running out of actual memory.
>
> On 32-bit, the only way I can think of for the length calculation to
> overflow would be if there is an attacker-triggerable way to append an
> arbitrarily large substring of the target string (or the entire target
> string) to itself; otherwise the current size of the GString, plus the
> characters that are to be appended, must already both fit in virtual memory
> and therefore can't possibly add up to more than the limit of size_t (even
> if we ignore the parts of virtual memory that are used for other things: the
> kernel, the program, and GLib itself). I'm not at all convinced that a
> program containing that pattern exists.
>
> So I don't think this is urgent to fix.
Thanks for the analysis. Yes, agreed; then we do not need it for trixie
yet, unless you plan another update anyway. Otherwise let's first
land it in forky later.
Regards,
Salvatore
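The arithmetic Simon walks through above (current length plus bytes to append, plus the terminating NUL, wrapping around size_t only if both already fit in the address space) is easiest to see in code. The following is an added example written for this page; it is not GLib's code and not the fix from the merge request referenced above. It uses a hypothetical MyString type and the GCC/Clang `__builtin_add_overflow` / `__builtin_mul_overflow` builtins to reject an append whose size computation would wrap, and it handles the one pattern identified as risky in the thread, appending part of the string to itself, by recording the source offset before a realloc can move the buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string for illustration; this is not GLib's GString. */
typedef struct {
    char *str;
    size_t len;            /* bytes in use, not counting the NUL terminator */
    size_t allocated_len;  /* bytes allocated for str */
} MyString;

/* True if len + add + 1 (for the NUL) would wrap around size_t.
 * This is the arithmetic the thread discusses: it can only wrap when the
 * existing string and the appended data together exceed the address space. */
bool append_would_overflow(size_t len, size_t add)
{
    size_t total;
    if (__builtin_add_overflow(len, add, &total))
        return true;
    return __builtin_add_overflow(total, (size_t)1, &total);
}

/* Append `add` bytes from `data`; returns false (leaving s untouched) if the
 * size arithmetic would wrap or memory cannot be obtained. Also handles
 * `data` pointing into s->str itself, the self-append case from the thread. */
bool my_string_append_len(MyString *s, const char *data, size_t add)
{
    if (append_would_overflow(s->len, add))
        return false;
    size_t needed = s->len + add + 1;

    /* If data aliases our own buffer, remember the offset: realloc may move it. */
    uintptr_t d = (uintptr_t)data, b = (uintptr_t)s->str;
    bool aliases = s->str != NULL && d >= b && d < b + s->len + 1;
    size_t off = aliases ? (size_t)(d - b) : 0;

    if (needed > s->allocated_len) {
        size_t new_alloc = s->allocated_len ? s->allocated_len : 16;
        while (new_alloc < needed) {
            if (__builtin_mul_overflow(new_alloc, (size_t)2, &new_alloc)) {
                new_alloc = needed;  /* doubling would wrap; grow exactly */
                break;
            }
        }
        char *p = realloc(s->str, new_alloc);
        if (p == NULL)
            return false;
        s->str = p;
        s->allocated_len = new_alloc;
        if (aliases)
            data = s->str + off;  /* re-derive the source after the move */
    }
    memmove(s->str + s->len, data, add);  /* memmove: source may overlap dest */
    s->len += add;
    s->str[s->len] = '\0';
    return true;
}

/* Self-append, the pattern the thread singles out: "abc" + "abc".
 * Returns the final length, 6, or 0 if anything went wrong. */
size_t demo_self_append(void)
{
    MyString s = {0};
    bool ok = my_string_append_len(&s, "abc", 3);
    ok = ok && my_string_append_len(&s, s.str, s.len);
    size_t result = (ok && strcmp(s.str, "abcabc") == 0) ? s.len : 0;
    free(s.str);
    return result;
}

/* Returns 1 if an append of SIZE_MAX bytes is refused and the string is intact. */
int demo_overflow_rejected(void)
{
    MyString s = {0};
    if (!my_string_append_len(&s, "abc", 3))
        return 0;
    bool refused = !my_string_append_len(&s, "x", SIZE_MAX);
    int ok = refused && s.len == 3 && strcmp(s.str, "abc") == 0;
    free(s.str);
    return ok;
}

int main(void)
{
    printf("self-append length: %zu\n", demo_self_append());
    printf("oversized append rejected: %d\n", demo_overflow_rejected());
    return 0;
}
```

The point of the checked addition is that a wrapped `needed` would otherwise lead to a too-small allocation followed by an out-of-bounds write; failing the append instead turns the condition into an error the caller can observe.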