Hi Simon,

Thanks a lot for proactively taking action!

On Wed, Nov 13, 2024 at 10:15:48AM +0000, Simon McVittie wrote:
> Package: libglib2.0-0
> Version: 2.74.6-2+deb12u4
> Severity: important
> Tags: bookworm security upstream
> X-Debbugs-Cc: t...@security.debian.org, debian-lts@lists.debian.org
>
> https://security-tracker.debian.org/tracker/CVE-2024-52533
>
> > gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one
> > error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not
> > sufficient for a trailing '\0' character.
>
> This was fixed upstream in 2.82.1, so trixie is unaffected.
>
> A mitigation is that the relevant code path is (presumably) only used when
> a client system is configured to connect via a SOCKS4a proxy, which appear
> to be sufficiently rare that upstream were not able to test the change
> against a real proxy server.
>
> Does the security team intend to do a DSA for this, or is this being left
> until the next 12.x stable update?

Yes, we do agree; this could be marked as well as no-dsa in the tracker, which I just did.

> I believe Debian 11 is also vulnerable; LTS team cc'd for visibility.
>
> The security-tracker page says:
>
> > check if has impact on embedded copy in src:gobject-introspection
>
> The answer to that is: no, the embedded copy in src:gobject-introspection
> is only there to satisfy a particularly completionist interpretation
> of the requirement to include source code, and is not actually compiled
> or used.

Thanks a lot for the explanation, so I have dropped the todo item from the CVE entry.

Should we update the metadata here in this bug to mark as fixed 2.82.1-1 (and found version at least to 2.74.6-1), so BTS can show up the version graph accordingly?

Regards,
Salvatore
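The bug class quoted above (a fixed message-length constant that forgets the trailing '\0') is easy to show in isolation. The following is an added illustration written for this page, not GLib's gsocks4aproxy.c or any Debian code; the function and macro names (`socks4a_msg_len`, `socks4a_build`, `SOCKS4A_HDR_LEN`) are constructed, and only the SOCKS4a wire layout (8-byte header, NUL-terminated user id, NUL-terminated hostname) comes from the public SOCKS4/4a description. The length helper counts the final NUL explicitly, and the serializer refuses any buffer that cannot hold it, which is the check whose absence turns an off-by-one into a one-byte overflow.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SOCKS4a CONNECT request layout (public SOCKS4/4a description):
 *   VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID... NUL HOSTNAME... NUL
 * The fixed header is 8 bytes; each string carries its own terminator. */
#define SOCKS4A_HDR_LEN 8   /* constructed name for this example */

/* Bytes the whole message needs, INCLUDING the NUL after the hostname.
 * Dropping the final "+ 1" is exactly the off-by-one pattern: the buffer
 * then holds every byte except the terminator that the copy still writes. */
size_t socks4a_msg_len(const char *user, const char *host)
{
    return SOCKS4A_HDR_LEN + strlen(user) + 1 + strlen(host) + 1;
}

/* Serialise the request into buf. Returns bytes written, or -1 when buf
 * cannot hold the message and its trailing NUL. No byte is written before
 * the size check, so an undersized buffer is never touched. */
int socks4a_build(uint8_t *buf, size_t buflen,
                  const char *user, const char *host, uint16_t port)
{
    size_t need = socks4a_msg_len(user, host);
    if (buf == NULL || buflen < need)
        return -1;

    size_t ulen = strlen(user);
    size_t hlen = strlen(host);

    buf[0] = 4;                      /* VN: SOCKS version 4 */
    buf[1] = 1;                      /* CD: CONNECT */
    buf[2] = (uint8_t)(port >> 8);   /* DSTPORT, network byte order */
    buf[3] = (uint8_t)(port & 0xff);
    buf[4] = 0; buf[5] = 0; buf[6] = 0; buf[7] = 1;  /* DSTIP 0.0.0.1 => 4a */
    memcpy(buf + SOCKS4A_HDR_LEN, user, ulen + 1);               /* user + NUL */
    memcpy(buf + SOCKS4A_HDR_LEN + ulen + 1, host, hlen + 1);    /* host + NUL */
    return (int)need;
}

/* Stand-alone demo: a buffer one byte short of the true length is rejected
 * instead of being overrun. Inputs are constructed sample values. */
int main(void)
{
    const char *user = "";
    const char *host = "example.com";
    uint8_t buf[64];
    size_t need = socks4a_msg_len(user, host);

    int ok = socks4a_build(buf, need, user, host, 80);
    int short_by_one = socks4a_build(buf, need - 1, user, host, 80);

    printf("need=%zu ok=%d short_by_one=%d last_byte=%u\n",
           need, ok, short_by_one, buf[need - 1]);
    return short_by_one == -1 ? 0 : 1;
}
```

The size check lives in the serializer rather than at the call site, so every caller inherits it; a constant like SOCKS4_CONN_MSG_LEN used to size the destination is only safe if it was derived the same way the copy loop counts bytes.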