Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: glib...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:glib2.0
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
CVE-2024-52533, https://bugs.debian.org/1087419

[ Impact ]
Heap/stack buffer overflow with unknown impact (most likely just denial of service via a crash) for users of SOCKS4a proxies.

Mitigation: the overflow only occurs in the unusual situation that the proxy was configured with a 255-byte username (I don't know whether proxy autoconfiguration can set up this situation), and the user is also connecting to a 255-byte hostname.

The security team does not intend to issue a DSA for this minor vulnerability.

[ Tests ]
Not specifically tested; I don't know where to find an example of a SOCKS4a proxy. An upgraded bookworm GNOME desktop system runs normally.

[ Risks ]
I would say this is low risk despite the lack of test coverage: the only change is to make a buffer 1 byte larger in two places (one on the stack, one on the heap) to ensure that a maximally-long message cannot exceed the buffer size.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
All proposed changes are relevant to CVE-2024-52533.

[ Other info ]
GLib has a udeb, so this needs a d-i ack (although I can't think of any reason why the affected code would run in a d-i context).
diffstat for glib2.0-2.74.6 glib2.0-2.74.6 changelog | 8 + patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch | 44 ++++++++++ patches/series | 1 3 files changed, 53 insertions(+) diff -Nru glib2.0-2.74.6/debian/changelog glib2.0-2.74.6/debian/changelog --- glib2.0-2.74.6/debian/changelog 2024-10-28 08:41:03.000000000 +0000 +++ glib2.0-2.74.6/debian/changelog 2024-11-14 09:42:34.000000000 +0000 @@ -1,3 +1,11 @@ +glib2.0 (2.74.6-2+deb12u5) bookworm; urgency=medium + + * d/p/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch: + Fix a buffer overflow when configured to use a SOCKS4a proxy with a + very long username (CVE-2024-52533, Closes: #1087419) + + -- Simon McVittie <s...@debian.org> Thu, 14 Nov 2024 09:42:34 +0000 + glib2.0 (2.74.6-2+deb12u4) bookworm; urgency=medium [ Helmut Grohne ] diff -Nru glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch --- glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch 1970-01-01 01:00:00.000000000 +0100 +++ glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch 2024-11-14 09:42:34.000000000 +0000 
@@ -0,0 +1,44 @@ +From: Michael Catanzaro <mcatanz...@redhat.com> +Date: Thu, 19 Sep 2024 18:35:53 +0100 +Subject: gsocks4aproxy: Fix a single byte buffer overflow in connect messages + +`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul +byte in the connect message, which is an addition in SOCKSv4a vs +SOCKSv4. + +This means that the buffer for building and transmitting the connect +message could be overflowed if the username and hostname are both +`SOCKS4_MAX_LEN` (255) bytes long. + +Proxy configurations are normally statically configured, so the username +is very unlikely to be near its maximum length, and hence this overflow +is unlikely to be triggered in practice. + +(Commit message by Philip Withnall, diagnosis and fix by Michael +Catanzaro.) + +CVE-2024-52533 + +Bug: https://gitlab.gnome.org/GNOME/glib/-/issues/3461 +Bug-Debian: https://bugs.debian.org/1087419 +Origin: upstream, 2.82.1, commit:ec0b708b981af77fef8e4bbb603cde4de4cd2e29 +--- + gio/gsocks4aproxy.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c +index 3dad118..b3146d0 100644 +--- a/gio/gsocks4aproxy.c ++++ b/gio/gsocks4aproxy.c +@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy) + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ + * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL | + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ +- * 1 1 2 4 variable 1 variable ++ * 1 1 2 4 variable 1 variable 1 + */ +-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2) ++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2) + static gint + set_connect_msg (guint8 *msg, + const gchar *hostname, diff -Nru glib2.0-2.74.6/debian/patches/series glib2.0-2.74.6/debian/patches/series --- glib2.0-2.74.6/debian/patches/series 2024-10-28 08:41:03.000000000 +0000 +++ glib2.0-2.74.6/debian/patches/series 2024-11-14 09:42:34.000000000 +0000 
@@ -43,3 +43,4 @@ CVE-2024-34397/gdbus-proxy-test-Wait-before-asserting-name-owner-has-gon.patch CVE-2024-34397/gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a.patch gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch +gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
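Review bot: the debian/changelog hunk attributes the overflow to "a very long username" alone, whereas the patch description in the same debdiff says the buffer is only exceeded when both the username and the hostname are SOCKS4_MAX_LEN (255) bytes; naming both conditions would let bookworm users judge their exposure correctly. Suggested entry: `Fix a buffer overflow when configured to use a SOCKS4a proxy with a very long username and connecting to a very long hostname (CVE-2024-52533, Closes: #1087419)`.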
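Review bot: the gio/gsocks4aproxy.c hunk corrects only the size constant and adds no check that the writer stays inside it; since set_connect_msg (visible as trailing context) is what fills the buffer, consider asserting on its result where the value is used, e.g. `g_assert (len <= SOCKS4_CONN_MSG_LEN);`, so that a future change to the message layout fails loudly instead of silently overflowing again. The arithmetic itself checks out against the layout comment in the same hunk: VN (1) + CD (1) + DSTPORT (2) + DSTIP (4) + the NUL after USERID (1) + the NUL after HOST (1) is 10 fixed bytes, plus two variable fields of at most SOCKS4_MAX_LEN each, so `10 + SOCKS4_MAX_LEN * 2` is exactly the maximal message and the previous `9 + SOCKS4_MAX_LEN * 2` was one byte short.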
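As an added illustration of the sizing bug described under [ Impact ] and fixed by the patch above (this is example code written for this page, not GLib's gsocks4aproxy.c): a small SOCKSv4a CONNECT message builder that computes the exact length from the field layout in the patch comment, refuses to write when the message would not fit the buffer it is given, and shows that the pre-fix constant (9 + 2*255 = 519) is one byte short for the maximal username/hostname pair while the fixed constant (520) is exact. The macro names OLD_CONN_MSG_LEN and NEW_CONN_MSG_LEN and all function names are assumptions of this example; the 255-byte sample username and hostname are constructed inside the block.

```c
/* Added example, not GLib's code: size and build a SOCKSv4a CONNECT
 * request using the layout from the patch comment:
 *   VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID(var) NUL(1) HOST(var) NUL(1)
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCKS4_MAX_LEN 255                         /* max USERID / HOST length */
#define OLD_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2)  /* pre-fix: misses the HOST NUL */
#define NEW_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2) /* fixed: both NULs counted */

/* Exact length of the CONNECT message for the given fields. */
size_t socks4a_connect_msg_len(const char *username, const char *hostname)
{
    return 1 + 1 + 2 + 4 + strlen(username) + 1 + strlen(hostname) + 1;
}

/* Largest message the protocol allows: the case that overflowed the old buffer. */
size_t socks4a_max_connect_msg_len(void)
{
    return 10 + 2 * (size_t)SOCKS4_MAX_LEN;
}

/* Serialise into buf. Returns bytes written, or 0 if a field exceeds
 * SOCKS4_MAX_LEN or the message would not fit in buf_size: the check that
 * must sit in front of every write into a fixed-size buffer. */
size_t socks4a_build_connect(uint8_t *buf, size_t buf_size, uint16_t port,
                             const char *username, const char *hostname)
{
    size_t ulen = strlen(username), hlen = strlen(hostname), i = 0;

    if (ulen > SOCKS4_MAX_LEN || hlen > SOCKS4_MAX_LEN)
        return 0;
    if (socks4a_connect_msg_len(username, hostname) > buf_size)
        return 0;                       /* refuse rather than overflow */

    buf[i++] = 4;                       /* VN: protocol version 4 */
    buf[i++] = 1;                       /* CD: CONNECT */
    buf[i++] = (uint8_t)(port >> 8);    /* DSTPORT, network byte order */
    buf[i++] = (uint8_t)(port & 0xff);
    buf[i++] = 0; buf[i++] = 0;         /* DSTIP 0.0.0.1 tells the proxy */
    buf[i++] = 0; buf[i++] = 1;         /* to resolve HOST itself (4a)   */
    memcpy(buf + i, username, ulen); i += ulen;
    buf[i++] = 0;                       /* NUL ending USERID */
    memcpy(buf + i, hostname, hlen); i += hlen;
    buf[i++] = 0;                       /* NUL ending HOST: the byte the old macro forgot */
    return i;
}

/* Try the maximal case (constructed 255-byte username and 255-byte hostname)
 * against a buffer the caller claims holds buf_size bytes. Returns bytes
 * written, or 0 when the builder refused because it would have overflowed. */
size_t socks4a_try_maximal(size_t buf_size)
{
    char user[SOCKS4_MAX_LEN + 1], host[SOCKS4_MAX_LEN + 1];
    uint8_t buf[NEW_CONN_MSG_LEN];      /* real storage is always the safe size */

    if (buf_size > sizeof buf)
        return 0;
    memset(user, 'u', SOCKS4_MAX_LEN); user[SOCKS4_MAX_LEN] = '\0';
    memset(host, 'h', SOCKS4_MAX_LEN); host[SOCKS4_MAX_LEN] = '\0';
    return socks4a_build_connect(buf, buf_size, 1080, user, host);
}

int main(void)
{
    printf("maximal SOCKS4a CONNECT is %zu bytes\n", socks4a_max_connect_msg_len());
    printf("old buffer (%d bytes): %zu written\n",
           OLD_CONN_MSG_LEN, socks4a_try_maximal(OLD_CONN_MSG_LEN));
    printf("new buffer (%d bytes): %zu written\n",
           NEW_CONN_MSG_LEN, socks4a_try_maximal(NEW_CONN_MSG_LEN));
    return 0;
}
```

With the old constant the builder declines to write at all, which is the behaviour a bounds check buys you; the real code had no such check, so the same input wrote one byte past the end of the stack and heap buffers sized by the macro.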