Sorry, forgot to cc the installer team for the d-i ack. Full message quoted below.
On Sat, 16 Nov 2024 at 20:55:06 +0000, Simon McVittie wrote: > [ Reason ] > CVE-2024-52533, https://bugs.debian.org/1087419 > > [ Impact ] > Heap/stack buffer overflow with unknown impact (most likely just denial > of service via a crash) for users of SOCKS4a proxies. > > Mitigation: the overflow only occurs in the unusual situation that the > proxy was configured with a 255-byte username (I don't know whether proxy > autoconfiguration can set up this situation), and the user is also > connecting to a 255-byte hostname. > > The security team does not intend to issue a DSA for this minor > vulnerability. > > [ Tests ] > Not specifically tested, I don't know where to find an example of a > SOCKS4a proxy. > > An upgraded bookworm GNOME desktop system runs normally. > > [ Risks ] > I would say this is low risk despite the lack of test coverage: the only > change is to make a buffer 1 byte larger in two places (one on the stack, > one on the heap) to ensure that a maximally-long message cannot exceed > the buffer size. > > [ Checklist ] > [x] *all* changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in (old)stable > [x] the issue is verified as fixed in unstable > > [ Changes ] > All proposed changes are relevant to CVE-2024-52533. > > [ Other info ] > GLib has a udeb, so this needs a d-i ack (although I can't think of any > reason why the affected code would run in a d-i context). > diffstat for glib2.0-2.74.6 glib2.0-2.74.6 > > changelog | > 8 + > patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch | > 44 ++++++++++ > patches/series | > 1 > 3 files changed, 53 insertions(+) > > diff -Nru glib2.0-2.74.6/debian/changelog glib2.0-2.74.6/debian/changelog > --- glib2.0-2.74.6/debian/changelog 2024-10-28 08:41:03.000000000 +0000 > +++ glib2.0-2.74.6/debian/changelog 2024-11-14 09:42:34.000000000 +0000 > @@ -1,3 +1,11 @@ > +glib2.0 (2.74.6-2+deb12u5) bookworm; urgency=medium > + > + * d/p/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch: > + Fix a buffer overflow when configured to use a SOCKS4a proxy with a > + very long username (CVE-2024-52533, Closes: #1087419) > + > + -- Simon McVittie <s...@debian.org> Thu, 14 Nov 2024 09:42:34 +0000 > + > glib2.0 (2.74.6-2+deb12u4) bookworm; urgency=medium > > [ Helmut Grohne ] > diff -Nru > glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch > > glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch > --- > glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch > 2024-11-14 09:42:34.000000000 +0000 > @@ -0,0 +1,44 @@ > +From: Michael Catanzaro <mcatanz...@redhat.com> > +Date: Thu, 19 Sep 2024 18:35:53 +0100 > +Subject: gsocks4aproxy: Fix a single byte buffer overflow in connect messages > + > +`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul > +byte in the connect message, which is an addition in SOCKSv4a vs > +SOCKSv4. > + > +This means that the buffer for building and transmitting the connect > +message could be overflowed if the username and hostname are both > +`SOCKS4_MAX_LEN` (255) bytes long. > + > +Proxy configurations are normally statically configured, so the username > +is very unlikely to be near its maximum length, and hence this overflow > +is unlikely to be triggered in practice. > + > +(Commit message by Philip Withnall, diagnosis and fix by Michael > +Catanzaro.) > + > +CVE-2024-52533 > + > +Bug: https://gitlab.gnome.org/GNOME/glib/-/issues/3461 > +Bug-Debian: https://bugs.debian.org/1087419 > +Origin: upstream, 2.82.1, commit:ec0b708b981af77fef8e4bbb603cde4de4cd2e29 > +--- > + gio/gsocks4aproxy.c | 4 ++-- > + 1 file changed, 2 insertions(+), 2 deletions(-) > + > +diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c > +index 3dad118..b3146d0 100644 > +--- a/gio/gsocks4aproxy.c > ++++ b/gio/gsocks4aproxy.c > +@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy) > + * > +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ > + * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | > | NULL | > + * > +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ > +- * 1 1 2 4 variable 1 variable > ++ * 1 1 2 4 variable 1 variable > 1 > + */ > +-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2) > ++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2) > + static gint > + set_connect_msg (guint8 *msg, > + const gchar *hostname, > diff -Nru glib2.0-2.74.6/debian/patches/series > glib2.0-2.74.6/debian/patches/series > --- glib2.0-2.74.6/debian/patches/series 2024-10-28 08:41:03.000000000 > +0000 > +++ glib2.0-2.74.6/debian/patches/series 2024-11-14 09:42:34.000000000 > +0000 > @@ -43,3 +43,4 @@ > > CVE-2024-34397/gdbus-proxy-test-Wait-before-asserting-name-owner-has-gon.patch > > CVE-2024-34397/gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a.patch > gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch > +gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
