Your message dated Sat, 11 Jan 2025 11:03:08 +0000
with message-id <e1twzgm-009jyf...@coccia.debian.org>
and subject line Close 1087658
has caused the Debian Bug report #1087658,
regarding bookworm-pu: package glib2.0/2.74.6-2+deb12u5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1087658: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087658
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: glib...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:glib2.0
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
CVE-2024-52533, https://bugs.debian.org/1087419

[ Impact ]
Heap/stack buffer overflow with unknown impact (most likely just denial
of service via a crash) for users of SOCKS4a proxies.

Mitigation: the overflow only occurs in the unusual situation that the
proxy was configured with a 255-byte username (I don't know whether proxy
autoconfiguration can set up this situation), and the user is also
connecting to a 255-byte hostname.

The security team does not intend to issue a DSA for this minor
vulnerability.

[ Tests ]
Not specifically tested; I don't know where to find an example of a
SOCKS4a proxy.

An upgraded bookworm GNOME desktop system runs normally.

[ Risks ]
I would say this is low risk despite the lack of test coverage: the only
change is to make a buffer 1 byte larger in two places (one on the stack,
one on the heap) to ensure that a maximally-long message cannot exceed
the buffer size.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
All proposed changes are relevant to CVE-2024-52533.

[ Other info ]
GLib has a udeb, so this needs a d-i ack (although I can't think of any
reason why the affected code would run in a d-i context).
diffstat for glib2.0-2.74.6 glib2.0-2.74.6

 changelog                                                               |    8 +
 patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch |   44 ++++++++++
 patches/series                                                          |    1 
 3 files changed, 53 insertions(+)

diff -Nru glib2.0-2.74.6/debian/changelog glib2.0-2.74.6/debian/changelog
--- glib2.0-2.74.6/debian/changelog	2024-10-28 08:41:03.000000000 +0000
+++ glib2.0-2.74.6/debian/changelog	2024-11-14 09:42:34.000000000 +0000
@@ -1,3 +1,11 @@
+glib2.0 (2.74.6-2+deb12u5) bookworm; urgency=medium
+
+  * d/p/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch:
+    Fix a buffer overflow when configured to use a SOCKS4a proxy with a
+    very long username (CVE-2024-52533, Closes: #1087419)
+
+ -- Simon McVittie <s...@debian.org>  Thu, 14 Nov 2024 09:42:34 +0000
+
 glib2.0 (2.74.6-2+deb12u4) bookworm; urgency=medium
 
   [ Helmut Grohne ]
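Review bot: the changelog entry (the "Fix a buffer overflow ..." lines) understates the trigger condition: the patch description in this debdiff says the overflow needs both the username and the hostname to be SOCKS4_MAX_LEN (255) bytes, while the entry mentions only "a very long username". Suggest wording it as `Fix a one-byte buffer overflow when a SOCKS4a proxy is used with a 255-byte username and a 255-byte hostname (CVE-2024-52533, Closes: #1087419)` so an administrator reading apt-listchanges can judge exposure without opening the patch.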
diff -Nru glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
--- glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch	1970-01-01 01:00:00.000000000 +0100
+++ glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch	2024-11-14 09:42:34.000000000 +0000
@@ -0,0 +1,44 @@
+From: Michael Catanzaro <mcatanz...@redhat.com>
+Date: Thu, 19 Sep 2024 18:35:53 +0100
+Subject: gsocks4aproxy: Fix a single byte buffer overflow in connect messages
+
+`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
+byte in the connect message, which is an addition in SOCKSv4a vs
+SOCKSv4.
+
+This means that the buffer for building and transmitting the connect
+message could be overflowed if the username and hostname are both
+`SOCKS4_MAX_LEN` (255) bytes long.
+
+Proxy configurations are normally statically configured, so the username
+is very unlikely to be near its maximum length, and hence this overflow
+is unlikely to be triggered in practice.
+
+(Commit message by Philip Withnall, diagnosis and fix by Michael
+Catanzaro.)
+
+CVE-2024-52533
+
+Bug: https://gitlab.gnome.org/GNOME/glib/-/issues/3461
+Bug-Debian: https://bugs.debian.org/1087419
+Origin: upstream, 2.82.1, commit:ec0b708b981af77fef8e4bbb603cde4de4cd2e29
+---
+ gio/gsocks4aproxy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c
+index 3dad118..b3146d0 100644
+--- a/gio/gsocks4aproxy.c
++++ b/gio/gsocks4aproxy.c
+@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy)
+  * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+  * | VN | CD | DSTPORT |      DSTIP        | USERID       |NULL| HOST |    | NULL |
+  * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+- *    1    1      2              4           variable       1    variable
++ *    1    1      2              4           variable       1    variable    1
+  */
+-#define SOCKS4_CONN_MSG_LEN	    (9 + SOCKS4_MAX_LEN * 2)
++#define SOCKS4_CONN_MSG_LEN	    (10 + SOCKS4_MAX_LEN * 2)
+ static gint
+ set_connect_msg (guint8      *msg,
+ 		 const gchar *hostname,
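Review bot: this hunk changes only the SOCKS4_CONN_MSG_LEN macro (9 to 10) and the layout comment, so the statement in the request that the buffer is enlarged "in two places (one on the stack, one on the heap)" holds only if both allocation sites are sized from this macro; neither site is visible in the debdiff, so please confirm that the callers of set_connect_msg derive their buffer sizes from SOCKS4_CONN_MSG_LEN rather than from a separate literal. The fix also relies on USERID and HOST each being bounded to SOCKS4_MAX_LEN before the message is assembled, which is likewise outside this hunk. The DEP-3 headers (Origin with the upstream commit, Bug, Bug-Debian) are complete and the comment table now agrees with the new constant.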
diff -Nru glib2.0-2.74.6/debian/patches/series glib2.0-2.74.6/debian/patches/series
--- glib2.0-2.74.6/debian/patches/series	2024-10-28 08:41:03.000000000 +0000
+++ glib2.0-2.74.6/debian/patches/series	2024-11-14 09:42:34.000000000 +0000
@@ -43,3 +43,4 @@
 CVE-2024-34397/gdbus-proxy-test-Wait-before-asserting-name-owner-has-gon.patch
 CVE-2024-34397/gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a.patch
 gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch
+gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
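Review bot: style point only: the CVE-2024-34397 backports in this series are grouped under a CVE-named subdirectory, whereas this CVE fix is added at top level like the gdbusmessage patch before it. Both conventions already appear in the file, so this is acceptable, but placing it under CVE-2024-52533/ would keep security backports easy to locate. Appending it at the end of the series is the usual placement for a new patch.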

--- End Message ---
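A worked illustration of the length arithmetic behind the patch above, added here as example code that is not part of GLib or the debdiff: it mirrors the SOCKS4a CONNECT layout from the gsocks4aproxy.c comment, reuses the page's macro names, and shows that a 255-byte USERID plus a 255-byte HOST needs exactly one byte more than the pre-fix constant allowed. The DSTIP value 0.0.0.1 is the SOCKS4a "resolve the hostname remotely" marker from the protocol, an assumption not stated on the page, and the builder rejects oversized fields or buffers instead of writing past them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCKS4_MAX_LEN 255
#define SOCKS4_CONN_MSG_LEN_OLD (9 + SOCKS4_MAX_LEN * 2)  /* constant before the fix */
#define SOCKS4_CONN_MSG_LEN     (10 + SOCKS4_MAX_LEN * 2) /* constant after the fix */

/* Bytes needed for one CONNECT request: VN CD DSTPORT DSTIP USERID NUL HOST NUL. */
size_t socks4a_connect_msg_len(size_t user_len, size_t host_len)
{
    return 1 + 1 + 2 + 4 + user_len + 1 + host_len + 1;
}

/* Serialise a CONNECT request; returns bytes written, or 0 if a field is too
 * long or the buffer is smaller than the message needs. */
size_t socks4a_build_connect(uint8_t *msg, size_t msg_size, uint16_t port,
                             const char *user, const char *host)
{
    size_t ulen = strlen(user), hlen = strlen(host), i = 0;
    if (ulen > SOCKS4_MAX_LEN || hlen > SOCKS4_MAX_LEN) return 0;
    if (socks4a_connect_msg_len(ulen, hlen) > msg_size) return 0;
    msg[i++] = 0x04;                                  /* VN: SOCKS version 4 */
    msg[i++] = 0x01;                                  /* CD: CONNECT */
    msg[i++] = (uint8_t)(port >> 8);                  /* DSTPORT, big-endian */
    msg[i++] = (uint8_t)(port & 0xff);
    msg[i++] = 0; msg[i++] = 0; msg[i++] = 0; msg[i++] = 1; /* DSTIP 0.0.0.1: SOCKS4a "resolve HOST remotely" marker (assumed) */
    memcpy(msg + i, user, ulen); i += ulen;
    msg[i++] = 0;                                     /* NUL after USERID */
    memcpy(msg + i, host, hlen); i += hlen;
    msg[i++] = 0;                 /* NUL after HOST: the byte the old constant left out */
    return i;
}

/* Maximal case (255-byte USERID and HOST) against a buf_size-byte buffer: 1 if it fits. */
int maximal_message_fits(size_t buf_size)
{
    uint8_t buf[SOCKS4_CONN_MSG_LEN];
    char user[SOCKS4_MAX_LEN + 1], host[SOCKS4_MAX_LEN + 1];
    memset(user, 'u', SOCKS4_MAX_LEN); user[SOCKS4_MAX_LEN] = '\0';
    memset(host, 'h', SOCKS4_MAX_LEN); host[SOCKS4_MAX_LEN] = '\0';
    if (buf_size > sizeof buf) return 0;
    return socks4a_build_connect(buf, buf_size, 1080, user, host) != 0;
}
int main(void)
{
    printf("maximal message needs %zu bytes, old constant %d, new %d\n",
           socks4a_connect_msg_len(255, 255), SOCKS4_CONN_MSG_LEN_OLD, SOCKS4_CONN_MSG_LEN);
    return 0;
}
```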
--- Begin Message ---
Version: 12.9
This update has been released as part of 12.9. Thank you for your contribution.

--- End Message ---