From eba29db45d1e24b4a4f6d06358ff84e6c3b42525 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Tue, 10 Dec 2024 12:35:26 +0100
Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 glib2 revision 1bf207558529c4f3acb08f9eaf400481

---
 glib2-CVE-2024-52533.patch | 45 ++++++++++++++++++++++++++++++++++++++
 glib2.changes | 6 +++++
 glib2.spec | 3 +++
 3 files changed, 54 insertions(+)
 create mode 100644 glib2-CVE-2024-52533.patch

diff --git a/glib2-CVE-2024-52533.patch b/glib2-CVE-2024-52533.patch
new file mode 100644
index 0000000..bcd1c63
--- /dev/null
+++ b/glib2-CVE-2024-52533.patch
@@ -0,0 +1,45 @@
+From 25833cefda24c60af913d6f2d532b5afd608b821 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Thu, 19 Sep 2024 18:35:53 +0100
+Subject: [PATCH] gsocks4aproxy: Fix a single byte buffer overflow in connect
+ messages
+
+`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
+byte in the connect message, which is an addition in SOCKSv4a vs
+SOCKSv4.
+
+This means that the buffer for building and transmitting the connect
+message could be overflowed if the username and hostname are both
+`SOCKS4_MAX_LEN` (255) bytes long.
+
+Proxy configurations are normally statically configured, so the username
+is very unlikely to be near its maximum length, and hence this overflow
+is unlikely to be triggered in practice.
+
+(Commit message by Philip Withnall, diagnosis and fix by Michael
+Catanzaro.)
+
+Fixes: #3461
+---
+ gio/gsocks4aproxy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c
+index 3dad118eb..b3146d08f 100644
+--- a/gio/gsocks4aproxy.c
++++ b/gio/gsocks4aproxy.c
+@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy)
+ * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+ * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL |
+ * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+- * 1 1 2 4 variable 1 variable
++ * 1 1 2 4 variable 1 variable 1
+ */
+-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2)
++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2)
+ static gint
+ set_connect_msg (guint8 *msg,
+ const gchar *hostname,
+--
+2.47.0
+
diff --git a/glib2.changes b/glib2.changes
index e59515c..c7118ad 100644
--- a/glib2.changes
+++ b/glib2.changes
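Review bot: The corrected `SOCKS4_CONN_MSG_LEN` `(10 + SOCKS4_MAX_LEN * 2)` matches the layout in the comment directly above it (1+1+2+4 fixed bytes, two fields of at most SOCKS4_MAX_LEN, two NUL terminators), but that bound only holds if every caller of set_connect_msg rejects or truncates a userid or hostname longer than SOCKS4_MAX_LEN; set_connect_msg's body and its callers lie outside this hunk, so that could not be confirmed here and is worth checking in the backported tree. The define also keeps the fixed part as a bare constant, which is exactly how the off-by-one slipped in; spelling the layout out, `#define SOCKS4_CONN_MSG_LEN (8 + SOCKS4_MAX_LEN + 1 + SOCKS4_MAX_LEN + 1)`, lets a reader check it against the diagram field by field. Since this file is a verbatim copy of upstream commit 25833cefda24, that rewording belongs upstream rather than in the SUSE patch.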
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Nov 26 15:45:58 UTC 2024 - Michael Gorse
+
+- Add glib2-CVE-2024-52533.patch: fix a single byte buffer overflow
+ (boo#1233282 CVE-2024-52533 glgo#GNOME/glib#3461).
+
 -------------------------------------------------------------------
 Mon Aug 19 19:42:14 UTC 2024 - Michael Gorse
diff --git a/glib2.spec b/glib2.spec
index 7719603..ce4917b 100644
--- a/glib2.spec
+++ b/glib2.spec
@@ -60,6 +60,8 @@ Patch4: glib2-gdbus-codegen-version.patch
 Patch5: glib2-CVE-2024-34397.patch
 # PATCH-FIX-UPSTREAM glib2-fix-ibus-regression.patch boo#1124044 mgorse@suse.com -- allow name owners to have the syntax of a well-known name.
 Patch6: glib2-fix-ibus-regression.patch
+# PATCH-FIX-UPSTREAM glib2-CVE-2024-52533.patch boo#1233282 mgorse@suse.com -- fix a single byte buffer overflow.
+Patch7: glib2-CVE-2024-52533.patch
 BuildRequires: docbook-xsl-stylesheets
 BuildRequires: fdupes
@@ -264,6 +266,7 @@ the functionality of the installed glib2 package.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 cp -a %{SOURCE1} %{SOURCE2} %{SOURCE5} .
 cp -a %{SOURCE4} gnome_defaults.conf