Bug#1087658: bookworm-pu: package glib2.0/2.74.6-2+deb12u5
Simon McVittie
2024-11-16 21:40:01 UTC
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ***@packages.debian.org, ***@security.debian.org
Control: affects -1 + src:glib2.0
User: ***@packages.debian.org
Usertags: pu

[ Reason ]
CVE-2024-52533, https://bugs.debian.org/1087419

[ Impact ]
Heap/stack buffer overflow with unknown impact (most likely just denial
of service via a crash) for users of SOCKS4a proxies.

Mitigation: the overflow only occurs in the unusual situation that the
proxy was configured with a 255-byte username (I don't know whether proxy
autoconfiguration can set up this situation), and the user is also
connecting to a 255-byte hostname.

The security team does not intend to issue a DSA for this minor
vulnerability.

[ Tests ]
Not specifically tested; I don't know where to find an example of a
SOCKS4a proxy.

An upgraded bookworm GNOME desktop system runs normally.

[ Risks ]
I would say this is low risk despite the lack of test coverage: the only
change is to make a buffer 1 byte larger in two places (one on the stack,
one on the heap) to ensure that a maximally-long message cannot exceed
the buffer size.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
All proposed changes are relevant to CVE-2024-52533.

[ Other info ]
GLib has a udeb, so this needs a d-i ack (although I can't think of any
reason why the affected code would run in a d-i context).
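As an added illustration (this is not GLib's code and not part of the debdiff in this bug), the C program below derives the SOCKS4a CONNECT message size from the field layout named in the patch (VN, CD, DSTPORT, DSTIP, USERID, NUL, HOST, NUL) and shows why a buffer sized `9 + SOCKS4_MAX_LEN * 2` is one byte short when both the username and the hostname are 255 bytes, while `10 + SOCKS4_MAX_LEN * 2` fits exactly. The builder checks bounds before writing, so an undersized buffer makes it refuse rather than overflow. The `0.0.0.1` DSTIP marker for "resolve HOST on the proxy" is the standard SOCKS4a convention and is not on this page; all function names, the `OLD_`/`NEW_` macro names and the sample inputs are the example's own construction.

```c
/* Added example: sizing and bounds-checked construction of a SOCKS4a
 * CONNECT message. Not GLib code; names and sample values are constructed.
 *
 * Layout (from the diagram in the GLib patch):
 *   VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID(var) NUL(1) HOST(var) NUL(1)
 * Fixed part = 10 bytes. The pre-fix macro counted only 9. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCKS4_MAX_LEN 255
#define OLD_SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2)   /* sizing before the fix (CVE-2024-52533) */
#define NEW_SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2)  /* sizing after the fix */

/* Exact byte count of a SOCKS4a CONNECT message for these field lengths. */
size_t socks4a_connect_msg_len(size_t user_len, size_t host_len)
{
    return 1 + 1 + 2 + 4 + user_len + 1 + host_len + 1;
}

/* Build a SOCKS4a CONNECT (CD=1) message into buf without ever writing past
 * buf_size. Returns bytes written, or 0 if a field exceeds the protocol limit
 * or the buffer is too small (nothing is written in that case). */
size_t socks4a_build_connect(uint8_t *buf, size_t buf_size,
                             const char *username, const char *hostname,
                             uint16_t port)
{
    size_t user_len = strlen(username);
    size_t host_len = strlen(hostname);
    if (user_len > SOCKS4_MAX_LEN || host_len > SOCKS4_MAX_LEN)
        return 0;
    size_t need = socks4a_connect_msg_len(user_len, host_len);
    if (need > buf_size)
        return 0;                         /* refuse instead of overflowing */

    size_t i = 0;
    buf[i++] = 4;                         /* VN: SOCKS version 4 */
    buf[i++] = 1;                         /* CD: CONNECT */
    buf[i++] = (uint8_t)(port >> 8);      /* DSTPORT, big-endian */
    buf[i++] = (uint8_t)(port & 0xff);
    buf[i++] = 0; buf[i++] = 0; buf[i++] = 0; buf[i++] = 1; /* DSTIP 0.0.0.1: SOCKS4a "resolve HOST remotely" */
    memcpy(buf + i, username, user_len); i += user_len;
    buf[i++] = 0;                         /* NUL after USERID (plain SOCKS4) */
    memcpy(buf + i, hostname, host_len); i += host_len;
    buf[i++] = 0;                         /* NUL after HOST: the SOCKS4a byte the old macro omitted */
    return i;
}

/* True if a buffer of buf_size bytes can hold the largest legal message. */
bool socks4a_buffer_is_safe(size_t buf_size)
{
    return buf_size >= socks4a_connect_msg_len(SOCKS4_MAX_LEN, SOCKS4_MAX_LEN);
}

/* Demo helper: attempt to build the maximal (255/255) message into a buffer
 * of buf_size bytes. Returns bytes written, or 0 when the bounds check refused. */
size_t try_build_max(size_t buf_size)
{
    static char user[SOCKS4_MAX_LEN + 1], host[SOCKS4_MAX_LEN + 1];
    memset(user, 'u', SOCKS4_MAX_LEN); user[SOCKS4_MAX_LEN] = '\0';
    memset(host, 'h', SOCKS4_MAX_LEN); host[SOCKS4_MAX_LEN] = '\0';
    uint8_t buf[NEW_SOCKS4_CONN_MSG_LEN];   /* large enough for any size we pass */
    if (buf_size > sizeof buf)
        return 0;
    return socks4a_build_connect(buf, buf_size, user, host, 1080);
}

int main(void)
{
    printf("largest legal message: %zu bytes\n",
           socks4a_connect_msg_len(SOCKS4_MAX_LEN, SOCKS4_MAX_LEN));
    printf("old macro %d: %s\n", OLD_SOCKS4_CONN_MSG_LEN,
           socks4a_buffer_is_safe(OLD_SOCKS4_CONN_MSG_LEN) ? "fits" : "one byte short");
    printf("new macro %d: %s\n", NEW_SOCKS4_CONN_MSG_LEN,
           socks4a_buffer_is_safe(NEW_SOCKS4_CONN_MSG_LEN) ? "fits" : "one byte short");
    printf("build with old size -> %zu bytes, with new size -> %zu bytes\n",
           try_build_max(OLD_SOCKS4_CONN_MSG_LEN), try_build_max(NEW_SOCKS4_CONN_MSG_LEN));
    return 0;
}
```

The bounds check in `socks4a_build_connect` is the defensive pattern worth copying: compute the required length from the same layout the writer uses, compare it with the destination size before the first write, and make an undersized buffer a refused call rather than a silent off-by-one.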
Debian Bug Tracking System
2024-11-16 21:50:01 UTC
Post by Simon McVittie
affects -1 + src:glib2.0
Bug #1087658 [release.debian.org] bookworm-pu: package glib2.0/2.74.6-2+deb12u5
Added indication that 1087658 affects src:glib2.0
--
1087658: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087658
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Simon McVittie
2024-11-16 23:30:01 UTC
Sorry, forgot to cc the installer team for the d-i ack. Full message
quoted below.
Post by Simon McVittie
[ Reason ]
CVE-2024-52533, https://bugs.debian.org/1087419
[ Impact ]
Heap/stack buffer overflow with unknown impact (most likely just denial
of service via a crash) for users of SOCKS4a proxies.
Mitigation: the overflow only occurs in the unusual situation that the
proxy was configured with a 255-byte username (I don't know whether proxy
autoconfiguration can set up this situation), and the user is also
connecting to a 255-byte hostname.
The security team does not intend to issue a DSA for this minor
vulnerability.
[ Tests ]
Not specifically tested; I don't know where to find an example of a
SOCKS4a proxy.
An upgraded bookworm GNOME desktop system runs normally.
[ Risks ]
I would say this is low risk despite the lack of test coverage: the only
change is to make a buffer 1 byte larger in two places (one on the stack,
one on the heap) to ensure that a maximally-long message cannot exceed
the buffer size.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
All proposed changes are relevant to CVE-2024-52533.
[ Other info ]
GLib has a udeb, so this needs a d-i ack (although I can't think of any
reason why the affected code would run in a d-i context).
diffstat for glib2.0-2.74.6 glib2.0-2.74.6
changelog | 8 +
patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch | 44 ++++++++++
patches/series | 1
3 files changed, 53 insertions(+)
diff -Nru glib2.0-2.74.6/debian/changelog glib2.0-2.74.6/debian/changelog
--- glib2.0-2.74.6/debian/changelog 2024-10-28 08:41:03.000000000 +0000
+++ glib2.0-2.74.6/debian/changelog 2024-11-14 09:42:34.000000000 +0000
@@ -1,3 +1,11 @@
+glib2.0 (2.74.6-2+deb12u5) bookworm; urgency=medium
+
+ Fix a buffer overflow when configured to use a SOCKS4a proxy with a
+ very long username (CVE-2024-52533, Closes: #1087419)
+
+
glib2.0 (2.74.6-2+deb12u4) bookworm; urgency=medium
[ Helmut Grohne ]
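Review bot: the new changelog entry names only "a very long username" as the trigger, but the [Impact] section and the patch description both say the overflow needs the username and the hostname to each be 255 bytes; amending the line to "...SOCKS4a proxy with a very long username and hostname" would make the entry match the real precondition. Separately, the hunk header and diffstat count 8 added lines while only 6 `+` lines are visible here, so the quoted hunk appears truncated in this rendering; check the debdiff itself rather than this copy.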
diff -Nru glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
--- glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch 1970-01-01 01:00:00.000000000 +0100
+++ glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch 2024-11-14 09:42:34.000000000 +0000
@@ -0,0 +1,44 @@
+Date: Thu, 19 Sep 2024 18:35:53 +0100
+Subject: gsocks4aproxy: Fix a single byte buffer overflow in connect messages
+
+`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
+byte in the connect message, which is an addition in SOCKSv4a vs
+SOCKSv4.
+
+This means that the buffer for building and transmitting the connect
+message could be overflowed if the username and hostname are both
+`SOCKS4_MAX_LEN` (255) bytes long.
+
+Proxy configurations are normally statically configured, so the username
+is very unlikely to be near its maximum length, and hence this overflow
+is unlikely to be triggered in practice.
+
+(Commit message by Philip Withnall, diagnosis and fix by Michael
+Catanzaro.)
+
+CVE-2024-52533
+
+Bug: https://gitlab.gnome.org/GNOME/glib/-/issues/3461
+Bug-Debian: https://bugs.debian.org/1087419
+Origin: upstream, 2.82.1, commit:ec0b708b981af77fef8e4bbb603cde4de4cd2e29
+---
+ gio/gsocks4aproxy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c
+index 3dad118..b3146d0 100644
+--- a/gio/gsocks4aproxy.c
++++ b/gio/gsocks4aproxy.c
+ * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+ * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL |
+ * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+- * 1 1 2 4 variable 1 variable
++ * 1 1 2 4 variable 1 variable 1
+ */
+-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2)
++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2)
+ static gint
+ set_connect_msg (guint8 *msg,
+ const gchar *hostname,
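Review bot: the embedded patch's inner diff goes from `+++ b/gio/gsocks4aproxy.c` straight into the comment diagram with no `@@` hunk header, and the outer header `@@ -0,0 +1,44 @@` promises 44 lines while 42 appear here, so the patch as quoted would not apply; verify the copy in the source package is intact rather than relying on this rendering. On substance the macro change is right: the diagram gives VN(1) + CD(1) + DSTPORT(2) + DSTIP(4) + two NUL terminators = 10 fixed bytes plus two variable fields of at most SOCKS4_MAX_LEN, so `#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2)` exactly fits the largest legal message. Since the diff changes only the macro and its comment, the "two places" mentioned in [Risks] are covered only if both the stack buffer and the heap buffer are sized via SOCKS4_CONN_MSG_LEN; worth confirming no allocation in that file hardcodes the old constant.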
diff -Nru glib2.0-2.74.6/debian/patches/series glib2.0-2.74.6/debian/patches/series
--- glib2.0-2.74.6/debian/patches/series 2024-10-28 08:41:03.000000000 +0000
+++ glib2.0-2.74.6/debian/patches/series 2024-11-14 09:42:34.000000000 +0000
@@ -43,3 +43,4 @@
CVE-2024-34397/gdbus-proxy-test-Wait-before-asserting-name-owner-has-gon.patch
CVE-2024-34397/gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a.patch
gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch
+gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
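Review bot: style only: the preceding CVE fixes are grouped as `CVE-2024-34397/...` while this patch is added at top level with its CVE number only in its DEP-3 header; placing it under a `CVE-2024-52533/` directory would keep the series file greppable by CVE in the same way as those entries. The file name does match the patch's Subject line, which is fine for traceability either way.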
Cyril Brulebois
2024-11-17 07:40:01 UTC
Post by Simon McVittie
Sorry, forgot to cc the installer team for the d-i ack. Full message
quoted below.
No objection, thanks and no worries.


Cheers,
--
Cyril Brulebois (***@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
Jonathan Wiltshire
2024-11-17 11:00:01 UTC
package release.debian.org
tags 1087658 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: glib2.0
Version: 2.74.6-2+deb12u5

Explanation: fix buffer overflow when configured to use a SOCKS4a proxy with a very long username [CVE-2024-52533]
Debian Bug Tracking System
2024-11-17 11:00:01 UTC
Post by Jonathan Wiltshire
package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'
Post by Jonathan Wiltshire
tags 1087658 = bookworm pending
Bug #1087658 [release.debian.org] bookworm-pu: package glib2.0/2.74.6-2+deb12u5
Added tag(s) pending.
Post by Jonathan Wiltshire
thanks
Stopping processing here.

Please contact me if you need assistance.
--
1087658: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087658
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2025-01-11 11:20:13 UTC
Your message dated Sat, 11 Jan 2025 11:03:08 +0000
with message-id <E1tWZGm-009jYF-***@coccia.debian.org>
and subject line Close 1087658
has caused the Debian Bug report #1087658,
regarding bookworm-pu: package glib2.0/2.74.6-2+deb12u5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
1087658: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087658
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems