diff options
| author | Siddharth Doshi <sdoshi@mvista.com> | 2023-10-15 21:00:39 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-10-20 05:35:30 -1000 |
| commit | aa99487732ab1ae453becdda08a3e72de0b7b269 (patch) | |
| tree | 4e116f258212e3f01bcc04c3f1882916252b4cdf /meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch | |
| parent | 8ae21cd487a6147c3a2c9c2c0f0b2d5d149b7caf (diff) | |
| download | poky-aa99487732ab1ae453becdda08a3e72de0b7b269.tar.gz | |
glib-2.0: Fix multiple vulnerabilities
CVE's Fixed:
CVE-2023-29499: glib: GVariant offset table entry size is not checked in is_normal()
CVE-2023-32611: glib: g_variant_byteswap() can take a long time with some non-normal inputs
CVE-2023-32636: glib: Timeout in fuzz_variant_text
CVE-2023-32643: glib: Heap-buffer-overflow in g_variant_serialised_get_child
CVE-2023-32665: glib: GVariant deserialisation does not match spec for non-normal data
(From OE-Core rev: b576beba80d44e67762d46bf3bc2f14c05bc0f6b)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch')
| -rw-r--r-- | meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch new file mode 100644 index 0000000000..533142b22a --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch | |||
| @@ -0,0 +1,49 @@ | |||
| 1 | From 21a204147b16539b3eda3143b32844c49e29f4d4 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Philip Withnall <pwithnall@endlessos.org> | ||
| 3 | Date: Thu, 17 Aug 2023 11:33:49 +0000 | ||
| 4 | Subject: [PATCH] gvariant: Propagate trust when getting a child of a | ||
| 5 | serialised variant | ||
| 6 | |||
| 7 | If a variant is trusted, that means all its children are trusted, so | ||
| 8 | ensure that their checked offsets are set as such. | ||
| 9 | |||
| 10 | This allows a lot of the offset table checks to be avoided when getting | ||
| 11 | children from trusted serialised tuples, which speeds things up. | ||
| 12 | |||
| 13 | No unit test is included because this is just a performance fix. If | ||
| 14 | there are other slownesses, or regressions, in serialised `GVariant` | ||
| 15 | performance, the fuzzing setup will catch them like it did this one. | ||
| 16 | |||
| 17 | This change does reduce the time to run the oss-fuzz reproducer from 80s | ||
| 18 | to about 0.7s on my machine. | ||
| 19 | |||
| 20 | Signed-off-by: Philip Withnall <pwithnall@endlessos.org> | ||
| 21 | |||
| 22 | Fixes: #2841 | ||
| 23 | oss-fuzz#54314 | ||
| 24 | |||
| 25 | CVE: CVE-2023-32636 | ||
| 26 | Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/21a204147b16539b3eda3143b32844c49e29f4d4] | ||
| 27 | Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> | ||
| 28 | --- | ||
| 29 | glib/gvariant-core.c | 4 ++-- | ||
| 30 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
| 31 | |||
| 32 | diff --git a/glib/gvariant-core.c b/glib/gvariant-core.c | ||
| 33 | index 1b9d5cc..ed57c70 100644 | ||
| 34 | --- a/glib/gvariant-core.c | ||
| 35 | +++ b/glib/gvariant-core.c | ||
| 36 | @@ -1173,8 +1173,8 @@ g_variant_get_child_value (GVariant *value, | ||
| 37 | child->contents.serialised.bytes = | ||
| 38 | g_bytes_ref (value->contents.serialised.bytes); | ||
| 39 | child->contents.serialised.data = s_child.data; | ||
| 40 | - child->contents.serialised.ordered_offsets_up_to = s_child.ordered_offsets_up_to; | ||
| 41 | - child->contents.serialised.checked_offsets_up_to = s_child.checked_offsets_up_to; | ||
| 42 | + child->contents.serialised.ordered_offsets_up_to = (value->state & STATE_TRUSTED) ? G_MAXSIZE : s_child.ordered_offsets_up_to; | ||
| 43 | + child->contents.serialised.checked_offsets_up_to = (value->state & STATE_TRUSTED) ? G_MAXSIZE : s_child.checked_offsets_up_to; | ||
| 44 | |||
| 45 | return child; | ||
| 46 | } | ||
| 47 | -- | ||
| 48 | 2.24.4 | ||
| 49 | |||