| author | Siddharth Doshi <sdoshi@mvista.com> | 2023-10-15 21:00:39 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-10-20 05:35:30 -1000 |
| commit | aa99487732ab1ae453becdda08a3e72de0b7b269 (patch) | |
| tree | 4e116f258212e3f01bcc04c3f1882916252b4cdf /meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch | |
| parent | 8ae21cd487a6147c3a2c9c2c0f0b2d5d149b7caf (diff) | |
| download | poky-aa99487732ab1ae453becdda08a3e72de0b7b269.tar.gz | |
glib-2.0: Fix multiple vulnerabilities
CVEs Fixed:
CVE-2023-29499: glib: GVariant offset table entry size is not checked in is_normal()
CVE-2023-32611: glib: g_variant_byteswap() can take a long time with some non-normal inputs
CVE-2023-32636: glib: Timeout in fuzz_variant_text
CVE-2023-32643: glib: Heap-buffer-overflow in g_variant_serialised_get_child
CVE-2023-32665: glib: GVariant deserialisation does not match spec for non-normal data
(From OE-Core rev: b576beba80d44e67762d46bf3bc2f14c05bc0f6b)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch')
-rw-r--r-- | meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch new file mode 100644 index 0000000000..533142b22a --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 21a204147b16539b3eda3143b32844c49e29f4d4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Philip Withnall <pwithnall@endlessos.org> | ||
3 | Date: Thu, 17 Aug 2023 11:33:49 +0000 | ||
4 | Subject: [PATCH] gvariant: Propagate trust when getting a child of a | ||
5 | serialised variant | ||
6 | |||
7 | If a variant is trusted, that means all its children are trusted, so | ||
8 | ensure that their checked offsets are set as such. | ||
9 | |||
10 | This allows a lot of the offset table checks to be avoided when getting | ||
11 | children from trusted serialised tuples, which speeds things up. | ||
12 | |||
13 | No unit test is included because this is just a performance fix. If | ||
14 | there are other slownesses, or regressions, in serialised `GVariant` | ||
15 | performance, the fuzzing setup will catch them like it did this one. | ||
16 | |||
17 | This change does reduce the time to run the oss-fuzz reproducer from 80s | ||
18 | to about 0.7s on my machine. | ||
19 | |||
20 | Signed-off-by: Philip Withnall <pwithnall@endlessos.org> | ||
21 | |||
22 | Fixes: #2841 | ||
23 | oss-fuzz#54314 | ||
24 | |||
25 | CVE: CVE-2023-32636 | ||
26 | Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/21a204147b16539b3eda3143b32844c49e29f4d4] | ||
27 | Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> | ||
28 | --- | ||
29 | glib/gvariant-core.c | 4 ++-- | ||
30 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
31 | |||
32 | diff --git a/glib/gvariant-core.c b/glib/gvariant-core.c | ||
33 | index 1b9d5cc..ed57c70 100644 | ||
34 | --- a/glib/gvariant-core.c | ||
35 | +++ b/glib/gvariant-core.c | ||
36 | @@ -1173,8 +1173,8 @@ g_variant_get_child_value (GVariant *value, | ||
37 | child->contents.serialised.bytes = | ||
38 | g_bytes_ref (value->contents.serialised.bytes); | ||
39 | child->contents.serialised.data = s_child.data; | ||
40 | - child->contents.serialised.ordered_offsets_up_to = s_child.ordered_offsets_up_to; | ||
41 | - child->contents.serialised.checked_offsets_up_to = s_child.checked_offsets_up_to; | ||
42 | + child->contents.serialised.ordered_offsets_up_to = (value->state & STATE_TRUSTED) ? G_MAXSIZE : s_child.ordered_offsets_up_to; | ||
43 | + child->contents.serialised.checked_offsets_up_to = (value->state & STATE_TRUSTED) ? G_MAXSIZE : s_child.checked_offsets_up_to; | ||
44 | |||
45 | return child; | ||
46 | } | ||
47 | -- | ||
48 | 2.24.4 | ||
49 | |||
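Review bot: the embedded gvariant-core.c hunk only rewrites the assignments to `child->contents.serialised.ordered_offsets_up_to` and `checked_offsets_up_to` (the `-` lines show those fields already exist at this point), so this patch must be ordered in SRC_URI after the patches that introduce those fields, presumably the CVE-2023-32665 series named in the commit message; since the diffstat here is limited to the new .patch file, the corresponding SRC_URI edit in the glib-2.0 recipe is not visible and should be confirmed to land in the same commit and in the right order. It would also help to state in the backport header that the hunk does not set the child's own `state` to STATE_TRUSTED, only its offset caches to G_MAXSIZE, so the reviewer of the target tree (index 1b9d5cc..ed57c70) can check that the surrounding code already propagates the trusted state to children as upstream does.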