From 4506d1859a863087598c8d122740bae25b65b099 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Mon, 8 Feb 2021 10:04:48 +0000 Subject: [PATCH 4/5] gtlspassword: Fix inverted assertion The intention here was to assert that the length of the password fits in a gssize. Passwords more than half the size of virtual memory are probably excessive. Fixes: a8b204ff "gtlspassword: Forbid very long TLS passwords" Signed-off-by: Simon McVittie (cherry picked from commit 61bb52ec42de1082bfb06ce1c737fc295bfe60b8) Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz] CVE: CVE-2021-27219 Signed-off-by: Ranjitsinh Rathod --- gio/gtlspassword.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gio/gtlspassword.c b/gio/gtlspassword.c index dbcec41a8..bd86a6dfe 100644 --- a/gio/gtlspassword.c +++ b/gio/gtlspassword.c @@ -291,7 +291,7 @@ g_tls_password_set_value (GTlsPassword *password, { /* FIXME: g_tls_password_set_value_full() doesn’t support unsigned gsize */ gsize length_unsigned = strlen ((gchar *) value); - g_return_if_fail (length_unsigned > G_MAXSSIZE); + g_return_if_fail (length_unsigned <= G_MAXSSIZE); length = (gssize) length_unsigned; } -- GitLab