From 3be25b503f789bde65e822ed835f7d81f6670858 Mon Sep 17 00:00:00 2001 From: Vijay Anusuri Date: Thu, 14 Nov 2024 18:09:03 +0530 Subject: glib-2.0: Backport fix for CVE-2024-52533 Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/glib/-/commit/ec0b708b981af77fef8e4bbb603cde4de4cd2e29 Reference: https://security-tracker.debian.org/tracker/CVE-2024-52533 (From OE-Core rev: c7ecdd6530e18efd651e2ea57565481f66f7b1cf) Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../glib-2.0/glib-2.0/CVE-2024-52533.patch | 49 ++++++++++++++++++++++ meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-52533.patch diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-52533.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-52533.patch new file mode 100644 index 0000000000..3a06a9d782 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-52533.patch @@ -0,0 +1,49 @@ +From ec0b708b981af77fef8e4bbb603cde4de4cd2e29 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 19 Sep 2024 18:35:53 +0100 +Subject: [PATCH] gsocks4aproxy: Fix a single byte buffer overflow in connect + messages + +`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul +byte in the connect message, which is an addition in SOCKSv4a vs +SOCKSv4. + +This means that the buffer for building and transmitting the connect +message could be overflowed if the username and hostname are both +`SOCKS4_MAX_LEN` (255) bytes long. + +Proxy configurations are normally statically configured, so the username +is very unlikely to be near its maximum length, and hence this overflow +is unlikely to be triggered in practice. + +(Commit message by Philip Withnall, diagnosis and fix by Michael +Catanzaro.) + +Fixes: #3461 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/ec0b708b981af77fef8e4bbb603cde4de4cd2e29] +CVE: CVE-2024-52533 +Signed-off-by: Vijay Anusuri +--- + gio/gsocks4aproxy.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c +index 3dad118eb7..b3146d08fd 100644 +--- a/gio/gsocks4aproxy.c ++++ b/gio/gsocks4aproxy.c +@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy) + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ + * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL | + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ +- * 1 1 2 4 variable 1 variable ++ * 1 1 2 4 variable 1 variable 1 + */ +-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2) ++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2) + static gint + set_connect_msg (guint8 *msg, + const gchar *hostname, +-- +GitLab + diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb index 239099d568..8007de0613 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb @@ -50,6 +50,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://CVE-2024-34397_17.patch \ file://CVE-2024-34397_18.patch \ file://0001-gvariant-serialiser-Convert-endianness-of-offsets.patch \ + file://CVE-2024-52533.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch" -- cgit v1.2.3-54-g00ecf