Your message dated Sun, 12 Nov 2023 15:02:27 +0000
with message-id <e1r2byl-006q6j...@fasolo.debian.org>
and subject line Bug#1028475: fixed in glib2.0 2.66.8-1+deb11u1
has caused the Debian Bug report #1028475,
regarding Backport recent GVariant security fixes to bullseye
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1028475: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028475
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: glib2.0
Version: 2.66.8-1
Tags: security
Are there plans to backport the recent GVariant security fixes to
Debian Stable?
These are:
- https://gitlab.gnome.org/GNOME/glib/-/issues/2782
- https://gitlab.gnome.org/GNOME/glib/-/issues/2121
- https://gitlab.gnome.org/GNOME/glib/-/issues/2540
- https://gitlab.gnome.org/GNOME/glib/-/issues/2794
- https://gitlab.gnome.org/GNOME/glib/-/issues/2797
- https://gitlab.gnome.org/GNOME/glib/-/issues/2840
- https://gitlab.gnome.org/GNOME/glib/-/issues/2841
In addition, these two issues have highly related fixes (which it’s
probably easiest to backport in the same tranche), but they are not
security issues:
- https://gitlab.gnome.org/GNOME/glib/-/issues/2612
- https://gitlab.gnome.org/GNOME/glib/-/issues/2839
Apologies if a decision has been deliberately taken to not backport
them, I don’t fully understand the criteria for what gets backported.
---
There are two sets of risks in these issues:
1. Denial of service caused by handling a malicious serialised variant
which is structured to cause allocations or looping superlinear to its
serialised size. Applications are at risk if they accept untrusted
serialised variants by checking them with g_variant_get_normal_form()
(or don’t check them). Applications which reject variants with
g_variant_is_normal_form() first are not vulnerable. In order to be
exploitable, the variant must have a dynamically typed component in it
(i.e. a `v` type somewhere). This is typically as part of an `a{sv}`.
2. Denial of service caused by handling a malicious text-form variant
which is structured to cause looping superlinear to its text size.
Applications are at risk if they parse untrusted text-form variants.
Scenario 2 is much less likely than scenario 1, as the GVariant text-form
parser is not documented as suitable for use on untrusted input.
Scenario 1 is likely because g_variant_get_normal_form() *is*
documented as being safe to use on untrusted input.
Issue #2840 documents a heap buffer overflow, but this vulnerability
was introduced as part of the fixes for the above two scenarios, so
GLib is only vulnerable to the overflow if an incomplete set of patches
are backported.
---
I have a set of backport commits for this for GLib 2.70.4, which we are
using in Endless OS. At a quick glance, these commits should also be
most of the work needed for backporting to 2.66.8 in Debian Stable. I
am happy to help out with this if that’s useful.
Philip
--- End Message ---
--- Begin Message ---
Source: glib2.0
Source-Version: 2.66.8-1+deb11u1
Done: Simon McVittie <s...@debian.org>
We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1028...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated glib2.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 30 Sep 2023 14:25:23 +0100
Source: glib2.0
Architecture: source
Version: 2.66.8-1+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Closes: 1028475
Changes:
glib2.0 (2.66.8-1+deb11u1) bullseye; urgency=medium
.
* d/patches: Update to upstream commit 2.66.8-1-g284b7eb7f
- Update Croatian translation
* d/patches: Backport GVariant denial-of-service fixes from 2.74.x
(Closes: #1028475)
- d/p/gvariant-parser-Reject-deeply-nested-typedecls-in-text-fo.patch:
Reject excessively nested type declarations to prevent a possible
denial-of-service if applications parse an untrusted GVariant in
its text form (glib#2782, oss-fuzz#49462)
- d/p/gvariant-parser-Speed-up-maybe_wrapper-by-an-order-of-mag.patch:
Speed up processing of deeply nested "maybe" types when parsing a
GVariant in text form (glib#2782, oss-fuzz#20177, oss-fuzz#49462)
- d/p/gvariant-core-Consolidate-construction-of-GVariantSeriali.patch,
d/p/gvariant-serialiser-Factor-out-functions-for-dealing-with.patch,
d/p/gvariant-Zero-initialise-various-GVariantSerialised-objec.patch,
d/p/gvariant-Don-t-allow-child-elements-to-overlap-with-each-.patch,
d/p/gvariant-serialiser-Factor-out-code-to-get-bounds-of-a-tu.patch,
d/p/gvariant-serialiser-Rework-child-size-calculation.patch,
d/p/gvariant-Don-t-allow-child-elements-of-a-tuple-to-overlap.patch,
d/p/gvariant-Track-checked-and-ordered-offsets-independently.patch,
d/p/tests-Add-another-test-for-overlapping-offsets-in-GVarian.patch,
d/p/tests-Disable-some-random-instance-tests-of-GVariants.patch,
d/p/gvariant-Clarify-the-docs-for-g_variant_get_normal_form.patch,
d/p/gvariant-Port-g_variant_deep_copy-to-count-its-iterations.patch,
d/p/gvariant-Add-internal-g_variant_maybe_get_child_value.patch,
d/p/gvariant-Cut-allocs-of-default-values-for-children-of-non.patch,
d/p/gvariant-Fix-a-leak-of-a-GVariantTypeInfo-on-an-error-han.patch,
d/p/gvariant-serialiser-Check-offset-table-entry-size-is-mini.patch,
d/p/gvariant-Fix-g_variant_byteswap-returning-non-normal-data.patch,
d/p/gvariant-Allow-g_variant_byteswap-to-operate-on-tree-form.patch:
Fix handling of GVariant normal forms, to avoid non-linear processing
time, which can be a denial of service if parsing an untrusted
GVariant in its binary form
(glib#2121, glib#2540, glib#2794, glib#2797;
CVE-2023-32665, CVE-2023-32611, CVE-2023-29499)
- d/p/gvariant-serialiser-Convert-endianness-of-offsets.patch:
Fix a regression causing a crash on big-endian architectures after
the above fixes (glib#2839)
- d/p/gvariant-Check-offset-table-doesn-t-fall-outside-variant-.patch:
Fix a buffer overflow after the above fixes
(glib#2840, CVE-2023-32643, oss-fuzz#54302)
- d/p/gvariant-Propagate-trust-when-getting-a-child-of-a-serial.patch:
Fix a non-linear processing time (denial of service) for GVariant in
its binary form after the above fixes
(glib#2841, CVE-2023-32636, oss-fuzz#54314)
- d/p/gvariant-Factor-out-some-common-calls-to-g_variant_get_ty.patch,
d/p/gvariant-Optimise-g_variant_print-for-nested-maybes.patch,
d/p/gvariant-Remove-redundant-g_variant_serialised_n_children.patch,
d/p/gvariant-Remove-some-unnecessary-type-assertions-on-a-hot.patch:
Fix slow parsing of GVariant in its text form
(glib#2862, oss-fuzz#54577)
* Backport additional GVariant fixes from 2.74.x.
This results in glib/gvariant* having the same code in Debian 11 and 12
(when comments and inclusion of a private header for the internal
backport of g_memdup2() are disregarded), which seems less likely to
create regressions than backporting only the security fixes.
- d/p/gvariant-Clarify-operator-precedence.patch:
Reassure static analyzers that the precedence is as we intend it to be.
Originally in 2.67.2.
- d/p/Explain-magic-literals-in-G_VARIANT_-_INIT.patch:
Add comments explaining some "magic numbers" in initializers.
Originally in 2.67.2.
- d/p/Fix-non-initialized-variable-in-glib-gvariant-parser.c.patch:
Make sure an "out" parameter always gets initialized.
Originally in 2.71.3.
- d/p/gvariant-serialiser-Prevent-unbounded-recursion-in-is_nor.patch:
Prevent unbounded recursion when validating variants (glib#2572).
Originally in 2.71.1, and possibly a denial-of-service fix.
- d/p/gvariant-Fix-memory-leak-on-a-TYPE_CHECK-failure.patch:
Avoid a memory leak after a programming error. Originally in 2.71.0.
- d/p/gvariant-Fix-pointers-being-dereferenced-despite-NULL-che.patch:
Make it more obvious that NULL dereferences are avoided.
Originally in 2.71.0.
- d/p/Do-not-use-ensure_valid_-call-in-g_return_-macro.patch:
Ensure function calls with side-effects always happen, even if
checks are disabled (not relevant in Debian, we enable checks).
Originally in 2.71.3.
- d/p/gvariant-Factor-out-type-check.patch:
Help static analyzers to understand a code path. Originally in 2.73.0.
- d/p/gvariant-Zero-initialise-GVariantBuilder-children-under-s.patch:
Avoid a static analyzer false-positive. Originally in 2.73.1.
* d/p/Exclude-g_variant_maybe_get_child_value-from-API-document.patch:
Add patch to fix a failing documentation check which caused FTBFS, by
excluding an internal function from API documentation processing.
No functional change, only comments are affected.
Checksums-Sha1:
da9a73f985ab5d77eb50beefe5842d36815d6587 3426 glib2.0_2.66.8-1+deb11u1.dsc
db48359114bf812f4a7ec7e8fe4b24e3515b1f2d 170400 glib2.0_2.66.8-1+deb11u1.debian.tar.xz
f83658a8547f542db9a49ce577747df28988b9b9 8420 glib2.0_2.66.8-1+deb11u1_source.buildinfo
Checksums-Sha256:
b678c1ca95ef44c920f9bd99ad20a4ce7591c1f3435ed34c44b28690b8531c99 3426 glib2.0_2.66.8-1+deb11u1.dsc
fc6f47587a21f470d89ee0348dbcfcfeddffb479c5c609ca06d43116623d878b 170400 glib2.0_2.66.8-1+deb11u1.debian.tar.xz
20563804a10a7ffc2873fbba68c363a02140f92a688da634000553dbc0b7f653 8420 glib2.0_2.66.8-1+deb11u1_source.buildinfo
Files:
aab1c75f0239cad83620f3a5d4f90b83 3426 libs optional glib2.0_2.66.8-1+deb11u1.dsc
af6eccc23d618efc7b46183f9cdc0333 170400 libs optional glib2.0_2.66.8-1+deb11u1.debian.tar.xz
abbd68d55d986d627f7eeb0e1fce7fce 8420 libs optional glib2.0_2.66.8-1+deb11u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---