diff --git a/backport-CVE-2020-35457.patch b/backport-CVE-2020-35457.patch
new file mode 100644
index 0000000000000000000000000000000000000000..66b1b281e638f2653e62fdedc742ebf4fbcfecf6
--- /dev/null
+++ b/backport-CVE-2020-35457.patch
@@ -0,0 +1,36 @@
+From 63c5b62f0a984fac9a9700b12f54fe878e016a5d Mon Sep 17 00:00:00 2001
+From: Philip Withnall
+Date: Wed, 2 Sep 2020 12:38:09 +0100
+Subject: [PATCH] goption: Add a precondition to avoid GOptionEntry list
+ overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+reason:Add a precondition to avoid GOptionEntry list overflow
+Conflict:NA
+Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/63c5b62f0a984fac9a9700b12f54fe878e016a5d
+
+Signed-off-by: Philip Withnall
+
+Fixes: #2197
+---
+ glib/goption.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/glib/goption.c b/glib/goption.c
+index 9f5b977c4..bb9093a33 100644
+--- a/glib/goption.c
++++ b/glib/goption.c
+@@ -2422,6 +2422,8 @@ g_option_group_add_entries (GOptionGroup *group,
+
+ for (n_entries = 0; entries[n_entries].long_name != NULL; n_entries++) ;
+
++ g_return_if_fail (n_entries <= G_MAXSIZE - group->n_entries);
++
+ group->entries = g_renew (GOptionEntry, group->entries, group->n_entries + n_entries);
+
+ /* group->entries could be NULL in the trivial case where we add no
+--
+GitLab
+
diff --git a/backport-CVE-2021-27218.patch b/backport-CVE-2021-27218.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8fcf8d16e3bcfa5b145322a994e4f42aa454bfcd
--- /dev/null
+++ b/backport-CVE-2021-27218.patch
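Review bot: The precondition added before the `g_renew` call, `g_return_if_fail (n_entries <= G_MAXSIZE - group->n_entries);`, is a runtime check that GLib compiles out entirely when the library is built with `G_DISABLE_CHECKS`, so on such a build this backport leaves the `group->n_entries + n_entries` size computation exactly as unguarded as before. That matches upstream, but a line in the patch header (for example after `Conflict:NA`) stating that the fix depends on precondition checks being enabled in this package's build would save the next maintainer from assuming the overflow is closed unconditionally. The check only guards the addition; the multiplication by `sizeof (GOptionEntry)` happens inside `g_renew`, which I believe carries its own overflow check, but that code is outside the hunk. The enclosing function `g_option_group_add_entries` starts and ends outside the hunk.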
@@ -0,0 +1,130 @@
+From 0f384c88a241bbbd884487b1c40b7b75f1e638d3 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak
+Date: Wed, 10 Feb 2021 23:51:07 +0100
+Subject: [PATCH] gbytearray: Do not accept too large byte arrays
+
+GByteArray uses guint for storing the length of the byte array, but it
+also has a constructor (g_byte_array_new_take) that takes length as a
+gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits
+for guint). It is possible to call the function with a value greater
+than G_MAXUINT, which will result in silent length truncation. This
+may happen as a result of unreffing GBytes into GByteArray, so rather
+be loud about it.
+
+(Test case tweaked by Philip Withnall.)
+
+(Backport 2.66: Add #include gstrfuncsprivate.h in the test case for
+`g_memdup2()`.)
+
+---
+ glib/garray.c | 6 ++++++
+ glib/gbytes.c | 4 ++++
+ glib/tests/bytes.c | 35 ++++++++++++++++++++++++++++++++++-
+ 3 files changed, 44 insertions(+), 1 deletion(-)
+
+diff --git a/glib/garray.c b/glib/garray.c
+index 38f64b8..d303946 100644
+--- a/glib/garray.c
++++ b/glib/garray.c
+@@ -2010,6 +2010,10 @@ g_byte_array_new (void)
+ * Create byte array containing the data. The data will be owned by the array
+ * and will be freed with g_free(), i.e. it could be allocated using g_strdup().
+ *
++ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray
++ * stores the length of its data in #guint, which may be shorter than
++ * #gsize.
++ *
+ * Since: 2.32
+ *
+ * Returns: (transfer full): a new #GByteArray
+@@ -2021,6 +2025,8 @@ g_byte_array_new_take (guint8 *data,
+ GByteArray *array;
+ GRealArray *real;
+
++ g_return_val_if_fail (len <= G_MAXUINT, NULL);
++
+ array = g_byte_array_new ();
+ real = (GRealArray *)array;
+ g_assert (real->data == NULL);
+diff --git a/glib/gbytes.c b/glib/gbytes.c
+index 7b72886..d56abe6 100644
+--- a/glib/gbytes.c
++++ b/glib/gbytes.c
+@@ -519,6 +519,10 @@ g_bytes_unref_to_data (GBytes *bytes,
+ * g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes(). In all
+ * other cases the data is copied.
+ *
++ * Do not use it if @bytes contains more than %G_MAXUINT
++ * bytes. #GByteArray stores the length of its data in #guint, which
++ * may be shorter than #gsize, that @bytes is using.
++ *
+ * Returns: (transfer full): a new mutable #GByteArray containing the same byte data
+ *
+ * Since: 2.32
+diff --git a/glib/tests/bytes.c b/glib/tests/bytes.c
+index 5ea5c2b..453454b 100644
+--- a/glib/tests/bytes.c
++++ b/glib/tests/bytes.c
+@@ -10,12 +10,12 @@
+ */
+
+ #undef G_DISABLE_ASSERT
+-#undef G_LOG_DOMAIN
+
+ #include
+ #include
+ #include
+ #include "glib.h"
+
+ /* Keep in sync with glib/gbytes.c */
+ struct _GBytes
+@@ -333,6 +333,38 @@ test_to_array_transferred (void)
+ g_byte_array_unref (array);
+ }
+
++static void
++test_to_array_transferred_oversize (void)
++{
++ g_test_message ("g_bytes_unref_to_array() can only take GBytes up to "
++ "G_MAXUINT in length; test that longer ones are rejected");
++
++ if (sizeof (guint) >= sizeof (gsize))
++ {
++ g_test_skip ("Skipping test as guint is not smaller than gsize");
++ }
++ else if (g_test_undefined ())
++ {
++ GByteArray *array = NULL;
++ GBytes *bytes = NULL;
++ gpointer data = g_memdup2 (NYAN, N_NYAN);
++ gsize len = ((gsize) G_MAXUINT) + 1;
++
++ bytes = g_bytes_new_take (data, len);
++ g_test_expect_message (G_LOG_DOMAIN, G_LOG_LEVEL_CRITICAL,
++ "g_byte_array_new_take: assertion 'len <= G_MAXUINT' failed");
++ array = g_bytes_unref_to_array (g_steal_pointer (&bytes));
++ g_test_assert_expected_messages ();
++ g_assert_null (array);
++
++ g_free (data);
++ }
++ else
++ {
++ g_test_skip ("Skipping test as testing undefined behaviour is disabled");
++ }
++}
++
+ static void
+ test_to_array_two_refs (void)
+ {
+@@ -408,6 +440,7 @@ main (int argc, char *argv[])
+ g_test_add_func ("/bytes/to-data/two-refs", test_to_data_two_refs);
+ g_test_add_func ("/bytes/to-data/non-malloc", test_to_data_non_malloc);
+ g_test_add_func ("/bytes/to-array/transfered", test_to_array_transferred);
++ g_test_add_func ("/bytes/to-array/transferred/oversize", test_to_array_transferred_oversize);
+ g_test_add_func ("/bytes/to-array/two-refs", test_to_array_two_refs);
+ g_test_add_func ("/bytes/to-array/non-malloc", test_to_array_non_malloc);
+ g_test_add_func ("/bytes/null", test_null);
+--
+2.23.0
+
diff --git a/glib2.spec b/glib2.spec
index e63c4e4640774bd76fe88bb67d21df5e70597dea..9bc253f80891d76fdbf310328f4cadf3c56d64d4 100644
--- a/glib2.spec
+++ b/glib2.spec
@@ -1,11 +1,14 @@
 Name: glib2
 Version: 2.62.5
-Release: 1
+Release: 2
 Summary: The core library that forms the basis for projects such as GTK+ and GNOME
 License: LGPLv2+
 URL: http://www.gtk.org
 Source0: http://download.gnome.org/sources/glib/2.62/glib-%{version}.tar.xz
+Patch0001: backport-CVE-2021-27218.patch
+Patch0002: backport-CVE-2020-35457.patch
+
 Patch9001: fix-accidentally-delete-temp-file-within-dtrace.patch
 BuildRequires: chrpath gcc gcc-c++ gettext gtk-doc perl-interpreter
@@ -143,6 +146,12 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %doc %{_datadir}/gtk-doc/html/*
 %changelog
+* Sat Feb 27 2021 wangye - 2.62.5-2
+- Type:CVE
+- Id:NA
+- SUG:NA
+- DESC:fix CVE-2021-27218 CVE-2020-35457
+
 * Thu Jul 21 2020 hanhui - 2.62.5-1
 - Update to 2.62.5
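Review bot: The new test `test_to_array_transferred_oversize` calls `g_memdup2 (NYAN, N_NYAN)`, and the patch header says the 2.66 backport added `#include "gstrfuncsprivate.h"` to the test for it, yet the only change visible in the `@@ -10,12 +10,12 @@` hunk of glib/tests/bytes.c is the `-#undef G_LOG_DOMAIN` removal; the hunk counts imply one added line that is not shown here, so I cannot confirm the include survived this backport. More importantly, the glib2.spec hunk in this commit registers no patch that introduces `g_memdup2()` (upstream it arrived with the CVE-2021-27219 fix, not with this one), so unless the 2.62.5 tree already carries that helper, the test program will fail to build with an undeclared function. If backporting the helper is out of scope, the test could use the long-standing API instead, `gpointer data = g_memdup (NYAN, N_NYAN);`, assuming `N_NYAN` is the small fixture size its name suggests. Note also that the test only exercises the new `g_return_val_if_fail (len <= G_MAXUINT, NULL);` precondition when `g_test_undefined ()` is true and `guint` is narrower than `gsize`; on other configurations it is skipped, not passed.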