diff --git a/backport-CVE-2021-27218.patch b/backport-CVE-2021-27218.patch new file mode 100644 index 0000000000000000000000000000000000000000..86f4cdb1c9bb6f7ed10dda6d4babbaea483079a3 --- /dev/null +++ b/backport-CVE-2021-27218.patch @@ -0,0 +1,60 @@ +From acb7b0ec69f26a7df10af3992359890b09f076e8 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Wed, 10 Feb 2021 23:51:07 +0100 +Subject: [PATCH] gbytearray: Do not accept too large byte arrays + +GByteArray uses guint for storing the length of the byte array, but it +also has a constructor (g_byte_array_new_take) that takes length as a +gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits +for guint). It is possible to call the function with a value greater +than G_MAXUINT, which will result in silent length truncation. This +may happen as a result of unreffing GBytes into GByteArray, so rather +be loud about it. + +(Test case tweaked by Philip Withnall.) +--- + glib/garray.c | 6 ++++++ + glib/gbytes.c | 4 ++++ + 2 files changed, 10 insertions(+) + +diff --git a/glib/garray.c b/glib/garray.c +index de720210c..2b66f16a6 100644 +--- a/glib/garray.c ++++ b/glib/garray.c +@@ -2261,6 +2261,10 @@ g_byte_array_steal (GByteArray *array, + * Create byte array containing the data. The data will be owned by the array + * and will be freed with g_free(), i.e. it could be allocated using g_strdup(). + * ++ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray ++ * stores the length of its data in #guint, which may be shorter than ++ * #gsize. ++ * + * Since: 2.32 + * + * Returns: (transfer full): a new #GByteArray +@@ -2272,6 +2276,8 @@ g_byte_array_new_take (guint8 *data, + GByteArray *array; + GRealArray *real; + ++ g_return_val_if_fail (len <= G_MAXUINT, NULL); ++ + array = g_byte_array_new (); + real = (GRealArray *)array; + g_assert (real->data == NULL); +diff --git a/glib/gbytes.c b/glib/gbytes.c +index 00fd79155..aaadf451b 100644 +--- a/glib/gbytes.c ++++ b/glib/gbytes.c +@@ -519,6 +519,10 @@ g_bytes_unref_to_data (GBytes *bytes, + * g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes(). In all + * other cases the data is copied. + * ++ * Do not use it if @bytes contains more than %G_MAXUINT ++ * bytes. #GByteArray stores the length of its data in #guint, which ++ * may be shorter than #gsize, that @bytes is using. ++ * + * Returns: (transfer full): a new mutable #GByteArray containing the same byte data + * + * Since: 2.32 +-- +GitLab diff --git a/glib2.spec b/glib2.spec index a4ddd575ea98840b537d8ce8f3d962bea54ff1d9..5dbe3be7cbd70e0a70bb43a66ec5b18c61b34183 100644 --- a/glib2.spec +++ b/glib2.spec @@ -1,6 +1,6 @@ Name: glib2 Version: 2.62.5 -Release: 2 +Release: 3 Summary: The core library that forms the basis for projects such as GTK+ and GNOME License: LGPLv2+ URL: http://www.gtk.org @@ -8,6 +8,7 @@ Source0: http://download.gnome.org/sources/glib/2.62/glib-%{version}.tar. Patch9001: fix-accidentally-delete-temp-file-within-dtrace.patch Patch6000: backport-CVE-2020-35457.patch +Patch6001: backport-CVE-2021-27218.patch BuildRequires: chrpath gcc gcc-c++ gettext gtk-doc perl-interpreter BUildRequires: glibc-devel libattr-devel libselinux-devel meson @@ -144,6 +145,12 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %doc %{_datadir}/gtk-doc/html/* %changelog +* Mon Mar 1 2021 jinzhimin - 2.62.5-3 +- Type:cve +- Id:CVE-2021-27218 +- SUG:NA +- DESC:fix CVE-2021-27218 + * Sat Feb 27 2021 zhujunhao - 2.62.5-2 - Type:cve - Id:CVE-2020-35457