From 2ed5d7c685f042926264614c08c002b173e1c702 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=AE=81=E6=9D=B0?= Date: Tue, 12 Nov 2024 02:26:53 +0000 Subject: [PATCH] Fix CVE-2024-52533 (cherry picked from commit c9e7a0941323c46f4433caa781fb17b4bc2e4691) --- backport-CVE-2024-52533.patch | 44 +++++++++++++++++++++++++++++++++++ glib2.spec | 6 ++++- 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-52533.patch diff --git a/backport-CVE-2024-52533.patch b/backport-CVE-2024-52533.patch new file mode 100644 index 0000000..661c43c --- /dev/null +++ b/backport-CVE-2024-52533.patch @@ -0,0 +1,44 @@ +From 25833cefda24c60af913d6f2d532b5afd608b821 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 19 Sep 2024 18:35:53 +0100 +Subject: [PATCH] gsocks4aproxy: Fix a single byte buffer overflow in connect + messages + +`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul +byte in the connect message, which is an addition in SOCKSv4a vs +SOCKSv4. + +This means that the buffer for building and transmitting the connect +message could be overflowed if the username and hostname are both +`SOCKS4_MAX_LEN` (255) bytes long. + +Proxy configurations are normally statically configured, so the username +is very unlikely to be near its maximum length, and hence this overflow +is unlikely to be triggered in practice. + +(Commit message by Philip Withnall, diagnosis and fix by Michael +Catanzaro.) + +Fixes: #3461 +--- + gio/gsocks4aproxy.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c +index 3dad118eb7..b3146d08fd 100644 +--- a/gio/gsocks4aproxy.c ++++ b/gio/gsocks4aproxy.c +@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy) + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ + * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL | + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ +- * 1 1 2 4 variable 1 variable ++ * 1 1 2 4 variable 1 variable 1 + */ +-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2) ++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2) + static gint + set_connect_msg (guint8 *msg, + const gchar *hostname, +-- +GitLab diff --git a/glib2.spec b/glib2.spec index 8ce9ea8..112581e 100644 --- a/glib2.spec +++ b/glib2.spec @@ -1,6 +1,6 @@ Name: glib2 Version: 2.78.6 -Release: 3 +Release: 4 Summary: The core library that forms the basis for projects such as GTK+ and GNOME License: LGPL-2.1-or-later URL: https://www.gtk.org @@ -10,6 +10,7 @@ Patch1: gspawn-eperm.patch Patch2: backport-gutils-Fix-an-unlikely-minor-leak-in-g_build_user_data_dir.patch Patch3: gio-fix-filesystem-type-ext-err.patch Patch4: Correct-translation-information.patch +Patch5: backport-CVE-2024-52533.patch BuildRequires: gcc gettext BuildRequires: meson >= 0.60.0 @@ -192,6 +193,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %doc %{_datadir}/gtk-doc/html/* %changelog +* Tue Nov 12 2024 liningjie - 2.78.6-4 +- Fix CVE-2024-52533 + * Thu Oct 24 2024 GuoCe - 2.78.6-3 - Correct translation information -- Gitee