From 2bd0532f279306ecc89107cc64114978253778da Mon Sep 17 00:00:00 2001
From: jzm369
Date: Wed, 3 Mar 2021 19:07:04 +0800
Subject: [PATCH] fix CVE-2021-27218
---
 backport-CVE-2021-27218.patch | 60 +++++++++++++++++++++++++++++++++++
 glib2.spec | 6 +++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-27218.patch
diff --git a/backport-CVE-2021-27218.patch b/backport-CVE-2021-27218.patch
new file mode 100644
index 0000000..86f4cdb
--- /dev/null
+++ b/backport-CVE-2021-27218.patch
@@ -0,0 +1,60 @@
+From acb7b0ec69f26a7df10af3992359890b09f076e8 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak
+Date: Wed, 10 Feb 2021 23:51:07 +0100
+Subject: [PATCH] gbytearray: Do not accept too large byte arrays
+
+GByteArray uses guint for storing the length of the byte array, but it
+also has a constructor (g_byte_array_new_take) that takes length as a
+gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits
+for guint). It is possible to call the function with a value greater
+than G_MAXUINT, which will result in silent length truncation. This
+may happen as a result of unreffing GBytes into GByteArray, so rather
+be loud about it.
+
+(Test case tweaked by Philip Withnall.)
+---
+ glib/garray.c | 6 ++++++
+ glib/gbytes.c | 4 ++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/glib/garray.c b/glib/garray.c
+index de720210c..2b66f16a6 100644
+--- a/glib/garray.c
++++ b/glib/garray.c
+@@ -2261,6 +2261,10 @@ g_byte_array_steal (GByteArray *array,
+ * Create byte array containing the data. The data will be owned by the array
+ * and will be freed with g_free(), i.e. it could be allocated using g_strdup().
+ *
++ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray
++ * stores the length of its data in #guint, which may be shorter than
++ * #gsize.
++ *
+ * Since: 2.32
+ *
+ * Returns: (transfer full): a new #GByteArray
+@@ -2272,6 +2276,8 @@ g_byte_array_new_take (guint8 *data,
+ GByteArray *array;
+ GRealArray *real;
+
++ g_return_val_if_fail (len <= G_MAXUINT, NULL);
++
+ array = g_byte_array_new ();
+ real = (GRealArray *)array;
+ g_assert (real->data == NULL);
+diff --git a/glib/gbytes.c b/glib/gbytes.c
+index 00fd79155..aaadf451b 100644
+--- a/glib/gbytes.c
++++ b/glib/gbytes.c
+@@ -519,6 +519,10 @@ g_bytes_unref_to_data (GBytes *bytes,
+ * g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes(). In all
+ * other cases the data is copied.
+ *
++ * Do not use it if @bytes contains more than %G_MAXUINT
++ * bytes.
#GByteArray stores the length of its data in #guint, which
++ * may be shorter than #gsize, that @bytes is using.
++ *
+ * Returns: (transfer full): a new mutable #GByteArray containing the same byte data
+ *
+ * Since: 2.32
+-- 
+GitLab
diff --git a/glib2.spec b/glib2.spec
index 16bd32c..e9f819a 100644
--- a/glib2.spec
+++ b/glib2.spec
@@ -1,6 +1,6 @@
 Name: glib2
 Version: 2.62.5
-Release: 4
+Release: 5
 Summary: The core library that forms the basis for projects such as GTK+ and GNOME
 License: LGPLv2+
 URL: http://www.gtk.org
@@ -28,6 +28,7 @@ Patch6017: backport-gsocketclient-return-best-errors-possible.patch
 Patch6018: backport-gsignal-Plug-g-signal-connect-object-leak.patch
 Patch6019: backport-Fix-the-6-days-until-the-end-of-the-month-bug.patch
 Patch6020: backport-gsocketclient-fix-crash-when-async-connectio-step-fails.patch
+Patch6021: backport-CVE-2021-27218.patch
 BuildRequires: chrpath gcc gcc-c++ gettext perl-interpreter
 %ifnarch i686
@@ -198,6 +199,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %endif
 %changelog
+* Wed Mar 03 2021 jinzhimin - 2.62.5-5
+- fix CVE-2021-27218
+
 * Thu Feb 18 2021 jinzhimin - 2.62.5-4
 - round community patches
-- 
Gitee
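Review bot: In the embedded garray.c hunk, `g_return_val_if_fail (len <= G_MAXUINT, NULL);` returns %NULL before @data is stored, so the (transfer full) buffer is neither freed nor handed back, yet the added doc only says "Do not use it"; the Returns line should spell this out, e.g. ` * Returns: (transfer full): a new #GByteArray, or %NULL if @len is greater than %G_MAXUINT (in which case @data is not taken over and still belongs to the caller)`. Because g_return_val_if_fail() is a precondition macro that is compiled out when G_DISABLE_CHECKS is defined, this rejects caller misuse rather than hardening the truncation path itself, so callers such as g_bytes_unref_to_array() (whose body lies outside the hunk) should not rely on it alone. The backported message still says "(Test case tweaked by Philip Withnall.)" while its diffstat lists only glib/garray.c and glib/gbytes.c, so the test change was dropped; either carry it into the backport or note the omission in the backport header. The bodies of g_byte_array_new_take() and g_bytes_unref_to_array() start and end outside this hunk.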