Draft: [Debian 11] d/patches: Backport GVariant denial-of-service fixes from 2.74.x

Closed Simon McVittie requested to merge wip/bullseye-bug1028475 into debian/bullseye
1 unresolved thread

Closes: #1028475

Merge request reports

Closed by Simon McVittie 1 year ago (Jan 11, 2024 2:49pm UTC)

Activity

31 d/p/gvariant-Allow-g_variant_byteswap-to-operate-on-tree-form.patch:
32 Fix handling of GVariant normal forms, to avoid non-linear processing
33 time, which can be a denial of service if parsing an untrusted
34 GVariant in its binary form
35 (glib#2121, glib#2540, glib#2794, glib#2797;
36 CVE-2023-32665, CVE-2023-32611, CVE-2023-29499)
37 - d/p/gvariant-serialiser-Convert-endianness-of-offsets.patch:
38 Fix a regression causing a crash on big-endian architectures after
39 the above fixes (glib#2839)
40 - d/p/gvariant-Check-offset-table-doesn-t-fall-outside-variant-.patch:
41 Fix a buffer overflow after the above fixes
42 (glib#2840, CVE-2023-32643, oss-fuzz#54302)
43 - d/p/gvariant-Propagate-trust-when-getting-a-child-of-a-serial.patch:
44 Fix a non-linear processing time (denial of service) for GVariant in
45 its binary form after the above fixes
46 (glib#2841, CVE-2023-32636, oss-fuzz#54314)
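Review bot: the entries at lines 42 and 46 cite CVE-2023-32643 and CVE-2023-32636 in the same form as the three CVEs at line 36, and the words "after the above fixes" are the only hint that these two are regressions introduced by the initial upstream fixes rather than vulnerabilities present in the version of glib already in bullseye; anyone reading the changelog entry in isolation, or an automated CVE-to-changelog matcher, could record bullseye as having been affected by them. Consider stating that explicitly, e.g. "Fix a buffer overflow introduced by the above fixes (regression in the upstream fix; never shipped in bullseye)" for the glib#2840 entry and the same qualification for the glib#2841 entry, or a single sentence at the top of the entry saying that the last two CVEs are regressions in the intermediate upstream fixes that this backport deliberately does not carry.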
  • Comment on lines +42 to +46

    @carnil could confirm, not sure if it matters for a(n old)stable point release, but I understand CVE-2023-32643 and CVE-2023-32636 shouldn't be mentioned in d/changelog, since they did not affect the current version in bullseye.

  • Author Maintainer

    They're regressions caused by an incorrect initial version of the fixes for CVE-2023-32665, CVE-2023-32611 and/or CVE-2023-29499; so, yes, they never affected bullseye, and never will if we take this update (rather than some other backport).

    I thought it was better to mention them in the changelog than not, to be clear that this is not an incomplete backport with only the initial fixes for CVE-2023-32665, CVE-2023-32611 and CVE-2023-29499 (which would have introduced the new vulns CVE-2023-32643 and CVE-2023-32636).

  • Right, the CVEs do not apply, and this is also how we will track them in the security-tracker itself (as no incomplete fix was applied in a released version; cf. also security-tracker-team/security-tracker@f343708c).

  • Author Maintainer

    I agree that if we take this update, CVE-2023-32643 and CVE-2023-32636 will never have affected bullseye.

    Do you require me to remove references to those CVEs from the changelog, or is it OK to keep it as-is?

    I thought that the information "I have made sure to fix CVE-2023-32665, CVE-2023-32611 and CVE-2023-29499 without introducing CVE-2023-32643 and CVE-2023-32636" was a useful thing for the changelog to say, so if the security team is not vetoing the version proposed here, I would prefer to upload it as-is.

  • @smcv, sorry for the late reply.

    I believe we can keep this verbose information in the changelog. I just wanted to clarify how we are tracking it from the security-tracker point of view. So no, there is no requirement to remove that information.

  • Author Maintainer

    2.66.8-1+deb11u1 is queued in bullseye-proposed-updates.

  • closed
