From 993ea53edf9fb927df0c23b67eaf38e810cdaa44 Mon Sep 17 00:00:00 2001
From: abushwang
Date: Mon, 18 Nov 2024 10:06:52 +0800
Subject: [PATCH] fix CVE-2024-52533

Signed-off-by: abushwang
---
 ...x-a-single-byte-buffer-overflow-in-c.patch | 45 +++++++++++++++++++
 glib2.spec | 7 ++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-52533-gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-c.patch

diff --git a/CVE-2024-52533-gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-c.patch b/CVE-2024-52533-gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-c.patch
new file mode 100644
index 0000000..81b77b4
--- /dev/null
+++ b/CVE-2024-52533-gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-c.patch
@@ -0,0 +1,45 @@
+From ec0b708b981af77fef8e4bbb603cde4de4cd2e29 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Thu, 19 Sep 2024 18:35:53 +0100
+Subject: [PATCH] gsocks4aproxy: Fix a single byte buffer overflow in connect
+ messages
+
+`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
+byte in the connect message, which is an addition in SOCKSv4a vs
+SOCKSv4.
+
+This means that the buffer for building and transmitting the connect
+message could be overflowed if the username and hostname are both
+`SOCKS4_MAX_LEN` (255) bytes long.
+
+Proxy configurations are normally statically configured, so the username
+is very unlikely to be near its maximum length, and hence this overflow
+is unlikely to be triggered in practice.
+
+(Commit message by Philip Withnall, diagnosis and fix by Michael
+Catanzaro.)
+
+Fixes: #3461
+---
+ gio/gsocks4aproxy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c
+index 3dad118eb..b3146d08f 100644
+--- a/gio/gsocks4aproxy.c
++++ b/gio/gsocks4aproxy.c
+@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy)
+  * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+  * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL |
+  * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+- * 1 1 2 4 variable 1 variable
++ * 1 1 2 4 variable 1 variable 1
+  */
+-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2)
++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2)
+ static gint
+ set_connect_msg (guint8 *msg,
+ const gchar *hostname,
+--
+2.39.3
+
diff --git a/glib2.spec b/glib2.spec
index 9a29a20..628634f 100644
--- a/glib2.spec
+++ b/glib2.spec
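Review bot: The corrected `SOCKS4_CONN_MSG_LEN` (`10 + SOCKS4_MAX_LEN * 2`) leaves the `10` explained only by the ASCII table above it; anyone verifying this backport can check it as the fixed fields 1 (VN) + 1 (CD) + 2 (DSTPORT) + 4 (DSTIP) + 1 (NUL after USERID) + 1 (NUL after HOST), the last of which the old `9` omitted. This file is a verbatim copy of upstream commit ec0b708b981af77fef8e4bbb603cde4de4cd2e29, so it should stay unmodified rather than gaining a local comment. The macro only sizes the message buffer; the code that bounds username and hostname to `SOCKS4_MAX_LEN` before `set_connect_msg` assembles the message is outside this hunk, so confirm on the 2.78.3 tree that the nested hunk applies at the expected location and that those bounds are still in place.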
@@ -3,12 +3,14 @@
 Summary: A low-level core library forms the basis for projects such as GTK and GNOME.
 Name: glib2
 Version: 2.78.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: LGPLv2+
 URL: https://docs.gtk.org/glib/
 Source0: https://download.gnome.org/sources/glib/%{url_ver}/glib-%{version}.tar.xz
 Source1: glib-run-installed-tests

+Patch0001: CVE-2024-52533-gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-c.patch
+
 BuildRequires: gcc, gcc-c++, meson, perl-interpreter
 BuildRequires: gettext, xsltproc, docbook-xsl, gtk-doc
 BuildRequires: glibc-devel, libattr-devel, libselinux-devel, systemtap-sdt-devel, python3-devel
@@ -187,6 +189,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %{_datadir}/installed-tests

 %changelog
+* Mon Nov 18 2024 Shuo Wang - 2.78.3-5
+- gsocks4aproxy: Fix a single byte buffer overflow in connect messages
+
 * Thu Sep 26 2024 OpenCloudOS Release Engineering - 2.78.3-4
 - Rebuilt for clarifying the packages requirement in BaseOS and AppStream

--
Gitee
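Review bot: `Patch0001:` is declared in the first hunk, but nothing in this diff shows the patch being applied; unless `%prep` (outside the hunk) already uses `%autosetup -p1` or an explicit `%patch0001 -p1`, the CVE-2024-52533 fix would ship in the SRPM without reaching the built library, so that should be confirmed before this release is treated as fixed. The second hunk's changelog entry names the bug but not the advisory; adding the identifier keeps the fix traceable for tooling that reads `%changelog`, e.g. `- gsocks4aproxy: Fix a single byte buffer overflow in connect messages (CVE-2024-52533)`.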