Resolve s390x crashes introduced by fixes for CVE-2023-24593/CVE-2023-25180

Related: #2181196
Related: #2181200
This commit is contained in:
Michael Catanzaro 2023-05-25 14:35:00 -05:00
parent 29360e1fc7
commit 3cb7e06236
2 changed files with 74 additions and 2 deletions

65
3136.patch Normal file
View File

@ -0,0 +1,65 @@
From ba2137b0d9ea3744155be81a5ba770c6535b46f3 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Thu, 15 Dec 2022 12:51:37 +0000
Subject: [PATCH] gvariant-serialiser: Convert endianness of offsets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The array of offsets is little-endian, even on big-endian architectures
like s390x.
Fixes: ade71fb5 "gvariant: Don’t allow child elements to overlap with each other"
Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/2839
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
glib/gvariant-serialiser.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
index fadefab659..f443c2eb85 100644
--- a/glib/gvariant-serialiser.c
+++ b/glib/gvariant-serialiser.c
@@ -714,17 +714,19 @@ gvs_variable_sized_array_n_children (GVariantSerialised value)
/* Find the index of the first out-of-order element in @data, assuming that
* @data is an array of elements of given @type, starting at index @start and
* containing a further @len-@start elements. */
-#define DEFINE_FIND_UNORDERED(type) \
+#define DEFINE_FIND_UNORDERED(type, le_to_native) \
static gsize \
find_unordered_##type (const guint8 *data, gsize start, gsize len) \
{ \
gsize off; \
- type current, previous; \
+ type current_le, previous_le, current, previous; \
\
- memcpy (&previous, data + start * sizeof (current), sizeof (current)); \
+ memcpy (&previous_le, data + start * sizeof (current), sizeof (current)); \
+ previous = le_to_native (previous_le); \
for (off = (start + 1) * sizeof (current); off < len * sizeof (current); off += sizeof (current)) \
{ \
- memcpy (&current, data + off, sizeof (current)); \
+ memcpy (&current_le, data + off, sizeof (current)); \
+ current = le_to_native (current_le); \
if (current < previous) \
break; \
previous = current; \
@@ -732,10 +734,11 @@ gvs_variable_sized_array_n_children (GVariantSerialised value)
return off / sizeof (current) - 1; \
}
-DEFINE_FIND_UNORDERED (guint8);
-DEFINE_FIND_UNORDERED (guint16);
-DEFINE_FIND_UNORDERED (guint32);
-DEFINE_FIND_UNORDERED (guint64);
+#define NO_CONVERSION(x) (x)
+DEFINE_FIND_UNORDERED (guint8, NO_CONVERSION);
+DEFINE_FIND_UNORDERED (guint16, GUINT16_FROM_LE);
+DEFINE_FIND_UNORDERED (guint32, GUINT32_FROM_LE);
+DEFINE_FIND_UNORDERED (guint64, GUINT64_FROM_LE);
static GVariantSerialised
gvs_variable_sized_array_get_child (GVariantSerialised value,
--
GitLab

View File

@ -1,6 +1,6 @@
Name: glib2 Name: glib2
Version: 2.68.4 Version: 2.68.4
Release: 8%{?dist} Release: 9%{?dist}
Summary: A library of handy utility functions Summary: A library of handy utility functions
License: LGPLv2+ License: LGPLv2+
@ -33,8 +33,10 @@ Patch7: 2435.patch
# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126 # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126
Patch8: 3126.patch Patch8: 3126.patch
# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3136
Patch9: 3136.patch
# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3163 # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3163
Patch9: 3163.patch Patch10: 3163.patch
BuildRequires: chrpath BuildRequires: chrpath
BuildRequires: gcc BuildRequires: gcc
@ -252,6 +254,11 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
%{_datadir}/installed-tests %{_datadir}/installed-tests
%changelog %changelog
* Thu May 25 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.68.4-9
- Resolve s390x crashes introduced by fixes for CVE-2023-24593/CVE-2023-25180
- Related: #2181196
- Related: #2181200
* Wed May 17 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.68.4-8 * Wed May 17 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.68.4-8
- Resolve use after free introduced by fixes for CVE-2023-24593/CVE-2023-25180 - Resolve use after free introduced by fixes for CVE-2023-24593/CVE-2023-25180
- Related: #2181196 - Related: #2181196