Add patches for CVE-2024-52533 and CVE-2025-4373
Resolves: RHEL-94522 Resolves: RHEL-102852
This commit is contained in:
Michael Catanzaro
parent
4d1eb627e3
commit
3d55ca40c2
45
CVE-2024-52533.patch
Normal file
45
CVE-2024-52533.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From 25833cefda24c60af913d6f2d532b5afd608b821 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Catanzaro <mcatanzaro@redhat.com>
|
||||
Date: Thu, 19 Sep 2024 18:35:53 +0100
|
||||
Subject: [PATCH] gsocks4aproxy: Fix a single byte buffer overflow in connect
|
||||
messages
|
||||
|
||||
`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
|
||||
byte in the connect message, which is an addition in SOCKSv4a vs
|
||||
SOCKSv4.
|
||||
|
||||
This means that the buffer for building and transmitting the connect
|
||||
message could be overflowed if the username and hostname are both
|
||||
`SOCKS4_MAX_LEN` (255) bytes long.
|
||||
|
||||
Proxy configurations are normally statically configured, so the username
|
||||
is very unlikely to be near its maximum length, and hence this overflow
|
||||
is unlikely to be triggered in practice.
|
||||
|
||||
(Commit message by Philip Withnall, diagnosis and fix by Michael
|
||||
Catanzaro.)
|
||||
|
||||
Fixes: #3461
|
||||
---
|
||||
gio/gsocks4aproxy.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c
|
||||
index 3dad118eb7..b3146d08fd 100644
|
||||
--- a/gio/gsocks4aproxy.c
|
||||
+++ b/gio/gsocks4aproxy.c
|
||||
@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy)
|
||||
* +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
|
||||
* | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL |
|
||||
* +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
|
||||
- * 1 1 2 4 variable 1 variable
|
||||
+ * 1 1 2 4 variable 1 variable 1
|
||||
*/
|
||||
-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2)
|
||||
+#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2)
|
||||
static gint
|
||||
set_connect_msg (guint8 *msg,
|
||||
const gchar *hostname,
|
||||
--
|
||||
GitLab
|
||||
|
||||
140
CVE-2025-4373.patch
Normal file
140
CVE-2025-4373.patch
Normal file
@ -0,0 +1,140 @@
|
||||
From cc647f9e46d55509a93498af19659baf9c80f2e3 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Catanzaro <mcatanzaro@redhat.com>
|
||||
Date: Thu, 10 Apr 2025 10:57:20 -0500
|
||||
Subject: [PATCH] gstring: carefully handle gssize parameters
|
||||
|
||||
Wherever we use gssize to allow passing -1, we need to ensure we don't
|
||||
overflow the value by assigning a gsize to it without checking if the
|
||||
size exceeds the maximum gssize. The safest way to do this is to just
|
||||
use normal gsize everywhere instead and use gssize only for the
|
||||
parameter.
|
||||
|
||||
Our computers don't have enough RAM to write tests for this. I tried
|
||||
forcing string->len to high values for test purposes, but this isn't
|
||||
valid and will just cause out of bounds reads/writes due to
|
||||
string->allocated_len being unexpectedly small, so I don't think we can
|
||||
test this easily.
|
||||
---
|
||||
glib/gstring.c | 36 +++++++++++++++++++++++-------------
|
||||
1 file changed, 23 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/glib/gstring.c b/glib/gstring.c
|
||||
index 5279ed3cca..d79a4849c0 100644
|
||||
--- a/glib/gstring.c
|
||||
+++ b/glib/gstring.c
|
||||
@@ -480,8 +480,9 @@ g_string_insert_len (GString *string,
|
||||
return string;
|
||||
|
||||
if (len < 0)
|
||||
- len = strlen (val);
|
||||
- len_unsigned = len;
|
||||
+ len_unsigned = strlen (val);
|
||||
+ else
|
||||
+ len_unsigned = len;
|
||||
|
||||
if (pos < 0)
|
||||
pos_unsigned = string->len;
|
||||
@@ -778,10 +779,12 @@ g_string_insert_c (GString *string,
|
||||
g_string_maybe_expand (string, 1);
|
||||
|
||||
if (pos < 0)
|
||||
- pos = string->len;
|
||||
+ pos_unsigned = string->len;
|
||||
else
|
||||
- g_return_val_if_fail ((gsize) pos <= string->len, string);
|
||||
- pos_unsigned = pos;
|
||||
+ {
|
||||
+ pos_unsigned = pos;
|
||||
+ g_return_val_if_fail (pos_unsigned <= string->len, string);
|
||||
+ }
|
||||
|
||||
/* If not just an append, move the old stuff */
|
||||
if (pos_unsigned < string->len)
|
||||
@@ -814,6 +817,7 @@ g_string_insert_unichar (GString *string,
|
||||
gssize pos,
|
||||
gunichar wc)
|
||||
{
|
||||
+ gsize pos_unsigned;
|
||||
gint charlen, first, i;
|
||||
gchar *dest;
|
||||
|
||||
@@ -855,15 +859,18 @@ g_string_insert_unichar (GString *string,
|
||||
g_string_maybe_expand (string, charlen);
|
||||
|
||||
if (pos < 0)
|
||||
- pos = string->len;
|
||||
+ pos_unsigned = string->len;
|
||||
else
|
||||
- g_return_val_if_fail ((gsize) pos <= string->len, string);
|
||||
+ {
|
||||
+ pos_unsigned = pos;
|
||||
+ g_return_val_if_fail (pos_unsigned <= string->len, string);
|
||||
+ }
|
||||
|
||||
/* If not just an append, move the old stuff */
|
||||
- if ((gsize) pos < string->len)
|
||||
- memmove (string->str + pos + charlen, string->str + pos, string->len - pos);
|
||||
+ if (pos_unsigned < string->len)
|
||||
+ memmove (string->str + pos_unsigned + charlen, string->str + pos_unsigned, string->len - pos_unsigned);
|
||||
|
||||
- dest = string->str + pos;
|
||||
+ dest = string->str + pos_unsigned;
|
||||
/* Code copied from g_unichar_to_utf() */
|
||||
for (i = charlen - 1; i > 0; --i)
|
||||
{
|
||||
@@ -921,6 +928,7 @@ g_string_overwrite_len (GString *string,
|
||||
const gchar *val,
|
||||
gssize len)
|
||||
{
|
||||
+ gssize len_unsigned;
|
||||
gsize end;
|
||||
|
||||
g_return_val_if_fail (string != NULL, NULL);
|
||||
@@ -932,14 +940,16 @@ g_string_overwrite_len (GString *string,
|
||||
g_return_val_if_fail (pos <= string->len, string);
|
||||
|
||||
if (len < 0)
|
||||
- len = strlen (val);
|
||||
+ len_unsigned = strlen (val);
|
||||
+ else
|
||||
+ len_unsigned = len;
|
||||
|
||||
- end = pos + len;
|
||||
+ end = pos + len_unsigned;
|
||||
|
||||
if (end > string->len)
|
||||
g_string_maybe_expand (string, end - string->len);
|
||||
|
||||
- memcpy (string->str + pos, val, len);
|
||||
+ memcpy (string->str + pos, val, len_unsigned);
|
||||
|
||||
if (end > string->len)
|
||||
{
|
||||
--
|
||||
GitLab
|
||||
From 089070bf53807ad2a81bc0b014ad19016fada2a5 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Bloomfield <PeterBloomfield@bellsouth.net>
|
||||
Date: Thu, 10 Apr 2025 22:12:49 -0400
|
||||
Subject: [PATCH] gstring: Make len_unsigned unsigned
|
||||
|
||||
Declare `len_unsigned` as `gsize` instead of `gssize`.
|
||||
---
|
||||
glib/gstring.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/glib/gstring.c b/glib/gstring.c
|
||||
index d79a4849c0..2a399ee21f 100644
|
||||
--- a/glib/gstring.c
|
||||
+++ b/glib/gstring.c
|
||||
@@ -928,7 +928,7 @@ g_string_overwrite_len (GString *string,
|
||||
const gchar *val,
|
||||
gssize len)
|
||||
{
|
||||
- gssize len_unsigned;
|
||||
+ gsize len_unsigned;
|
||||
gsize end;
|
||||
|
||||
g_return_val_if_fail (string != NULL, NULL);
|
||||
--
|
||||
GitLab
|
||||
|
||||
@ -21,6 +21,13 @@ Patch: x-gvfs-trash.patch
|
||||
# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4356
|
||||
Patch: gdatetime-test.patch
|
||||
|
||||
# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4281
|
||||
Patch: CVE-2024-52533.patch
|
||||
|
||||
# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4588
|
||||
# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4592
|
||||
Patch: CVE-2025-4373.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: gettext
|
||||
|
||||
Loading…
Reference in New Issue
Block a user