Fix buffer overflow in set_connect_msg

Resolve: RHEL-67088 - CVE-2024-52533 Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
2024-11-26 13:24:24 +02:00 · 2024-11-26 13:24:24 +02:00 · 33a35cb41b
commit 33a35cb41b
parent 593c091960
2 changed files with 53 additions and 1 deletions
--- a/CVE-2024-52533-buffer-overflow-in-set_connect_msg.patch
+++ b/CVE-2024-52533-buffer-overflow-in-set_connect_msg.patch
@ -0,0 +1,45 @@
+From 25833cefda24c60af913d6f2d532b5afd608b821 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Thu, 19 Sep 2024 18:35:53 +0100
+Subject: [PATCH] gsocks4aproxy: Fix a single byte buffer overflow in connect
+ messages
+
+`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
+byte in the connect message, which is an addition in SOCKSv4a vs
+SOCKSv4.
+
+This means that the buffer for building and transmitting the connect
+message could be overflowed if the username and hostname are both
+`SOCKS4_MAX_LEN` (255) bytes long.
+
+Proxy configurations are normally statically configured, so the username
+is very unlikely to be near its maximum length, and hence this overflow
+is unlikely to be triggered in practice.
+
+(Commit message by Philip Withnall, diagnosis and fix by Michael
+Catanzaro.)
+
+Fixes: #3461
+---
+ gio/gsocks4aproxy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c
+index 3dad118eb7..b3146d08fd 100644
+--- a/gio/gsocks4aproxy.c
+++ b/gio/gsocks4aproxy.c
+@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy)
+  * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+  * | VN | CD | DSTPORT |      DSTIP        | USERID       |NULL| HOST |    | NULL |
+  * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+- *    1    1      2              4           variable       1    variable
+ *    1    1      2              4           variable       1    variable    1
+  */
+-#define SOCKS4_CONN_MSG_LEN	    (9 + SOCKS4_MAX_LEN * 2)
+#define SOCKS4_CONN_MSG_LEN	    (10 + SOCKS4_MAX_LEN * 2)
+ static gint
+ set_connect_msg (guint8      *msg,
+ 		 const gchar *hostname,
+-- 
+GitLab
+
--- a/mingw-glib2.spec
+++ b/mingw-glib2.spec
@ -2,7 +2,7 @@

 Name:           mingw-glib2
 Version:        2.78.6
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        MinGW Windows GLib2 library

 License:        LGPL-2.0-or-later
@ -44,6 +44,10 @@ BuildRequires:  python3-devel
 # https://bugzilla.gnome.org/show_bug.cgi?id=674214
 Patch1:         0001-Use-CreateFile-on-Win32-to-make-sure-g_unlink-always.patch

+# https://issues.redhat.com/browse/RHEL-67089
+# https://gitlab.gnome.org/GNOME/glib/-/issues/3461
+Patch2:         CVE-2024-52533-buffer-overflow-in-set_connect_msg.patch
+
 # Prefer the use of GCC constructors over DllMain
 # This prevents having to depend on DllMain in static libraries
 # http://lists.fedoraproject.org/pipermail/mingw/2013-March/006429.html
@ -279,6 +283,9 @@ find %{buildroot} -name "*.la" -delete


 %changelog
+* Tue Nov 26 2024 Konstantin Kostiuk <kkostiuk@redhat.com> - 2.78.6-2
+- Resolves: RHEL-67088 - CVE-2024-52533 mingw-glib2: buffer overflow in set_connect_msg()
+
 * Tue May 21 2024 Konstantin Kostiuk <kkostiuk@redhat.com> - 2.78.6-1
 - Bump glib2 version 2.78.6
 - Fix CVEs: CVE-2024-34397