From 33a35cb41b527af0f39d720e24045f3d9d34bc3d Mon Sep 17 00:00:00 2001 From: Konstantin Kostiuk Date: Tue, 26 Nov 2024 13:24:24 +0200 Subject: [PATCH] Fix buffer overflow in set_connect_msg Resolve: RHEL-67088 - CVE-2024-52533 Signed-off-by: Konstantin Kostiuk --- ...3-buffer-overflow-in-set_connect_msg.patch | 45 +++++++++++++++++++ mingw-glib2.spec | 9 +++- 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 CVE-2024-52533-buffer-overflow-in-set_connect_msg.patch diff --git a/CVE-2024-52533-buffer-overflow-in-set_connect_msg.patch b/CVE-2024-52533-buffer-overflow-in-set_connect_msg.patch new file mode 100644 index 0000000..c677cfc --- /dev/null +++ b/CVE-2024-52533-buffer-overflow-in-set_connect_msg.patch @@ -0,0 +1,45 @@ +From 25833cefda24c60af913d6f2d532b5afd608b821 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 19 Sep 2024 18:35:53 +0100 +Subject: [PATCH] gsocks4aproxy: Fix a single byte buffer overflow in connect + messages + +`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul +byte in the connect message, which is an addition in SOCKSv4a vs +SOCKSv4. + +This means that the buffer for building and transmitting the connect +message could be overflowed if the username and hostname are both +`SOCKS4_MAX_LEN` (255) bytes long. + +Proxy configurations are normally statically configured, so the username +is very unlikely to be near its maximum length, and hence this overflow +is unlikely to be triggered in practice. + +(Commit message by Philip Withnall, diagnosis and fix by Michael +Catanzaro.) + +Fixes: #3461 +--- + gio/gsocks4aproxy.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c +index 3dad118eb7..b3146d08fd 100644 +--- a/gio/gsocks4aproxy.c ++++ b/gio/gsocks4aproxy.c +@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy) + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ + * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL | + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ +- * 1 1 2 4 variable 1 variable ++ * 1 1 2 4 variable 1 variable 1 + */ +-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2) ++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2) + static gint + set_connect_msg (guint8 *msg, + const gchar *hostname, +-- +GitLab + diff --git a/mingw-glib2.spec b/mingw-glib2.spec index 5ae6ba2..0d9b984 100644 --- a/mingw-glib2.spec +++ b/mingw-glib2.spec @@ -2,7 +2,7 @@ Name: mingw-glib2 Version: 2.78.6 -Release: 1%{?dist} +Release: 2%{?dist} Summary: MinGW Windows GLib2 library License: LGPL-2.0-or-later @@ -44,6 +44,10 @@ BuildRequires: python3-devel # https://bugzilla.gnome.org/show_bug.cgi?id=674214 Patch1: 0001-Use-CreateFile-on-Win32-to-make-sure-g_unlink-always.patch +# https://issues.redhat.com/browse/RHEL-67089 +# https://gitlab.gnome.org/GNOME/glib/-/issues/3461 +Patch2: CVE-2024-52533-buffer-overflow-in-set_connect_msg.patch + # Prefer the use of GCC constructors over DllMain # This prevents having to depend on DllMain in static libraries # http://lists.fedoraproject.org/pipermail/mingw/2013-March/006429.html @@ -279,6 +283,9 @@ find %{buildroot} -name "*.la" -delete %changelog +* Tue Nov 26 2024 Konstantin Kostiuk - 2.78.6-2 +- Resolves: RHEL-67088 - CVE-2024-52533 mingw-glib2: buffer overflow in set_connect_msg() + * Tue May 21 2024 Konstantin Kostiuk - 2.78.6-1 - Bump glib2 version 2.78.6 - Fix CVEs: CVE-2024-34397