From d753555b98db3f8d5af4f36df335090728ca6288 Mon Sep 17 00:00:00 2001 From: Simon McVittie <smcv@debian.org> Date: Thu, 14 Nov 2024 09:42:34 +0000 Subject: [PATCH 1/2] Import Debian changes 2.74.6-2+deb12u5 --- debian/changelog | 8 ++++ ...ingle-byte-buffer-overflow-in-connec.patch | 44 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 53 insertions(+) create mode 100644 debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch diff --git a/debian/changelog b/debian/changelog index 173b14c..ba85f9e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +glib2.0 (2.74.6-2+deb12u5) bookworm; urgency=medium + + * d/p/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch: + Fix a buffer overflow when configured to use a SOCKS4a proxy with a + very long username (CVE-2024-52533, Closes: #1087419) + + -- Simon McVittie <smcv@debian.org> Thu, 14 Nov 2024 09:42:34 +0000 + glib2.0 (2.74.6-2+deb12u4) bookworm; urgency=medium [ Helmut Grohne ] diff --git a/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch b/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch new file mode 100644 index 0000000..5e4be5c --- /dev/null +++ b/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch @@ -0,0 +1,44 @@ +From: Michael Catanzaro <mcatanzaro@redhat.com> +Date: Thu, 19 Sep 2024 18:35:53 +0100 +Subject: gsocks4aproxy: Fix a single byte buffer overflow in connect messages + +`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul +byte in the connect message, which is an addition in SOCKSv4a vs +SOCKSv4. + +This means that the buffer for building and transmitting the connect +message could be overflowed if the username and hostname are both +`SOCKS4_MAX_LEN` (255) bytes long. + +Proxy configurations are normally statically configured, so the username +is very unlikely to be near its maximum length, and hence this overflow +is unlikely to be triggered in practice. + +(Commit message by Philip Withnall, diagnosis and fix by Michael +Catanzaro.) + +CVE-2024-52533 + +Bug: https://gitlab.gnome.org/GNOME/glib/-/issues/3461 +Bug-Debian: https://bugs.debian.org/1087419 +Origin: upstream, 2.82.1, commit:ec0b708b981af77fef8e4bbb603cde4de4cd2e29 +--- + gio/gsocks4aproxy.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c +index 3dad118..b3146d0 100644 +--- a/gio/gsocks4aproxy.c ++++ b/gio/gsocks4aproxy.c +@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy) + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ + * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL | + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ +- * 1 1 2 4 variable 1 variable ++ * 1 1 2 4 variable 1 variable 1 + */ +-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2) ++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2) + static gint + set_connect_msg (guint8 *msg, + const gchar *hostname, diff --git a/debian/patches/series b/debian/patches/series index bc34651..f903721 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -43,3 +43,4 @@ CVE-2024-34397/tests-Ensure-that-unsubscribing-with-GetNameOwner-in-flig.patch CVE-2024-34397/gdbus-proxy-test-Wait-before-asserting-name-owner-has-gon.patch CVE-2024-34397/gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a.patch gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch +gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch -- GitLab From b564859d1a649a1be4e58bd7f74fb57494d6182e Mon Sep 17 00:00:00 2001 From: Apertis CI robot <devel@lists.apertis.org> Date: Fri, 17 Jan 2025 10:55:22 +0000 Subject: [PATCH 2/2] Release glib2.0 version 2.74.6-2+deb12u5+apertis1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Dylan Aïssi <dylan.aissi@collabora.com> --- debian/changelog | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/debian/changelog b/debian/changelog index d0f391d..8a91427 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +glib2.0 (2.74.6-2+deb12u5+apertis1) apertis; urgency=medium + + * Sync from debian/bookworm. + * Remaining Apertis specific changes: + - Inject -Wno-error=format-overflow -Wno-error=format-truncation in + debian/rules. In contrary to Debian, we use by default -Wformat-overflow=2 + and -Wformat-truncation=2 in Apertis, but due to the use of -Werror this + package FTBFS with: "cc1: all warnings being treated as errors". + In order to avoid this error, we don't treat these warnings as errors. + + -- Apertis CI <devel@lists.apertis.org> Fri, 17 Jan 2025 10:55:22 +0000 + glib2.0 (2.74.6-2+deb12u5) bookworm; urgency=medium * d/p/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch: -- GitLab