From 1f5705e14c8e5709a220b32293661fd7b0f9345e Mon Sep 17 00:00:00 2001 From: Adrian Bunk <bunk@debian.org> Date: Mon, 18 Nov 2024 13:11:51 +0200 Subject: [PATCH 1/2] Import Debian changes 2.66.8-1+deb11u5 --- debian/changelog | 7 +++ ...x-a-single-byte-buffer-overflow-in-c.patch | 44 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 52 insertions(+) create mode 100644 debian/patches/0001-gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-c.patch diff --git a/debian/changelog b/debian/changelog index 72c169f..2dbbea1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +glib2.0 (2.66.8-1+deb11u5) bullseye-security; urgency=medium + + * Non-maintainer upload by the LTS Team. + * CVE-2024-52533: SOCKS4a proxy buffer overflow + + -- Adrian Bunk <bunk@debian.org> Mon, 18 Nov 2024 13:11:51 +0200 + glib2.0 (2.66.8-1+deb11u4) bullseye; urgency=medium * d/p/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch: diff --git a/debian/patches/0001-gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-c.patch b/debian/patches/0001-gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-c.patch new file mode 100644 index 0000000..f2641ee --- /dev/null +++ b/debian/patches/0001-gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-c.patch @@ -0,0 +1,44 @@ +From ed0a8e858c5fef928b8eec4c473569c6007131b2 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro <mcatanzaro@redhat.com> +Date: Thu, 19 Sep 2024 18:35:53 +0100 +Subject: gsocks4aproxy: Fix a single byte buffer overflow in connect messages + +`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul +byte in the connect message, which is an addition in SOCKSv4a vs +SOCKSv4. + +This means that the buffer for building and transmitting the connect +message could be overflowed if the username and hostname are both +`SOCKS4_MAX_LEN` (255) bytes long. + +Proxy configurations are normally statically configured, so the username +is very unlikely to be near its maximum length, and hence this overflow +is unlikely to be triggered in practice. + +(Commit message by Philip Withnall, diagnosis and fix by Michael +Catanzaro.) + +Fixes: #3461 +--- + gio/gsocks4aproxy.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c +index 988ddaf56..c7c5d5ef6 100644 +--- a/gio/gsocks4aproxy.c ++++ b/gio/gsocks4aproxy.c +@@ -77,9 +77,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy) + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ + * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL | + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ +- * 1 1 2 4 variable 1 variable ++ * 1 1 2 4 variable 1 variable 1 + */ +-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2) ++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2) + static gint + set_connect_msg (guint8 *msg, + const gchar *hostname, +-- +2.30.2 + diff --git a/debian/patches/series b/debian/patches/series index dc63a95..4d1de2b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -73,3 +73,4 @@ CVE-2024-34397/tests-Add-a-test-for-signal-filtering-by-well-known-name.patch CVE-2024-34397/tests-Ensure-that-unsubscribing-with-GetNameOwner-in-flig.patch CVE-2024-34397/gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a.patch gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch +0001-gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-c.patch -- GitLab From e889dcfc973b5b53065ed37bef28a824976e3c1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dylan=20A=C3=AFssi?= <devel@lists.apertis.org> Date: Mon, 25 Nov 2024 08:24:52 +0000 Subject: [PATCH 2/2] Release glib2.0 version 2.66.8-1+deb11u5+apertis0 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index ad4d902..fb204dc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +glib2.0 (2.66.8-1+deb11u5+apertis0) apertis; urgency=medium + + * Sync from debian/bullseye-security. + + -- Apertis CI <devel@lists.apertis.org> Mon, 25 Nov 2024 08:24:52 +0000 + glib2.0 (2.66.8-1+deb11u5) bullseye-security; urgency=medium * Non-maintainer upload by the LTS Team. -- GitLab