!223 [sync] PR-217: Fix CVE-2024-52533

From: @openeuler-sync-bot Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
2024-11-14 01:14:45 +00:00 · 2024-11-14 01:14:45 +00:00 · c660190582
commit c660190582
parent 423b1d8cd8 57c311f79f
2 changed files with 49 additions and 1 deletions
--- a/backport-CVE-2024-52533.patch
+++ b/backport-CVE-2024-52533.patch
@ -0,0 +1,44 @@
+From 25833cefda24c60af913d6f2d532b5afd608b821 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Thu, 19 Sep 2024 18:35:53 +0100
+Subject: [PATCH] gsocks4aproxy: Fix a single byte buffer overflow in connect
+ messages
+
+`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
+byte in the connect message, which is an addition in SOCKSv4a vs
+SOCKSv4.
+
+This means that the buffer for building and transmitting the connect
+message could be overflowed if the username and hostname are both
+`SOCKS4_MAX_LEN` (255) bytes long.
+
+Proxy configurations are normally statically configured, so the username
+is very unlikely to be near its maximum length, and hence this overflow
+is unlikely to be triggered in practice.
+
+(Commit message by Philip Withnall, diagnosis and fix by Michael
+Catanzaro.)
+
+Fixes: #3461
+---
+ gio/gsocks4aproxy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c
+index 3dad118eb7..b3146d08fd 100644
+--- a/gio/gsocks4aproxy.c
+++ b/gio/gsocks4aproxy.c
+@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy)
+  * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+  * | VN | CD | DSTPORT |      DSTIP        | USERID       |NULL| HOST |    | NULL |
+  * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+- *    1    1      2              4           variable       1    variable
+ *    1    1      2              4           variable       1    variable    1
+  */
+-#define SOCKS4_CONN_MSG_LEN	    (9 + SOCKS4_MAX_LEN * 2)
+#define SOCKS4_CONN_MSG_LEN	    (10 + SOCKS4_MAX_LEN * 2)
+ static gint
+ set_connect_msg (guint8      *msg,
+ 		 const gchar *hostname,
+-- 
+GitLab
--- a/glib2.spec
+++ b/glib2.spec
@ -1,6 +1,6 @@
 Name:           glib2
 Version:        2.72.2
-Release:        18
+Release:        19
 Summary:        The core library that forms the basis for projects such as GTK+ and GNOME
 License:        LGPLv2+
 URL:            http://www.gtk.org
@ -88,6 +88,7 @@ patch6074:      backport-gresources-fix-memory-leak-from-libelf.patch
 patch6075:      backport-gcontextspecificgroup-Wait-until-stop_func-is-done.patch
 patch6076:      backport-gsocketclient-Fix-a-use-after-free-in-g_socket_client_connected_callback.patch
 patch6077:      backport-gdbusmessage-Clean-the-cached-arg0-when-setting-the-message-body.patch
+patch6078:      backport-CVE-2024-52533.patch

 BuildRequires:  chrpath gcc gcc-c++ gettext perl-interpreter
 BUildRequires:  glibc-devel libattr-devel libselinux-devel meson
@ -274,6 +275,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %endif

 %changelog
+* Tue Nov 12 2024 liningjie <liningjie@xfusion.com> - 2.72.2-19
+- Fix CVE-2024-52533
+
 * Mon Oct 28 2024 GuoCe <guoce@kylinos.cn> - 2.72.2-18
 - Correct translation information