Simon McVittie
2024-11-16 23:30:01 UTC
Reply
Permalinkquoted below.
[ Reason ]
CVE-2024-52533, https://bugs.debian.org/1087419
[ Impact ]
Heap/stack buffer overflow with unknown impact (most likely just denial
of service via a crash) for users of SOCKS4a proxies.
Mitigation: the overflow only occurs in the unusual situation that the
proxy was configured with a 255-byte username (I don't know whether proxy
autoconfiguration can set up this situation), and the user is also
connecting to a 255-byte hostname.
The security team does not intend to issue a DSA for this minor
vulnerability.
[ Tests ]
Not specifically tested, I don't know where to find an example of a
SOCKS4a proxy.
An upgraded bookworm GNOME desktop system runs normally.
[ Risks ]
I would say this is low risk despite the lack of test coverage: the only
change is to make a buffer 1 byte larger in two places (one on the stack,
one on the heap) to ensure that a maximally-long message cannot exceed
the buffer size.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
All proposed changes are relevant to CVE-2024-52533.
[ Other info ]
GLib has a udeb, so this needs a d-i ack (although I can't think of any
reason why the affected code would run in a d-i context).
diffstat for glib2.0-2.74.6 glib2.0-2.74.6
changelog | 8 +
patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch | 44 ++++++++++
patches/series | 1
3 files changed, 53 insertions(+)
diff -Nru glib2.0-2.74.6/debian/changelog glib2.0-2.74.6/debian/changelog
--- glib2.0-2.74.6/debian/changelog 2024-10-28 08:41:03.000000000 +0000
+++ glib2.0-2.74.6/debian/changelog 2024-11-14 09:42:34.000000000 +0000
@@ -1,3 +1,11 @@
+glib2.0 (2.74.6-2+deb12u5) bookworm; urgency=medium
+
+ Fix a buffer overflow when configured to use a SOCKS4a proxy with a
+ very long username (CVE-2024-52533, Closes: #1087419)
+
+
glib2.0 (2.74.6-2+deb12u4) bookworm; urgency=medium
[ Helmut Grohne ]
diff -Nru glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
--- glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch 1970-01-01 01:00:00.000000000 +0100
+++ glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch 2024-11-14 09:42:34.000000000 +0000
@@ -0,0 +1,44 @@
+Date: Thu, 19 Sep 2024 18:35:53 +0100
+Subject: gsocks4aproxy: Fix a single byte buffer overflow in connect messages
+
+`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
+byte in the connect message, which is an addition in SOCKSv4a vs
+SOCKSv4.
+
+This means that the buffer for building and transmitting the connect
+message could be overflowed if the username and hostname are both
+`SOCKS4_MAX_LEN` (255) bytes long.
+
+Proxy configurations are normally statically configured, so the username
+is very unlikely to be near its maximum length, and hence this overflow
+is unlikely to be triggered in practice.
+
+(Commit message by Philip Withnall, diagnosis and fix by Michael
+Catanzaro.)
+
+CVE-2024-52533
+
+Bug: https://gitlab.gnome.org/GNOME/glib/-/issues/3461
+Bug-Debian: https://bugs.debian.org/1087419
+Origin: upstream, 2.82.1, commit:ec0b708b981af77fef8e4bbb603cde4de4cd2e29
+---
+ gio/gsocks4aproxy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c
+index 3dad118..b3146d0 100644
+--- a/gio/gsocks4aproxy.c
++++ b/gio/gsocks4aproxy.c
+ * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+ * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL |
+ * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+- * 1 1 2 4 variable 1 variable
++ * 1 1 2 4 variable 1 variable 1
+ */
+-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2)
++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2)
+ static gint
+ set_connect_msg (guint8 *msg,
+ const gchar *hostname,
diff -Nru glib2.0-2.74.6/debian/patches/series glib2.0-2.74.6/debian/patches/series
--- glib2.0-2.74.6/debian/patches/series 2024-10-28 08:41:03.000000000 +0000
+++ glib2.0-2.74.6/debian/patches/series 2024-11-14 09:42:34.000000000 +0000
@@ -43,3 +43,4 @@
CVE-2024-34397/gdbus-proxy-test-Wait-before-asserting-name-owner-has-gon.patch
CVE-2024-34397/gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a.patch
gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch
+gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
CVE-2024-52533, https://bugs.debian.org/1087419
[ Impact ]
Heap/stack buffer overflow with unknown impact (most likely just denial
of service via a crash) for users of SOCKS4a proxies.
Mitigation: the overflow only occurs in the unusual situation that the
proxy was configured with a 255-byte username (I don't know whether proxy
autoconfiguration can set up this situation), and the user is also
connecting to a 255-byte hostname.
The security team does not intend to issue a DSA for this minor
vulnerability.
[ Tests ]
Not specifically tested, I don't know where to find an example of a
SOCKS4a proxy.
An upgraded bookworm GNOME desktop system runs normally.
[ Risks ]
I would say this is low risk despite the lack of test coverage: the only
change is to make a buffer 1 byte larger in two places (one on the stack,
one on the heap) to ensure that a maximally-long message cannot exceed
the buffer size.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
All proposed changes are relevant to CVE-2024-52533.
[ Other info ]
GLib has a udeb, so this needs a d-i ack (although I can't think of any
reason why the affected code would run in a d-i context).
diffstat for glib2.0-2.74.6 glib2.0-2.74.6
changelog | 8 +
patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch | 44 ++++++++++
patches/series | 1
3 files changed, 53 insertions(+)
diff -Nru glib2.0-2.74.6/debian/changelog glib2.0-2.74.6/debian/changelog
--- glib2.0-2.74.6/debian/changelog 2024-10-28 08:41:03.000000000 +0000
+++ glib2.0-2.74.6/debian/changelog 2024-11-14 09:42:34.000000000 +0000
@@ -1,3 +1,11 @@
+glib2.0 (2.74.6-2+deb12u5) bookworm; urgency=medium
+
+ Fix a buffer overflow when configured to use a SOCKS4a proxy with a
+ very long username (CVE-2024-52533, Closes: #1087419)
+
+
glib2.0 (2.74.6-2+deb12u4) bookworm; urgency=medium
[ Helmut Grohne ]
diff -Nru glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
--- glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch 1970-01-01 01:00:00.000000000 +0100
+++ glib2.0-2.74.6/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch 2024-11-14 09:42:34.000000000 +0000
@@ -0,0 +1,44 @@
+Date: Thu, 19 Sep 2024 18:35:53 +0100
+Subject: gsocks4aproxy: Fix a single byte buffer overflow in connect messages
+
+`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
+byte in the connect message, which is an addition in SOCKSv4a vs
+SOCKSv4.
+
+This means that the buffer for building and transmitting the connect
+message could be overflowed if the username and hostname are both
+`SOCKS4_MAX_LEN` (255) bytes long.
+
+Proxy configurations are normally statically configured, so the username
+is very unlikely to be near its maximum length, and hence this overflow
+is unlikely to be triggered in practice.
+
+(Commit message by Philip Withnall, diagnosis and fix by Michael
+Catanzaro.)
+
+CVE-2024-52533
+
+Bug: https://gitlab.gnome.org/GNOME/glib/-/issues/3461
+Bug-Debian: https://bugs.debian.org/1087419
+Origin: upstream, 2.82.1, commit:ec0b708b981af77fef8e4bbb603cde4de4cd2e29
+---
+ gio/gsocks4aproxy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c
+index 3dad118..b3146d0 100644
+--- a/gio/gsocks4aproxy.c
++++ b/gio/gsocks4aproxy.c
+ * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+ * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL |
+ * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+- * 1 1 2 4 variable 1 variable
++ * 1 1 2 4 variable 1 variable 1
+ */
+-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2)
++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2)
+ static gint
+ set_connect_msg (guint8 *msg,
+ const gchar *hostname,
diff -Nru glib2.0-2.74.6/debian/patches/series glib2.0-2.74.6/debian/patches/series
--- glib2.0-2.74.6/debian/patches/series 2024-10-28 08:41:03.000000000 +0000
+++ glib2.0-2.74.6/debian/patches/series 2024-11-14 09:42:34.000000000 +0000
@@ -43,3 +43,4 @@
CVE-2024-34397/gdbus-proxy-test-Wait-before-asserting-name-owner-has-gon.patch
CVE-2024-34397/gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a.patch
gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch
+gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch