CVE-2023-29499: (CVE-2023-29499) GVariant offset table entry size is not checked in is_normal() (#2794) · Issues · GNOME / GLib · GitLab

A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.


Splitting out from this comment in issue #2121:

Another one:

For type aay the normal form serialization of [[], [], [], …, []] with 128 zero-length arrays is b'\0\0\0…\0' with 128 NUL characters. In Python this is:

>>> GLib.Variant("aay", [[]] * 128).get_data_as_bytes().get_data() == b'\0' * 128

This works fine. The serialised data consists of 128 guint8 framing offsets, each 1B long, all with the value 0. So there are 128 instances of "ay".

Interestingly, b'\0' * 256 is also [[]] * 128. This is because it consists of 128 guint16 framing offsets, each 2B long. So there are 128 instances of "ay". This is a valid representation of the data, but is not in normal form. The spec says:

When serialising, the proper framing offset size must be determined by “trial and error” — checking each size to determine if it will work. It is possible, since the size of the offsets is included in the size of the container, that having larger offsets might bump the size of the container up into the next category, which would then require larger offsets. Such containers, however, would not be considered to be in “normal form”. The smallest possible offset size must be used if the serialised data is to be in normal form.

The GLib GVariant implementation serializes correctly, but I think there is a bug in g_variant_is_normal_form. In Python:

>>> GLib.Variant.new_from_bytes(
...    GLib.VariantType.new("aay"),
...    GLib.Bytes.new(b'\0' * 256),
...    False).is_normal_form()
True

This is incorrect; it should be False.

Calling g_variant_get_normal_form doesn’t help:

>>> len(GLib.Variant.new_from_bytes(
...     GLib.VariantType.new("aay"), GLib.Bytes.new(b'\0' * 256),
...     False).get_normal_form().get_data_as_bytes().get_data())
256

I can confirm this is a bug and I have a fix underway.
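The framing-offset behaviour described in the quoted comment, as an added example that is not GLib's code: a minimal parser and normal-form serialiser for the "aay" type, with the function names (offset_size_for, serialize_aay, parse_aay, is_normal_form_aay) chosen here. It assumes the layout the GVariant spec describes for arrays of variable-sized elements: element bodies first, then one little-endian end offset per element, with the offset width fixed by the container's total size.

```python
# Added example, not GLib's implementation. Offset width is chosen by the
# container size: 1 byte up to 0xFF, 2 up to 0xFFFF, and so on.
_OFFSET_WIDTHS = ((1, 0xFF), (2, 0xFFFF), (4, 0xFFFFFFFF), (8, 0xFFFFFFFFFFFFFFFF))


def offset_size_for(container_size: int) -> int:
    """Framing offset width implied by a container's total size."""
    for width, limit in _OFFSET_WIDTHS:
        if container_size <= limit:
            return width
    raise ValueError("container too large")


def serialize_aay(elements: list[bytes]) -> bytes:
    """Normal-form serialisation: the smallest offset width that fits, found by trial and error."""
    if not elements:
        return b""
    body = b"".join(elements)
    ends, pos = [], 0
    for element in elements:
        pos += len(element)
        ends.append(pos)
    for width, limit in _OFFSET_WIDTHS:
        # Wider offsets can push the total size into the next category, so re-check each width.
        if len(body) + len(elements) * width <= limit:
            return body + b"".join(end.to_bytes(width, "little") for end in ends)
    raise ValueError("value too large to serialise")


def parse_aay(data: bytes) -> list[bytes]:
    """Decode serialised 'aay' data, rejecting malformed framing offsets."""
    size = len(data)
    if size == 0:
        return []
    width = offset_size_for(size)
    last_end = int.from_bytes(data[size - width:], "little")  # start of the offset table
    if last_end > size or (size - last_end) % width:
        raise ValueError("bad offset table")
    count = (size - last_end) // width
    ends = [int.from_bytes(data[last_end + i * width:last_end + (i + 1) * width], "little")
            for i in range(count)]
    out, start = [], 0
    for end in ends:
        if end < start or end > last_end:
            raise ValueError("non-monotonic or out-of-range offset")
        out.append(data[start:end])
        start = end
    return out


def is_normal_form_aay(data: bytes) -> bool:
    """Data is in normal form only if re-serialising its value reproduces it byte for byte."""
    try:
        return serialize_aay(parse_aay(data)) == data
    except ValueError:
        return False
```

With this check, b'\0' * 128 is normal form while b'\0' * 256 parses to the same 128 empty arrays but is not, which is the result the comment expected from g_variant_is_normal_form.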

Related news

Red Hat Security Advisory 2024-2528-03

Red Hat Security Advisory 2024-2528-03 - An update for mingw-glib2 is now available for Red Hat Enterprise Linux 9.

Gentoo Linux Security Advisory 202311-18

Gentoo Linux Security Advisory 202311-18 - Multiple vulnerabilities have been discovered in GLib. Versions greater than or equal to 2.74.4 are affected.

Ubuntu Security Notice USN-6165-2

Ubuntu Security Notice 6165-2 - USN-6165-1 fixed vulnerabilities in GLib. This update provides the corresponding updates for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that GLib incorrectly handled non-normal GVariants. An attacker could use this issue to cause GLib to crash, resulting in a denial of service, or perform other unknown attacks.
