768753 – (CVE-2021-27218, CVE-2021-27219, GHSL-2021-045) <dev-libs/glib-2.66.7: Integer overflow (CVE-2021-{27218,27219})

Bug 768753 (CVE-2021-27218, CVE-2021-27219, GHSL-2021-045) - <dev-libs/glib-2.66.7: Integer overflow (CVE-2021-{27218,27219})

Summary: <dev-libs/glib-2.66.7: Integer overflow (CVE-2021-{27218,27219})

Status:	RESOLVED FIXED

Alias:	CVE-2021-27218, CVE-2021-27219, GHSL-2021-045

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://gitlab.gnome.org/GNOME/glib/-...
Whiteboard:	A3 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2021-02-05 03:54 UTC by Sam James
Modified:	2021-07-07 08:05 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-02-05 03:54:38 UTC

Description:
"The function g_bytes_new has an integer overflow due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to a memory corruption vulnerability."

leio's noticed some possible regressions in gnome-shell, gnome-keyring. See https://gitlab.gnome.org/GNOME/glib/-/issues/2305. So let's not rush to jump on 2.66.6 yet.

Comment 1 Larry the Git Cow gentoo-dev

2021-02-14 11:30:59 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a1b64b25d3122534c974ce85a0319645a4a7fb86

commit a1b64b25d3122534c974ce85a0319645a4a7fb86
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2021-02-14 11:28:18 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2021-02-14 11:30:41 +0000

    dev-libs/glib: security bump to 2.66.7
    
    Bug: https://bugs.gentoo.org/768753
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 dev-libs/glib/Manifest           |   1 +
 dev-libs/glib/glib-2.66.7.ebuild | 290 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 291 insertions(+)

Comment 2 John Helmert III archtester

2021-02-14 18:48:39 UTC

Alright, please stabilize when ready.

Comment 3 NATTkA bot gentoo-dev

2021-02-14 18:52:57 UTC Comment hidden (obsolete)

Sanity check failed:

> dev-libs/glib-2.66.7
>   bdepend amd64 dev profile default/linux/amd64/17.0/x32 (39 total)
>     >=dev-util/gtk-doc-1.33
>   bdepend amd64 stable profile default/linux/amd64/17.1 (65 total)
>     >=dev-util/gtk-doc-1.33
>   depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     >=dev-util/sysprof-capture-3.38:4[abi_x86_32(-),abi_x86_64(-),abi_x86_x32(-)]
>   depend amd64 stable profile default/linux/amd64/17.1 (11 total)
>     >=dev-util/sysprof-capture-3.38:4[abi_x86_32(-),abi_x86_64(-)]
>   depend amd64 dev profile default/linux/amd64/17.1/desktop/systemd (1 total)
>     >=dev-util/sysprof-capture-3.38:4[abi_x86_32(-),abi_x86_64(-)]
>   depend amd64 stable profile default/linux/amd64/17.1/no-multilib (3 total)
>     >=dev-util/sysprof-capture-3.38:4[abi_x86_64(-)]
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     >=dev-util/sysprof-capture-3.38:4[abi_x86_32(-),abi_x86_64(-),abi_x86_x32(-)]
>   rdepend amd64 stable profile default/linux/amd64/17.1 (11 total)
>     >=dev-util/sysprof-capture-3.38:4[abi_x86_32(-),abi_x86_64(-)]
>   rdepend amd64 dev profile default/linux/amd64/17.1/desktop/systemd (1 total)
>     >=dev-util/sysprof-capture-3.38:4[abi_x86_32(-),abi_x86_64(-)]
>   rdepend amd64 stable profile default/linux/amd64/17.1/no-multilib (3 total)
>     >=dev-util/sysprof-capture-3.38:4[abi_x86_64(-)]
>   depend x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-util/sysprof-capture-3.38:4[abi_x86_32(-)]
>   rdepend x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-util/sysprof-capture-3.38:4[abi_x86_32(-)]

Comment 4 NATTkA bot gentoo-dev

2021-02-14 21:13:45 UTC Comment hidden (obsolete)

Sanity check failed:

> dev-util/gtk-doc-1.33.1-r4
>   depend arm stable profile default/linux/arm/17.0 (32 total)
>     dev-python/parameterized[python_targets_python3_7(-)]
>     dev-python/parameterized[python_targets_python3_8(-)]
>     dev-python/parameterized[python_targets_python3_9(-)]
>   depend arm dev profile default/linux/arm/17.0/armv4 (37 total)
>     dev-python/parameterized[python_targets_python3_7(-)]
>     dev-python/parameterized[python_targets_python3_8(-)]
>     dev-python/parameterized[python_targets_python3_9(-)]

Comment 5 NATTkA bot gentoo-dev

2021-02-14 21:37:47 UTC

All sanity-check issues have been resolved

Comment 6 John Helmert III archtester

2021-02-15 20:58:07 UTC

CVE-2021-27218 was assigned for this (the upstream issue title seems wrong).

Comment 7 John Helmert III archtester

2021-02-15 22:13:12 UTC

(In reply to John Helmert III (ajak) from comment #6)
> CVE-2021-27218 was assigned for this (the upstream issue title seems wrong).

Well, maybe not wrong, but both CVEs are similar and appear to be covered by the stabilization in this bug.

Comment 8 Sam James archtester

2021-02-16 19:20:51 UTC

arm done

Comment 9 Rolf Eike Beer archtester

2021-02-16 20:14:34 UTC

sparc stable

Comment 10 Sam James archtester

2021-02-17 01:00:10 UTC

ppc64 done

Comment 11 Sam James archtester

2021-02-17 13:53:59 UTC

arm64 done

Comment 12 Sam James archtester

2021-02-17 14:21:28 UTC

x86 done

Comment 13 Rolf Eike Beer archtester

2021-02-17 15:54:04 UTC

hppa stable

Comment 14 Sam James archtester

2021-02-17 18:41:17 UTC

amd64 done

Comment 15 Sam James archtester

2021-02-17 18:42:05 UTC

amd64 done

Comment 16 Sam James archtester

2021-02-18 07:29:37 UTC

s390 done

Comment 17 Sam James archtester

2021-02-18 08:27:39 UTC

ppc done

all arches done

Comment 18 Larry the Git Cow gentoo-dev

2021-02-18 22:19:42 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61eae93378aeff7997d41ea3b9e4bdc09aa119b2

commit 61eae93378aeff7997d41ea3b9e4bdc09aa119b2
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2021-02-18 22:16:57 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2021-02-18 22:19:09 +0000

    dev-libs/glib: security cleanup
    
    Bug: https://bugs.gentoo.org/768753
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 dev-libs/glib/Manifest           |   5 -
 dev-libs/glib/glib-2.62.6.ebuild | 267 -----------------------------------
 dev-libs/glib/glib-2.64.5.ebuild | 281 -------------------------------------
 dev-libs/glib/glib-2.66.2.ebuild | 283 --------------------------------------
 dev-libs/glib/glib-2.66.3.ebuild | 283 --------------------------------------
 dev-libs/glib/glib-2.66.4.ebuild | 290 ---------------------------------------
 6 files changed, 1409 deletions(-)

Comment 19 John Helmert III archtester

2021-02-19 01:37:50 UTC

Thanks leio!

Comment 20 Thomas Deutschmann (RETIRED) gentoo-dev

2021-05-24 01:50:22 UTC

New GLSA request filed.

Comment 21 GLSAMaker/CVETool Bot gentoo-dev

2021-07-07 08:05:47 UTC

This issue was resolved and addressed in
 GLSA 202107-13 at https://security.gentoo.org/glsa/202107-13
by GLSA coordinator Sam James (sam_c).