| Summary: | dev-libs/glib: g_socket_client_connected_callback in gio/gsocketclient.c allows to cause denial of service | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | normal | CC: | gnome |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1687805 | ||
| Whiteboard: | A3 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
Sorry, what bump? Is 2.56 or 2.58 even affected when it cites regressions from Happy Eyeballs work, which mostly happened in 2.59 I'd be inclined to close this as INVALID. Not in the tree and it is in development still. |
From ${URL} : gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany). Upstream patch: https://gitlab.gnome.org/GNOME/glib/commit/d553d92d6e9f53cbe5a34166fcb919ba652c6a8e Upstream issue: https://gitlab.gnome.org/GNOME/glib/issues/1649 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.