Your message dated Sun, 17 Nov 2024 11:02:59 +0000
with message-id <[email protected]>
and subject line Bug#1087419: fixed in glib2.0 2.74.6-2+deb12u5
has caused the Debian Bug report #1087419,
regarding CVE-2024-52533: glib2.0: Buffer overflow in gsocks4aproxy 
set_connect_msg()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1087419: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087419
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libglib2.0-0
Version: 2.74.6-2+deb12u4
Severity: important
Tags: bookworm security upstream
X-Debbugs-Cc: [email protected], [email protected]

https://security-tracker.debian.org/tracker/CVE-2024-52533
> gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one
> error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not
> sufficient for a trailing '\0' character.

This was fixed upstream in 2.82.1, so trixie is unaffected.

A mitigation is that the relevant code path is (presumably) only used when
a client system is configured to connect via a SOCKS4a proxy, which appear
to be sufficiently rare that upstream were not able to test the change
against a real proxy server.

Does the security team intend to do a DSA for this, or is this being left
until the next 12.x stable update?

I believe Debian 11 is also vulnerable; LTS team cc'd for visibility.

The security-tracker page says:
> check if has impact on embedded copy in src:gobject-introspection

The answer to that is: no, the embedded copy in src:gobject-introspection
is only there to satisfy a particularly completionist interpretation
of the requirement to include source code, and is not actually compiled
or used.

    smcv

--- End Message ---
--- Begin Message ---
Source: glib2.0
Source-Version: 2.74.6-2+deb12u5
Done: Simon McVittie <[email protected]>

We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated glib2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 14 Nov 2024 09:42:34 +0000
Source: glib2.0
Architecture: source
Version: 2.74.6-2+deb12u5
Distribution: bookworm
Urgency: medium
Maintainer: Debian GNOME Maintainers 
<[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1087419
Changes:
 glib2.0 (2.74.6-2+deb12u5) bookworm; urgency=medium
 .
   * d/p/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch:
     Fix a buffer overflow when configured to use a SOCKS4a proxy with a
     very long username (CVE-2024-52533, Closes: #1087419)
Checksums-Sha1:
 3672de222b691b9c3c2e1a9021c4fe4160cccaab 3726 glib2.0_2.74.6-2+deb12u5.dsc
 9fb5f057c8cef9f8b54bde7e5eae418bd6775c42 140168 
glib2.0_2.74.6-2+deb12u5.debian.tar.xz
 ec97be699af1eba7e653a62fbae8c92a0bac0af5 7432 
glib2.0_2.74.6-2+deb12u5_source.buildinfo
Checksums-Sha256:
 d0b354438f0d095980eb22399f0155ce7e7e9ebb697106778cf72b5b90e809f6 3726 
glib2.0_2.74.6-2+deb12u5.dsc
 307d0004b2b732bca1752604285b423f26277bcfff4b78e0084112eee221ffba 140168 
glib2.0_2.74.6-2+deb12u5.debian.tar.xz
 20535fa936e6ad4ef78d6dfe6f35728bf5fb9aad3d81d82beb0bab5e4dbdea9f 7432 
glib2.0_2.74.6-2+deb12u5_source.buildinfo
Files:
 d52112cbbdc06426bb8c302c1defe89e 3726 libs optional 
glib2.0_2.74.6-2+deb12u5.dsc
 6e65c410bfe1c0f63733f2236a6d56ac 140168 libs optional 
glib2.0_2.74.6-2+deb12u5.debian.tar.xz
 3665456c0a2c9f87987f2e87cc812c94 7432 libs optional 
glib2.0_2.74.6-2+deb12u5_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEegc60a5pT6Jb/2LlI1wJnT6zMHYFAmc5BtQACgkQI1wJnT6z
MHYz1w//bygjKxm2+hLSG/BXKsJlRLos0hsIBQwp8WY+hsdLDily4JfOB5UQr1aG
RlbL6rMWzTqN/JgkciBhxUDenNAptutjIRyjFJcAF+UQkcSZVJ+smi5ZRDvrLs4l
CVqnlBwKYk0QtaKzWwLkDzDQNO/fBATCFEqF0Npyg3Pd6k1P4IFCv+yk9UgmKTne
hB9cNOIrXOyD9PxCP7/4ozvgOlM3rCRM4Iaa6tFMLDn2n/maJ63QPt6IA8dC7/po
Z9h5/MrlrhDLN1VBWSUtxVZKGiOi4A0UKZer3pwZAIPx1AoJhLw2z5VAVl0L5MYR
Kl8u14mw6o2UJODZtaRtAzxLkZ8DcFEAJ5bNxOhfnJ57634p3pAAmZ3tVpSizBje
BAKGqgkFCVO119zqfpM93OEddRDreLrmuHOgd4qu53cLiamQ+FuzU7cnCuN80TuK
Xha90InE7G+COSSedzit98gsFve/S2QSHT2Gb4BapsUbY2WHGym9ZeL9mKeLUdDB
CYByNhd4VmwFAp35z+4CY4d4gLYG6t2wJiuyWxzYMqlgWlISgzlGI1wt2Gef+r16
bl9DznRW7THFxeoyHHHlBXdKnnvpoAc9PUHJ26+DPOce8smCcgA2ffZof70S0wcG
+sv9N9wSzT6JBMRE6RgUOlT/xFh546POTXAu0cC7X5sKNzINzHw=
=rixe
-----END PGP SIGNATURE-----

Attachment: pgpmxG5UtyFKi.pgp
Description: PGP signature


--- End Message ---

Reply via email to