| Summary: | glib2.0 new security issues CVE-2018-16428 and CVE-2018-16429 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, cjw, guillomovitch, marja11, nicolas.salguero, smelror, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | glib2.0-2.54.3-1.1.mga6.src.rpm | CVE: | CVE-2018-16428, CVE-2018-16429 |
| Status comment: | | | |
| Attachments: | Test script for CVE-2018-16428; Test script for CVE-2018-16429; Input data for test2.c | | |
Description

David Walser
2018-10-10 00:33:07 CEST

Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.

CC: (none) => cjw, guillomovitch, marja11, smelror

---

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference. (CVE-2018-16428)

GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str(). (CVE-2018-16429)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16428
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16429
https://usn.ubuntu.com/3767-1/
========================

Updated packages in core/updates_testing:
========================
glib2.0-common-2.54.3-1.2.mga6
lib(64)glib2.0_0-2.54.3-1.2.mga6
lib(64)gio2.0_0-2.54.3-1.2.mga6
lib(64)glib2.0-devel-2.54.3-1.2.mga6
lib(64)glib2.0-static-devel-2.54.3-1.2.mga6
glib-gettextize-2.54.3-1.2.mga6

from SRPMS:
glib2.0-2.54.3-1.2.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs

---

Mageia 6, x86_64

Before update
-------------

CVE-2018-16428
https://gitlab.gnome.org/GNOME/glib/issues/1364
This test is supposed to reproduce the bug and leads to a segfault.
$ gcc -g -o test current_element.c `pkg-config --cflags --libs glib-2.0`
$ ./test
Segmentation fault (core dumped)

CVE-2018-16429
Out of bounds read.
https://gitlab.gnome.org/GNOME/glib/issues/1361
$ gcc -g -o test2 test2.c `pkg-config --cflags --libs glib-2.0`
$ gcc -g -o test2 test.c `pkg-config --cflags --libs glib-2.0`
$ ./test2 input
Error: (null)

Installed libasan2 and tried to compile - seemed to work.
$ gcc -g -O0 -Llibasan2 -fomit-frame-pointer -o test3 test2.c `pkg-config --cflags --libs glib-2.0`
The output was the same as with test2.
No illumination from valgrind either.
$ valgrind ./test3 input
[...]
Error: Error on line 1 char 16: Odd character '������', expected a '>' character to end the empty-element tag '<������������'
[...]

Updated cleanly.

Afterwards
----------
Recompiled test programs.
$ ./test
$
Which is good.
$ ./test2 input
Error: (null)
Which is not - implies something wrong with my implementation and/or interpretation of the test.
$ hexdump input
0000000 3c3c d0d0 d0d0 d0d0 d0d0 d0d0 d0d0 f72f
0000010

Maybe this can be passed on the basis that one CVE is fixed, and take the other on faith (as we do).

$ urpmq --whatrequires lib64glib2.0_0 | sort -u | wc -l
2210

Running strace picks up glib20 when atril and caja are run.
open("/usr/share/locale/en_GB.UTF-8/LC_MESSAGES/glib20.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
Calibre also:
open("/lib64/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 6
open("/usr/lib64/libdbus-glib-1.so.2.3.3", O_RDONLY) = 6
open("/usr/share/glib-2.0/schemas/gschemas.compiled", O_RDONLY) = 37

glib2 turns up everywhere; the fact that the test scripts still compile shall have to be sufficient vindication of the package.

CC: (none) => tarazed25

---

Created attachment 10406
Test script for CVE-2018-16428

---

Created attachment 10407
Test script for CVE-2018-16429
$ gcc -g -o test2 test2.c `pkg-config --cflags --libs glib-2.0`

---

Created attachment 10408
Input data for test2.c
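The `hexdump input` output in the test comment above decodes to "<<", twelve 0xD0 bytes, "/" and a trailing 0xF7: every high byte is a UTF-8 lead byte with no valid continuation, and the last one has no bytes left after it at all, which is consistent with the valgrind "Odd character" output. The bounded scanner below is an added example written for this page, not the attached test script and not GLib's gmarkup.c or utf8_str(); it shows the check a caller can run on untrusted markup before parsing, assuming (as the CVE text about utf8_str() suggests) that the risky case is a multi-byte sequence that runs off the end of the buffer. Because every read is bounded by the declared length, that case is reported as truncated instead of being read past the end.

```c
#include <stddef.h>
#include <stdio.h>

/* Result codes returned by scan_utf8(). */
enum { UTF8_OK = 0, UTF8_MALFORMED = 1, UTF8_TRUNCATED = 2 };

/* Bytes a UTF-8 sequence occupies, judged from its lead byte alone;
 * 0 means the byte cannot start a sequence. */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Walk buf[0..len) and stop at the first bad sequence. Every access is
 * bounded by len: a lead byte whose continuation bytes would lie beyond
 * the buffer is reported as UTF8_TRUNCATED rather than read past the end.
 * *bad_off receives the offset of the offending lead byte (len if clean). */
int scan_utf8(const unsigned char *buf, size_t len, size_t *bad_off)
{
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_seq_len(buf[i]);
        if (n == 0) { *bad_off = i; return UTF8_MALFORMED; }
        if (n > len - i) { *bad_off = i; return UTF8_TRUNCATED; }
        for (size_t k = 1; k < n; k++)
            if ((buf[i + k] & 0xC0) != 0x80) { *bad_off = i; return UTF8_MALFORMED; }
        i += n;
    }
    *bad_off = len;
    return UTF8_OK;
}

/* Constructed sample reproducing the 16 bytes `hexdump input` shows in the
 * bug report: "<<", twelve 0xD0 bytes, '/', 0xF7. */
const unsigned char sample_input[16] = {
    '<', '<', 0xD0, 0xD0, 0xD0, 0xD0, 0xD0, 0xD0,
    0xD0, 0xD0, 0xD0, 0xD0, 0xD0, 0xD0, '/', 0xF7
};

int main(void)
{
    size_t off;
    int rc = scan_utf8(sample_input, sizeof sample_input, &off);
    printf("scan result %d at offset %zu\n", rc, off); /* prints 1 at offset 2 */
    return rc == UTF8_OK ? 0 : 1;
}
```

Scanning only the last two bytes ("/" followed by 0xF7) returns UTF8_TRUNCATED, the case an unbounded reader would turn into an over-read.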
Len Lawrence
2018-10-18 20:53:02 CEST
Whiteboard: (none) => MGA6-64-OK

Validating. Suggested advisory in Comment 2.

Keywords: (none) => validated_update
Thomas Backlund
2018-10-19 18:16:24 CEST
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0405.html

Status: ASSIGNED => RESOLVED