Bug 33198

Summary:	glib2.0 new security issue CVE-2024-34397
Product:	Mageia	Reporter:	Nicolas Salguero <nicolas.salguero>
Component:	Security	Assignee:	Base system maintainers <basesystem>
Status:	NEW ---	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	geiger.david68210
Version:	9
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:
Source RPM:	glib2.0-2.80.0-2.mga10.src.rpm	CVE:	CVE-2024-34397
Status comment:	Patches available from Ubuntu and upstream

Description Nicolas Salguero 2024-05-13 14:14:14 CEST

https://ubuntu.com/security/notices/USN-6768-1

Comment 1 Nicolas Salguero 2024-05-13 14:16:49 CEST

That CVE was announced here:
https://www.openwall.com/lists/oss-security/2024/05/07/5

Ubuntu has issued an advisory on May 9:
https://ubuntu.com/security/notices/USN-6768-1

For Cauldron, the fix is: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4039

Mageia 9 is also affected.

Status comment: (none) => Patches available from Ubuntu and upstream
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => glib2.0-2.80.0-2.mga10.src.rpm
CVE: (none) => CVE-2024-34397

Comment 2 Nicolas Salguero 2024-05-13 14:18:03 CEST

It also requires a regression fix for gnome-shell: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/50a011a19dcc6997ea6173c07bb80b2d9888d363

Comment 3 Nicolas Salguero 2024-05-13 15:25:09 CEST

Fedora has issued advisories on May 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LCDY3KA7G7D3DRXYTT46K6LFHS2KHWBH/ (glib2.0)
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3Y4LSO325A6663GVVF6D3BTV5MRFBCI3/ (gnome-shell)

Comment 4 Lewis Smith 2024-05-16 21:33:55 CEST

See https://gitlab.gnome.org/GNOME/glib/-/issues/3268
Fixes
Fixing this vulnerability requires multiple changes to GLib:
Then follows a list of patch URLs:
    1e648b67 "gdbusprivate: Add symbolic constants for the message bus itself"
    8dfea560 "gdbusconnection: Move SignalData, SignalSubscriber higher up"
    816da605 "gdbusconnection: Factor out signal_data_new_take()"
    5d7ad689 "gdbusconnection: Factor out add_signal_data()"
    7d21b719 "gdbusconnection: Factor out remove_signal_data_if_unused"
    26a3fb85 "gdbusconnection: Stop storing sender_unique_name in SignalData"
    683b14b9 "gdbus: Track name owners for signal subscriptions"
    d4b65376 "gdbusconnection: Don't deliver signals if the sender doesn't match"
    7d65f6c5 "gdbusconnection: Allow name owners to have the syntax of a well-known name" (regression fix, see #3353 (closed); added in 2.80.2)

The bug fix commits 10e9a917 "gdbusmessage: Cache the arg0 value" and 7b15b1db "gdbus-proxy test: Wait before asserting name owner has gone away" are not required to fix the vulnerability, but applying them in addition is recommended. When applying the vulnerability fix without those commits, GLib test failures were observed.

When backporting to older stable release branches, a backport of g_set_str() will be required, for example 67052fed "gdbusconnection: Make a backport of g_set_str() available" in !4041 (closed).

Fixing this vulnerability will trigger a regression in GNOME Shell's implementation of screen recording and screencasting, due to a pre-existing GNOME Shell bug. Applying commit gnome-shell@50a011a1 "screencast: Correct expected bus name for streams" to GNOME Shell fixes that regression. In distributions that ship GNOME Shell, it is recommended to make that change as part of the same security update that fixes the GLib vulnerability.
---
I hope that is all...

Assignee: bugsquad => basesystem

Comment 5 Nicolas Salguero 2024-05-31 10:15:12 CEST

SUSE has issued an advisory on May 29:
https://lwn.net/Articles/975988/

Comment 6 David GEIGER 2024-06-15 11:35:27 CEST

Cauldron was fixed with glib2.0-2.80.3-1.mga10.src.rpm!

Version: Cauldron => 9
CC: (none) => geiger.david68210
Whiteboard: MGA9TOO => (none)