Ubuntu has issued an advisory on September 19: https://usn.ubuntu.com/3767-1/
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
CC: (none) => cjw, guillomovitch, marja11, smelror
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference. (CVE-2018-16428)

GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str(). (CVE-2018-16429)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16428
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16429
https://usn.ubuntu.com/3767-1/
========================

Updated packages in core/updates_testing:
========================
glib2.0-common-2.54.3-1.2.mga6
lib(64)glib2.0_0-2.54.3-1.2.mga6
lib(64)gio2.0_0-2.54.3-1.2.mga6
lib(64)glib2.0-devel-2.54.3-1.2.mga6
lib(64)glib2.0-static-devel-2.54.3-1.2.mga6
glib-gettextize-2.54.3-1.2.mga6

from SRPMS:
glib2.0-2.54.3-1.2.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2018-16428, CVE-2018-16429
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Mageia 6, x86_64

Before update
-------------

CVE-2018-16428
https://gitlab.gnome.org/GNOME/glib/issues/1364
This test is supposed to reproduce the bug and leads to a segfault.

$ gcc -g -o test current_element.c `pkg-config --cflags --libs glib-2.0`
$ ./test
Segmentation fault (core dumped)

CVE-2018-16429
Out of bounds read.
https://gitlab.gnome.org/GNOME/glib/issues/1361

$ gcc -g -o test2 test2.c `pkg-config --cflags --libs glib-2.0`
$ gcc -g -o test2 test.c `pkg-config --cflags --libs glib-2.0`
$ ./test2 input
Error: (null)

Installed libasan2 and tried to compile - seemed to work.
$ gcc -g -O0 -Llibasan2 -fomit-frame-pointer -o test3 test2.c `pkg-config --cflags --libs glib-2.0`
The output was the same as with test2.

No illumination from valgrind either.
$ valgrind ./test3 input
[...]
Error: Error on line 1 char 16: Odd character '������', expected a '>' character to end the empty-element tag '<������������'
[...]

Updated cleanly.

Afterwards
----------

Recompiled test programs.
$ ./test
$
Which is good.

$ ./test2 input
Error: (null)
Which is not - implies something wrong with my implementation and/or interpretation of the test.

$ hexdump input
0000000 3c3c d0d0 d0d0 d0d0 d0d0 d0d0 d0d0 f72f
0000010

Maybe this can be passed on the basis that one CVE is fixed, and take the other on faith (as we do).

$ urpmq --whatrequires lib64glib2.0_0 | sort -u | wc -l
2210

Running strace picks up glib20 when atril and caja are run.
open("/usr/share/locale/en_GB.UTF-8/LC_MESSAGES/glib20.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

Calibre also:
open("/lib64/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 6
open("/usr/lib64/libdbus-glib-1.so.2.3.3", O_RDONLY) = 6
open("/usr/share/glib-2.0/schemas/gschemas.compiled", O_RDONLY) = 37

glib2 turns up everywhere; the fact that the test scripts still compile shall have to be sufficient vindication of the package.
CC: (none) => tarazed25
Created attachment 10406
Test script for CVE-2018-16428
Created attachment 10407
Test script for CVE-2018-16429
$ gcc -g -o test2 test2.c `pkg-config --cflags --libs glib-2.0`
Created attachment 10408
Input data for test2.c
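The advisory describes CVE-2018-16429 as an out-of-bounds read in g_markup_parse_context_parse() related to utf8_str(), and the hexdump of `input` above shows the file as 16-bit little-endian words, so its bytes are "<<", twelve 0xd0 bytes, "/" and a final lone 0xf7 (the word f72f is the bytes 2f f7). A lead byte with the 4-byte pattern sitting as the very last byte of a buffer is the classic trigger for a decoder that trusts the lead byte and reads the continuation bytes without checking how much input is left. The program below is an added example, not code from the attachments, from GLib or from the QA tester: it is a small stand-alone model of that bug class, with an unbounded decode next to a length-checked one, run over an input constructed to match the hexdump. The decoder functions and their names are illustrative and are not GLib's utf8_str(); they only reproduce the shape of the problem (no byte budget) and of the fix (a remaining-bytes parameter).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed input modelled on the hexdump in the QA comment above:
 * "<<", twelve 0xd0 bytes, "/", then a lone 0xf7. The three trailing zero
 * bytes are padding that is NOT part of the logical input; they exist only
 * so that demonstrating the over-read stays inside a real array. */
static const unsigned char INPUT[] = {
    '<', '<',
    0xd0, 0xd0, 0xd0, 0xd0, 0xd0, 0xd0, 0xd0, 0xd0, 0xd0, 0xd0, 0xd0, 0xd0,
    '/', 0xf7,
    0x00, 0x00, 0x00 /* padding, see above */
};
static const size_t INPUT_LEN = 16;

/* Sequence length implied by a UTF-8 lead byte; 0 for a continuation byte or
 * an invalid lead byte. 0xf5..0xf7 are outside RFC 3629 but carry the 4-byte
 * bit pattern, which is exactly what a lax decoder trusts. */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80)           return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Unbounded decode (the bug shape): no byte budget, so a multi-byte lead at
 * the end of the buffer makes it read continuation bytes that are not there.
 * Returns the number of bytes it consumed, i.e. read. */
static size_t decode_unbounded(const unsigned char *p, uint32_t *cp)
{
    size_t n = utf8_seq_len(p[0]);
    if (n == 0) { *cp = 0xFFFD; return 1; }
    uint32_t c = (n == 1) ? p[0] : (uint32_t)(p[0] & (0x7F >> n));
    for (size_t i = 1; i < n; i++)
        c = (c << 6) | (p[i] & 0x3F);
    *cp = c;
    return n;
}

/* Bounded decode (the fix shape): same decode with a remaining-bytes budget
 * and continuation-byte checks. Returns 0 and U+FFFD for a truncated or
 * malformed sequence instead of reading past `remaining`. */
static size_t decode_bounded(const unsigned char *p, size_t remaining, uint32_t *cp)
{
    *cp = 0xFFFD;
    if (remaining == 0) return 0;
    size_t n = utf8_seq_len(p[0]);
    if (n == 0 || n > remaining) return 0;
    for (size_t i = 1; i < n; i++)
        if ((p[i] & 0xC0) != 0x80) return 0;
    uint32_t c = (n == 1) ? p[0] : (uint32_t)(p[0] & (0x7F >> n));
    for (size_t i = 1; i < n; i++)
        c = (c << 6) | (p[i] & 0x3F);
    *cp = c;
    return n;
}

/* Walk `len` bytes with the unbounded decoder and report how many bytes past
 * the end of the logical input it read. The caller must guarantee that many
 * bytes of padding really exist after buf[len - 1]. */
size_t scan_unbounded_overrun(const unsigned char *buf, size_t len)
{
    size_t pos = 0, overrun = 0;
    while (pos < len) {
        uint32_t cp;
        size_t n = decode_unbounded(buf + pos, &cp);
        if (pos + n > len)
            overrun = pos + n - len;   /* this decode read beyond len */
        pos += n;
    }
    return overrun;
}

/* Walk `len` bytes with the bounded decoder; a rejected byte is skipped one
 * byte at a time, so the scan can never run past len. Returns how many
 * sequences were rejected as malformed or truncated. */
size_t scan_bounded_invalid(const unsigned char *buf, size_t len)
{
    size_t pos = 0, invalid = 0;
    while (pos < len) {
        uint32_t cp;
        size_t n = decode_bounded(buf + pos, len - pos, &cp);
        if (n == 0) { invalid++; n = 1; }
        pos += n;
    }
    return invalid;
}

int main(void)
{
    printf("unbounded decoder read %zu byte(s) past the 16-byte input\n",
           scan_unbounded_overrun(INPUT, INPUT_LEN));
    printf("bounded decoder rejected %zu sequence(s) and read 0 bytes past it\n",
           scan_bounded_invalid(INPUT, INPUT_LEN));
    return 0;
}
```

On the constructed input the unbounded walk reads three bytes beyond the end (the 0xf7 lead promises a 4-byte sequence with one byte left), while the bounded walk rejects the twelve 0xd0 bytes and the final 0xf7 and stays inside the buffer. In a real program the over-read lands in whatever follows the buffer, which is why it may print garbage or nothing rather than crash; building with -fsanitize=address (the flag that instruments loads and stores, where -L alone only adds a library search path) makes such a read fail loudly at runtime.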
Whiteboard: (none) => MGA6-64-OK
Validating. Suggested advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0405.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED