Bug 28520 - glib2.0 new security issues fixed upstream in 2.66.8 (including CVE-2021-2721[89] and CVE-2021-28153)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All, OS: Linux
Priority: Normal, Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on: 28612
Blocks:
Reported: 2021-03-04 14:51 CET by Aurelien Oudelet
Modified: 2021-07-09 00:44 CEST
CC: 5 users

See Also:
Source RPM: glib2.0-2.60.2-1.4.mga7.src.rpm
CVE: CVE-2021-2721[89] and CVE-2021-28153
Status comment:


Description Aurelien Oudelet 2021-03-04 14:51:04 CET
+++ This bug was initially created as a clone of Bug #28392 +++

Fedora has issued an advisory on February 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RKZC2OMFCXQTQDGIDS4JBWOWNQUAAOV2/

The update has already been in SVN but freeze pushes were ignored.

Mageia 8 is therefore affected.  Mageia 7 may be as well.

Additionally, an issue fixed in 2.63.6 is discussed in this thread:
https://www.openwall.com/lists/oss-security/2021/02/09/4

From tmb Comment on Bug 28392:
> yep, I will run it for some days on my mga8 systems here to see if anything
> breaks... seems debian got some trouble with at least gnome-keyring and
> dbus-x11... so we need to verify that those are not affected for us...

> As for mga7 I'm not sure yet if we should try to fix all of these "security
> issues" as they essentially change a "valid" api to behave differently as part
> of locking down stuff for theoretical exploits...

> mga7 has glib2.0 2.60 and mingw-glib2 2.58, so it can turn out to be "fun" to
> backport all the fixes... and since our other packages in mga7 are old...
> chances for them hitting more issues are bigger than mga8 that is somewhat up to date...
Aurelien Oudelet 2021-03-04 15:11:10 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=28392

David Walser 2021-03-18 20:59:56 CET

Depends on: (none) => 28612
CC: (none) => tmb
Summary: glib2.0 new security issues fixed upstream in 2.66.6 => glib2.0 new security issues fixed upstream in 2.66.8 (including CVE-2021-28153)

Comment 1 David Walser 2021-05-28 20:15:45 CEST
CVE-2021-27218, CVE-2021-27219 are part of the initial report:
https://ubuntu.com/security/notices/USN-4759-1
https://ubuntu.com/security/notices/USN-4764-1

Summary: glib2.0 new security issues fixed upstream in 2.66.8 (including CVE-2021-28153) => glib2.0 new security issues fixed upstream in 2.66.8 (including CVE-2021-2721[89] and CVE-2021-28153)

Comment 2 David Walser 2021-05-30 21:17:33 CEST
(In reply to David Walser from comment #1)
> CVE-2021-27218, CVE-2021-27219 are part of the initial report:
> https://ubuntu.com/security/notices/USN-4759-1
> https://ubuntu.com/security/notices/USN-4764-1

openSUSE has issued an advisory for those ones on March 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CEADQWIHFVNLBWNNAJUQIPQTZZU5U5A4/
Comment 3 David Walser 2021-06-01 15:45:00 CEST
(In reply to David Walser from comment #2)
> (In reply to David Walser from comment #1)
> > CVE-2021-27218, CVE-2021-27219 are part of the initial report:
> > https://ubuntu.com/security/notices/USN-4759-1
> > https://ubuntu.com/security/notices/USN-4764-1
> 
> openSUSE has issued an advisory for those ones on March 14:
> https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CEADQWIHFVNLBWNNAJUQIPQTZZU5U5A4/

Actually that advisory covered both of those.

RedHat has issued an advisory on May 31 for one of them:
https://access.redhat.com/errata/RHSA-2021:2147
Comment 4 David Walser 2021-06-01 22:07:31 CEST
and another one today (June 1):
https://access.redhat.com/errata/RHSA-2021:2170

CC: (none) => luigiwalser

Comment 5 David Walser 2021-06-28 16:19:50 CEST
Advisory:
========================

Updated glib2.0 packages fix security vulnerabilities:

Krzesimir Nowak discovered that GLib incorrectly handled certain large
buffers. A remote attacker could use this issue to cause applications linked
to GLib to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2021-27218).

Kevin Backhouse discovered that GLib incorrectly handled certain memory
allocations. A remote attacker could use this issue to cause applications
linked to GLib to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2021-27219).

It was discovered that GLib incorrectly handled certain symlinks when
replacing files. If a user or automated system were tricked into extracting a
specially crafted file with File Roller, a remote attacker could possibly
create files outside of the intended directory (CVE-2021-28153).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28153
https://ubuntu.com/security/notices/USN-4759-1
https://ubuntu.com/security/notices/USN-4764-1
========================

Updated packages in core/updates_testing:
========================
glib2.0-common-2.60.2-1.5.mga7
libglib2.0_0-2.60.2-1.5.mga7
libgio2.0_0-2.60.2-1.5.mga7
libglib2.0-devel-2.60.2-1.5.mga7
libglib2.0-static-devel-2.60.2-1.5.mga7
glib-gettextize-2.60.2-1.5.mga7

from glib2.0-2.60.2-1.5.mga7.src.rpm

Assignee: olav => qa-bugs
Severity: normal => major

Comment 6 David Walser 2021-06-30 23:37:39 CEST
Tested PoC for CVE-2021-27219 from here:
https://gitlab.gnome.org/GNOME/glib/-/issues/2319

Before:
$ ./polkithelperabort $USER
username: $USER
password: 
total sent = 0
total sent = 10000000
total sent = 20000000
total sent = 30000000
total sent = 40000000
total sent = 50000000
total sent = 60000000
total sent = 70000000
total sent = 80000000
total sent = 90000000
total sent = a0000000
total sent = b0000000
total sent = c0000000
total sent = d0000000
total sent = e0000000
total sent = f0000000
PAM_PROMPT_ECHO_OFF Password: 
**
GLib-GIO:ERROR:../gio/gdbusmessage.c:2350:append_value_to_blob: assertion failed: (g_utf8_validate (v, -1, &end) && (end == v + len))

After:
$ ./polkithelperabort $USER
username: $USER
password: 
total sent = 0
total sent = 10000000
total sent = 20000000
total sent = 30000000
total sent = 40000000
total sent = 50000000
total sent = 60000000
total sent = 70000000
total sent = 80000000
total sent = 90000000
total sent = a0000000
total sent = b0000000
total sent = c0000000
total sent = d0000000
total sent = e0000000
total sent = f0000000
PAM_PROMPT_ECHO_OFF Password:

takes a while to finish and uses a LOT of memory, but no assertion failure, so it shows the issue is fixed.

This is supposed to be a PoC for CVE-2021-28153:
https://gitlab.gnome.org/GNOME/glib/-/issues/2325#note_1032763

But if I save that as poc2.c and compile that:
gcc poc2.c -o poc2 $(pkg-config --cflags --libs glib-2.0 gobject-2.0 gio-2.0)

and run it:
$ ./poc2
**
ERROR:poc2.c:34:main: 'g_file_test (TARGET, G_FILE_TEST_EXISTS)' should be FALSE
Aborted (core dumped)

and the empty file bar exists, which, as I understand it, it shouldn't, both before and after the update. Also, one of the patches includes a test case for this issue, and I got the package build (locally) to run the test suite, but I don't see the replace-symlink test getting run (on either mga7 or mga8), so I'm not sure what to make of this one.

Could someone run the poc2 on Mageia 8 and tell us if it fails there as it did above?  If it fails there, then probably the upstream fix didn't work or the PoC is wrong, but if it passes there then the Mageia 7 fix didn't work.

Also, this mentions a regression with geeqie from the initial upstream fixes for the first two CVEs:
https://gitlab.gnome.org/GNOME/glib/-/issues/2323

but geeqie runs fine before and after the update.  So, we should be able to pass this update on, it's just a matter of determining the status of CVE-2021-28153.
Comment 7 Len Lawrence 2021-07-01 01:34:09 CEST
@David
I am on holiday right now, running mga8 on a netbook. If nobody else does it I shall try the poc later today - need to recharge.

CC: (none) => tarazed25

Comment 8 Len Lawrence 2021-07-01 08:58:39 CEST
Downloaded the C code for poc2 and compiled according to recipe in comment 6.
$ ./poc2
$ ls bar
ls: cannot access 'bar': No such file or directory

Looks OK for mga8.
lib64glib2.0-devel-2.66.8-1.mga8
lib64glib2.0_0-2.66.8-1.mga8
lib64glib2.0-static-devel-2.66.8-1.mga8
glib2.0-common-2.66.8-1.mga8
glib-gettextize-2.66.8-1.mga8

HTH
Comment 9 Len Lawrence 2021-07-01 09:09:29 CEST
Also, geeqie works fine here in mga8, at last.  For the last 12 months it had not been working properly in mga7 and initially in mga8.  The symptom was a rapid slow-down in rendering of successive images. I gave up using it but now it appears to be OK for mga8.
Comment 10 David Walser 2021-07-01 13:22:56 CEST
I forgot to say that foo and bar show up in /tmp, so check there.
Comment 11 Len Lawrence 2021-07-01 16:55:12 CEST
No sign of bar in /tmp but there is a foo with a timestamp for the period of testing.  Deleted foo and ran poc2 again - no bar but /tmp/foo reappears.
Comment 12 Len Lawrence 2021-07-01 16:57:38 CEST
/tmp/foo is an ordinary file, 4 bytes in size.
Comment 13 David Walser 2021-07-01 17:04:11 CEST
OK, perhaps someone can confirm my failure on Mageia 7 then.  If so, advisory is as follows.

Advisory:
========================

Updated glib2.0 packages fix security vulnerabilities:

Krzesimir Nowak discovered that GLib incorrectly handled certain large
buffers. A remote attacker could use this issue to cause applications linked
to GLib to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2021-27218).

Kevin Backhouse discovered that GLib incorrectly handled certain memory
allocations. A remote attacker could use this issue to cause applications
linked to GLib to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2021-27219).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27219
https://ubuntu.com/security/notices/USN-4759-1

Whiteboard: (none) => MGA7-64-OK

Comment 14 Len Lawrence 2021-07-01 21:29:00 CEST
I could try to confirm it for mga7 when I get back but that would be a week after EOS.
Comment 15 Aurelien Oudelet 2021-07-01 21:31:20 CEST
(In reply to Len Lawrence from comment #14)
> I could try to confirm it for mga7 when I get back but that would be a week
> after EOS.

You can, we will push already pending updates. Not new updates.
Comment 16 Dave Hodgins 2021-07-06 00:23:45 CEST
With the update installed, I get ...
[dave@x3 tmp]$ strace -f -s 512 -ostrace.txt ./poc2
[dave@x3 tmp]$ grep /tmp strace.txt 
6505  unlink("/tmp/foo")                = -1 ENOENT (No such file or directory)
6505  unlink("/tmp/bar")                = -1 ENOENT (No such file or directory)
6505  connect(5, {sa_family=AF_UNIX, sun_path=@"/tmp/dbus-tRaZBigWXM"}, 23) = 0
6505  symlink("/tmp/bar", "/tmp/foo" <unfinished ...>
6505  lstat("/tmp/foo",  <unfinished ...>
6505  openat(AT_FDCWD, "/tmp/foo", O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, 0666 <unfinished ...>
6505  openat(AT_FDCWD, "/tmp/foo", O_WRONLY|O_CREAT|O_NOFOLLOW, 0666 <unfinished ...>
6505  lstat("/tmp/foo",  <unfinished ...>
6505  openat(AT_FDCWD, "/tmp/.goutputstream-PT0450", O_WRONLY|O_CREAT|O_EXCL, 0666) = 7
6505  rename("/tmp/.goutputstream-PT0450", "/tmp/foo") = 0
6505  stat("/tmp/foo", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
6505  access("/tmp/bar", F_OK)          = -1 ENOENT (No such file or directory)

And the file foo exists after running the poc2. No error message or abort.

I'm not clear from the code whether that's the desired output or not.

CC: (none) => davidwhodgins

Comment 17 David Walser 2021-07-06 00:26:22 CEST
If /tmp/bar doesn't exist, that's what is desired, and we can use the full advisory from Comment 5.
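The strace in Comment 16 shows what the fixed GLib does when the destination is a dangling symlink: it lstat()s foo, tries O_EXCL and O_NOFOLLOW opens that cannot go through the link, then writes a temporary file and rename()s it over foo, so bar is never created. The following is an added illustration of that contrast in plain C, not code from this bug, from the PoC or from GLib: the pre-fix pattern (a plain O_CREAT open that follows the link) beside the post-fix pattern (temp file plus rename), with a scratch-directory harness that builds the PoC's foo -> bar layout under /tmp and reports whether bar appeared.

```c
/* Added example, not from this bug or from GLib: the pre-fix vs post-fix
 * file-replace patterns seen in the strace, in plain C without GLib. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pre-fix pattern: a plain O_CREAT open follows the symlink at `path`, so a
 * dangling link foo -> bar makes the kernel create bar (the unwanted file). */
int replace_following_symlinks(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Post-fix pattern (what the strace shows): never open the destination
 * through a symlink. Write a sibling temp file created O_CREAT|O_EXCL
 * (mkstemp) and rename() it over `path`; rename replaces the symlink
 * entry itself, so the link target is never touched. */
int replace_without_following(const char *path, const char *data)
{
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    if (n < 0 || rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Harness: scratch dir with a dangling symlink foo -> bar (the PoC's layout),
 * run one replace routine, then report whether bar got created.
 * Returns 1 if bar exists afterwards, 0 if not, -1 on setup error. */
int target_created_by(int (*replace)(const char *, const char *))
{
    char dir[] = "/tmp/glibchkXXXXXX", foo[4200], bar[4200];
    if (!mkdtemp(dir)) return -1;
    snprintf(foo, sizeof foo, "%s/foo", dir);
    snprintf(bar, sizeof bar, "%s/bar", dir);
    if (symlink(bar, foo) != 0) return -1;
    replace(foo, "abc\n");
    int created = access(bar, F_OK) == 0;
    unlink(bar); unlink(foo); rmdir(dir);
    return created;
}
```

With the harness, `target_created_by(replace_following_symlinks)` returns 1 (bar created through the link) and `target_created_by(replace_without_following)` returns 0, which is the outcome Comments 8, 16 and 17 describe for the fixed package.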
Comment 18 Dave Hodgins 2021-07-06 03:29:43 CEST
Thanks. Validating the update.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Aurelien Oudelet 2021-07-08 22:27:32 CEST

Keywords: (none) => advisory
CVE: (none) => CVE-2021-2721[89] and CVE-2021-28153

Comment 19 Mageia Robot 2021-07-09 00:44:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0318.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED