+++ This bug was initially created as a clone of Bug #28392 +++

Fedora has issued an advisory on February 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RKZC2OMFCXQTQDGIDS4JBWOWNQUAAOV2/

The update has already been in SVN but freeze pushes were ignored. Mageia 8 is therefore affected. Mageia 7 may be as well.

Additionally, an issue fixed in 2.63.6 is discussed in this thread:
https://www.openwall.com/lists/oss-security/2021/02/09/4

From tmb's comment on Bug 28392:
> yep, I will run it for some days on my mga8 systems here to see if anything
> breaks... seems debian got some trouble with at least gnome-keyring and
> dbus-x11... so we need to verify that those are not affected for us...
>
> As for mga7 I'm not sure yet if we should try to fix all of these "security
> issues" as they essentially change a "valid" API to behave differently as part
> of locking down stuff for theoretical exploits...
>
> mga7 has glib2.0 2.60 and mingw-glib2 2.58, so it can turn out to be "fun" to
> backport all the fixes... and since our other packages in mga7 are old...
> chances for them hitting more issues are bigger than mga8 that is somewhat up to date...
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=28392
Depends on: (none) => 28612
CC: (none) => tmb
Summary: glib2.0 new security issues fixed upstream in 2.66.6 => glib2.0 new security issues fixed upstream in 2.66.8 (including CVE-2021-28153)
CVE-2021-27218, CVE-2021-27219 are part of the initial report:
https://ubuntu.com/security/notices/USN-4759-1
https://ubuntu.com/security/notices/USN-4764-1
Summary: glib2.0 new security issues fixed upstream in 2.66.8 (including CVE-2021-28153) => glib2.0 new security issues fixed upstream in 2.66.8 (including CVE-2021-2721[89] and CVE-2021-28153)
(In reply to David Walser from comment #1)
> CVE-2021-27218, CVE-2021-27219 are part of the initial report:
> https://ubuntu.com/security/notices/USN-4759-1
> https://ubuntu.com/security/notices/USN-4764-1

openSUSE has issued an advisory for those ones on March 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CEADQWIHFVNLBWNNAJUQIPQTZZU5U5A4/
(In reply to David Walser from comment #2)
> (In reply to David Walser from comment #1)
> > CVE-2021-27218, CVE-2021-27219 are part of the initial report:
> > https://ubuntu.com/security/notices/USN-4759-1
> > https://ubuntu.com/security/notices/USN-4764-1
>
> openSUSE has issued an advisory for those ones on March 14:
> https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CEADQWIHFVNLBWNNAJUQIPQTZZU5U5A4/

Actually that advisory covered both of those.

RedHat has issued an advisory on May 31 for one of them:
https://access.redhat.com/errata/RHSA-2021:2147

and another one today (June 1):
https://access.redhat.com/errata/RHSA-2021:2170
CC: (none) => luigiwalser
Advisory:
========================

Updated glib2.0 packages fix security vulnerabilities:

Krzesimir Nowak discovered that GLib incorrectly handled certain large buffers. A remote attacker could use this issue to cause applications linked to GLib to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2021-27218).

Kevin Backhouse discovered that GLib incorrectly handled certain memory allocations. A remote attacker could use this issue to cause applications linked to GLib to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2021-27219).

It was discovered that GLib incorrectly handled certain symlinks when replacing files. If a user or automated system were tricked into extracting a specially crafted file with File Roller, a remote attacker could possibly create files outside of the intended directory (CVE-2021-28153).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28153
https://ubuntu.com/security/notices/USN-4759-1
https://ubuntu.com/security/notices/USN-4764-1
========================

Updated packages in core/updates_testing:
========================
glib2.0-common-2.60.2-1.5.mga7
libglib2.0_0-2.60.2-1.5.mga7
libgio2.0_0-2.60.2-1.5.mga7
libglib2.0-devel-2.60.2-1.5.mga7
libglib2.0-static-devel-2.60.2-1.5.mga7
glib-gettextize-2.60.2-1.5.mga7

from glib2.0-2.60.2-1.5.mga7.src.rpm
Assignee: olav => qa-bugs
Severity: normal => major
Tested PoC for CVE-2021-27219 from here:
https://gitlab.gnome.org/GNOME/glib/-/issues/2319

Before:
$ ./polkithelperabort $USER
username: $USER
password:
total sent = 0
total sent = 10000000
total sent = 20000000
total sent = 30000000
total sent = 40000000
total sent = 50000000
total sent = 60000000
total sent = 70000000
total sent = 80000000
total sent = 90000000
total sent = a0000000
total sent = b0000000
total sent = c0000000
total sent = d0000000
total sent = e0000000
total sent = f0000000
PAM_PROMPT_ECHO_OFF
Password:
** GLib-GIO:ERROR:../gio/gdbusmessage.c:2350:append_value_to_blob: assertion failed: (g_utf8_validate (v, -1, &end) && (end == v + len))

After:
$ ./polkithelperabort $USER
username: $USER
password:
total sent = 0
total sent = 10000000
total sent = 20000000
total sent = 30000000
total sent = 40000000
total sent = 50000000
total sent = 60000000
total sent = 70000000
total sent = 80000000
total sent = 90000000
total sent = a0000000
total sent = b0000000
total sent = c0000000
total sent = d0000000
total sent = e0000000
total sent = f0000000
PAM_PROMPT_ECHO_OFF
Password:

takes a while to finish and uses a LOT of memory, but no assertion failure, so it shows the issue is fixed.

This is supposed to be a PoC for CVE-2021-28153:
https://gitlab.gnome.org/GNOME/glib/-/issues/2325#note_1032763

But if I save that as poc2.c and compile that:
gcc poc2.c -o poc2 $(pkg-config --cflags --libs glib-2.0 gobject-2.0 gio-2.0)

and run it:
$ ./poc2
** ERROR:poc2.c:34:main: 'g_file_test (TARGET, G_FILE_TEST_EXISTS)' should be FALSE
Aborted (core dumped)

and the empty file bar exists, which my understanding is it shouldn't, both before and after the update. Also, one of the patches includes a test case for this issue, and I got the package build (locally) to run the test suite, but I don't see the replace-symlink test getting run (on either mga7 or mga8), so I'm not sure what to make of this one.
Could someone run the poc2 on Mageia 8 and tell us if it fails there as it did above? If it fails there, then probably the upstream fix didn't work or the PoC is wrong, but if it passes there then the Mageia 7 fix didn't work. Also, this mentions a regression with geeqie from the initial upstream fixes for the first two CVEs: https://gitlab.gnome.org/GNOME/glib/-/issues/2323 but geeqie runs fine before and after the update. So, we should be able to pass this update on, it's just a matter of determining the status of CVE-2021-28153.
@David I am on holiday right now, running mga8 on a netbook. If nobody else does it I shall try the poc later today - need to recharge.
CC: (none) => tarazed25
Downloaded the C code for poc2 and compiled according to the recipe in comment 6.

$ ./poc2
$ ls bar
ls: cannot access 'bar': No such file or directory

Looks OK for mga8.

lib64glib2.0-devel-2.66.8-1.mga8
lib64glib2.0_0-2.66.8-1.mga8
lib64glib2.0-static-devel-2.66.8-1.mga8
glib2.0-common-2.66.8-1.mga8
glib-gettextize-2.66.8-1.mga8

HTH
Also, geeqie works fine here in mga8, at last. For the last 12 months it had not been working properly in mga7 and initially in mga8. The symptom was a rapid slow-down in rendering of successive images. I gave up using it but now it appears to be OK for mga8.
I forgot to say that foo and bar show up in /tmp, so check there.
No sign of bar in /tmp but there is a foo with a timestamp for the period of testing. Deleted foo and ran poc2 again - no bar but /tmp/foo reappears.
/tmp/foo is an ordinary file, 4 bytes in size.
OK, perhaps someone can confirm my failure on Mageia 7 then. If so, the advisory is as follows.

Advisory:
========================

Updated glib2.0 packages fix security vulnerabilities:

Krzesimir Nowak discovered that GLib incorrectly handled certain large buffers. A remote attacker could use this issue to cause applications linked to GLib to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2021-27218).

Kevin Backhouse discovered that GLib incorrectly handled certain memory allocations. A remote attacker could use this issue to cause applications linked to GLib to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2021-27219).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27219
https://ubuntu.com/security/notices/USN-4759-1
Whiteboard: (none) => MGA7-64-OK
I could try to confirm it for mga7 when I get back but that would be a week after EOS.
(In reply to Len Lawrence from comment #14)
> I could try to confirm it for mga7 when I get back but that would be a week
> after EOS.

You can, we will push already pending updates. Not new updates.
With the update installed, I get ...

[dave@x3 tmp]$ strace -f -s 512 -ostrace.txt ./poc2
[dave@x3 tmp]$ grep /tmp strace.txt
6505 unlink("/tmp/foo") = -1 ENOENT (No such file or directory)
6505 unlink("/tmp/bar") = -1 ENOENT (No such file or directory)
6505 connect(5, {sa_family=AF_UNIX, sun_path=@"/tmp/dbus-tRaZBigWXM"}, 23) = 0
6505 symlink("/tmp/bar", "/tmp/foo" <unfinished ...>
6505 lstat("/tmp/foo", <unfinished ...>
6505 openat(AT_FDCWD, "/tmp/foo", O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, 0666 <unfinished ...>
6505 openat(AT_FDCWD, "/tmp/foo", O_WRONLY|O_CREAT|O_NOFOLLOW, 0666 <unfinished ...>
6505 lstat("/tmp/foo", <unfinished ...>
6505 openat(AT_FDCWD, "/tmp/.goutputstream-PT0450", O_WRONLY|O_CREAT|O_EXCL, 0666) = 7
6505 rename("/tmp/.goutputstream-PT0450", "/tmp/foo") = 0
6505 stat("/tmp/foo", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
6505 access("/tmp/bar", F_OK) = -1 ENOENT (No such file or directory)

And the file foo exists after running the poc2. No error message or abort. I'm not clear from the code whether that's the desired output or not.
CC: (none) => davidwhodgins
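As an added illustration (not GLib's code and not from this bug report), the replace-without-following-symlinks sequence that the strace in the previous comment shows for the fixed library, written against plain POSIX so the expected outcome (foo becomes a regular file, bar is never created) can be checked without GLib. The temp-file name pattern and the constructed check under /tmp are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Single write suffices for the small buffers in this example; a real
 * implementation would loop on partial writes and EINTR. */
static int write_full(int fd, const char *data, size_t len) {
    return write(fd, data, len) == (ssize_t)len ? 0 : -1;
}

/* Replace `path` with `data` without dereferencing a symlink at `path`, in
 * the order the strace shows for fixed GLib: O_CREAT|O_EXCL, then O_NOFOLLOW
 * for an existing regular file, then on ELOOP (a symlink) a sibling temp file
 * renamed over the link, so its target is never created. 0 or -1 (errno). */
int replace_nofollow(const char *path, const char *data, size_t len) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0666);
    if (fd < 0 && errno == EEXIST)
        fd = open(path, O_WRONLY | O_TRUNC | O_NOFOLLOW | O_CLOEXEC);
    if (fd >= 0) {
        int rc = write_full(fd, data, len);
        return (close(fd) == 0 && rc == 0) ? 0 : -1;
    }
    if (errno != ELOOP) return -1;
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    if ((fd = mkstemp(tmp)) < 0) return -1;
    if (write_full(fd, data, len) != 0 || close(fd) != 0 || rename(tmp, path) != 0) {
        int saved = errno; unlink(tmp); errno = saved; return -1;
    }
    return 0;
}

/* Constructed check mirroring the PoC: `foo` is a dangling symlink to `bar`
 * in a fresh temp dir; afterwards `bar` must not exist and `foo` must be a
 * 4-byte regular file. Returns 1 when that holds, else 0. */
int check_symlink_not_followed(void) {
    char dir[] = "/tmp/replace-XXXXXX", foo[64], bar[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(foo, sizeof foo, "%s/foo", dir);
    snprintf(bar, sizeof bar, "%s/bar", dir);
    int ok = symlink(bar, foo) == 0 && replace_nofollow(foo, "abcd", 4) == 0
          && access(bar, F_OK) == -1 && lstat(foo, &st) == 0
          && S_ISREG(st.st_mode) && st.st_size == 4;
    unlink(foo); unlink(bar); rmdir(dir);
    return ok;
}
```

A vulnerable implementation that opened `foo` with plain O_CREAT would instead create `bar` through the link, which is exactly the condition the PoC's g_file_test check on TARGET detects.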
If /tmp/bar doesn't exist, that's what is desired, and we can use the full advisory from Comment 5.
Thanks. Validating the update.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CVE: (none) => CVE-2021-2721[89] and CVE-2021-28153
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0318.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED