Bug 31805 - glib2.0 new security issues CVE-2023-24593 and CVE-2023-25180
Summary: glib2.0 new security issues CVE-2023-24593 and CVE-2023-25180
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Duplicates: 32034
Depends on:
Blocks:
 
Reported: 2023-04-17 15:25 CEST by David Walser
Modified: 2023-07-09 19:54 CEST
CC List: 6 users

See Also:
Source RPM: glib2.0-2.66.8-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2023-04-17 15:25:49 CEST
Fedora has issued an advisory on April 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FRPEEZJKIVRRCTBOO42O6IY44O5UU3MT/

Mageia 8 is also affected.
David Walser 2023-04-17 15:26:04 CEST

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-04-17 20:49:19 CEST
Unsure where to push this, so doing so globally.
CC'ing tv who did a fix some months ago.

Assignee: bugsquad => pkg-bugs
CC: (none) => thierry.vignaud

Comment 2 Nicolas Salguero 2023-04-18 10:29:15 CEST
Hi,

By following the link given in comment 0, I found that link:
https://bugzilla.redhat.com/show_bug.cgi?id=2181192
which gives that link:
https://bugzilla.redhat.com/show_bug.cgi?id=2181183
which gives that link:
https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835
which gives that link:
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126
which gives that link:
https://gitlab.gnome.org/GNOME/glib/-/commit/e16fb83755e08a4c2da2b0a8ea0fc2e27b1154bf
which says the commit was added in version 2.74.4.

So Cauldron is not affected by that CVE.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Source RPM: glib2.0-2.74.5-3.mga9.src.rpm => glib2.0-2.66.8-1.mga8.src.rpm

Comment 3 David Walser 2023-04-20 17:09:42 CEST
SUSE has issued an advisory on April 19:
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014499.html

It fixes this issue and one new one, which will need to be checked against Cauldron.

Version: 8 => Cauldron
Summary: glib2.0 new security issue CVE-2023-24593 => glib2.0 new security issues CVE-2023-24593 and CVE-2023-25180
Status comment: Patch available from Fedora => Patches available from Fedora and SUSE
Whiteboard: (none) => MGA8TOO

Comment 4 Nicolas Salguero 2023-04-21 10:46:24 CEST
Hi,

That new CVE also refers to:
https://bugzilla.redhat.com/show_bug.cgi?id=2181182

It is also fixed by the same commit so Cauldron is not affected by that CVE.

Best regards,

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 5 Nicolas Salguero 2023-05-11 14:37:56 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Denial of service caused by handling a malicious text-form variant. (CVE-2023-24593)

Denial of service caused by malicious serialised variant. (CVE-2023-25180)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25180
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FRPEEZJKIVRRCTBOO42O6IY44O5UU3MT/
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014499.html
========================

Updated packages in core/updates_testing:
========================
glib2.0-common-2.66.8-1.1.mga8
glib2.0-tests-2.66.8-1.1.mga8
glib-gettextize-2.66.8-1.1.mga8
lib(64)gio2.0_0-2.66.8-1.1.mga8
lib(64)glib2.0_0-2.66.8-1.1.mga8
lib(64)glib2.0-devel-2.66.8-1.1.mga8
lib(64)glib2.0-static-devel-2.66.8-1.1.mga8

from SRPM:
glib2.0-2.66.8-1.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Status comment: Patches available from Fedora and SUSE => (none)
Status: NEW => ASSIGNED

Comment 6 Herman Viaene 2023-05-17 11:24:16 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 28612 for testing:
symlink.tar file contains only a symlink, no "real" file. Extracting it results in the link appearing pointing to /tmp/moo which does not exist.
So works as expected.
Tried zenity, 
$ identify 19761105TrouwLodeNoella/D053.jpg 
19761105TrouwLodeNoella/D053.jpg JPEG 1656x988 1656x988+0+0 8-bit sRGB 125813B 0.000u 0:00.002
played mpg file with parole, all works OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2023-05-17 13:52:30 CEST
Validating. Advisory in comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-05-21 02:51:03 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2023-05-21 10:44:18 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0176.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2023-06-20 15:12:12 CEST
This update also fixed:
    CVE-2023-29499
    CVE-2023-32611
    CVE-2023-32665
https://ubuntu.com/security/notices/USN-6165-1

Comment 10 David Walser 2023-07-09 19:54:09 CEST
*** Bug 32034 has been marked as a duplicate of this bug. ***
