https://ubuntu.com/security/notices/USN-6768-1
That CVE was announced here: https://www.openwall.com/lists/oss-security/2024/05/07/5
Ubuntu has issued an advisory on May 9: https://ubuntu.com/security/notices/USN-6768-1
For Cauldron, the fix is: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4039
Mageia 9 is also affected.
Status comment: (none) => Patches available from Ubuntu and upstream
CVE: (none) => CVE-2024-34397
Source RPM: (none) => glib2.0-2.80.0-2.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
It also requires a regression fix for gnome-shell: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/50a011a19dcc6997ea6173c07bb80b2d9888d363
Fedora has issued advisories on May 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LCDY3KA7G7D3DRXYTT46K6LFHS2KHWBH/ (glib2.0)
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3Y4LSO325A6663GVVF6D3BTV5MRFBCI3/ (gnome-shell)
See https://gitlab.gnome.org/GNOME/glib/-/issues/3268

Fixes

Fixing this vulnerability requires multiple changes to GLib:

Then follows a list of patch URLs:
1e648b67 "gdbusprivate: Add symbolic constants for the message bus itself"
8dfea560 "gdbusconnection: Move SignalData, SignalSubscriber higher up"
816da605 "gdbusconnection: Factor out signal_data_new_take()"
5d7ad689 "gdbusconnection: Factor out add_signal_data()"
7d21b719 "gdbusconnection: Factor out remove_signal_data_if_unused"
26a3fb85 "gdbusconnection: Stop storing sender_unique_name in SignalData"
683b14b9 "gdbus: Track name owners for signal subscriptions"
d4b65376 "gdbusconnection: Don't deliver signals if the sender doesn't match"
7d65f6c5 "gdbusconnection: Allow name owners to have the syntax of a well-known name" (regression fix, see #3353 (closed); added in 2.80.2)

The bug fix commits 10e9a917 "gdbusmessage: Cache the arg0 value" and 7b15b1db "gdbus-proxy test: Wait before asserting name owner has gone away" are not required to fix the vulnerability, but applying them in addition is recommended. When applying the vulnerability fix without those commits, GLib test failures were observed.

When backporting to older stable release branches, a backport of g_set_str() will be required, for example 67052fed "gdbusconnection: Make a backport of g_set_str() available" in !4041 (closed).

Fixing this vulnerability will trigger a regression in GNOME Shell's implementation of screen recording and screencasting, due to a pre-existing GNOME Shell bug. Applying commit gnome-shell@50a011a1 "screencast: Correct expected bus name for streams" to GNOME Shell fixes that regression. In distributions that ship GNOME Shell, it is recommended to make that change as part of the same security update that fixes the GLib vulnerability.

---

I hope that is all...
Assignee: bugsquad => basesystem
SUSE has issued an advisory on May 29: https://lwn.net/Articles/975988/
Cauldron was fixed with glib2.0-2.80.3-1.mga10.src.rpm!
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
CC: (none) => geiger.david68210
Blocks: (none) => 33409
Suggested advisory:
========================

The updated packages fix a packaging issue and a security vulnerability:

An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact. (CVE-2024-34397)

References:
https://www.openwall.com/lists/oss-security/2024/05/07/5
https://ubuntu.com/security/notices/USN-6768-1
https://lwn.net/Articles/975988/
========================

Updated packages in core/updates_testing:
========================

glib-gettextize-2.76.3-1.2.mga9
glib2.0-common-2.76.3-1.2.mga9
glib2.0-tests-2.76.3-1.2.mga9
lib(64)gio2.0_0-2.76.3-1.2.mga9
lib(64)glib2.0_0-2.76.3-1.2.mga9
lib(64)glib2.0-devel-2.76.3-1.2.mga9
lib(64)glib2.0-static-devel-2.76.3-1.2.mga9

from SRPM:
glib2.0-2.76.3-1.2.mga9.src.rpm
Status comment: Patches available from Ubuntu and upstream => (none)
Status: NEW => ASSIGNED
Source RPM: glib2.0-2.80.0-2.mga10.src.rpm => glib2.0-2.76.3-1.mga9.src.rpm
Assignee: basesystem => qa-bugs
Blocks: 33409 => (none)
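The upstream fix list quoted in the earlier comment ("Track name owners for signal subscriptions", "Don't deliver signals if the sender doesn't match", "Allow name owners to have the syntax of a well-known name") and the advisory text above describe the same check. The model below is added here and is not GLib's code or anything from the bug report: Connection, scenario and the bus state are constructed, and fixed=False stands in for the pre-fix path that delivered a matching signal without verifying who sent it. It also shows why a subscription using a wrong or unowned bus name receives nothing once the check is in place, which is consistent with the GNOME Shell screencast regression noted upstream.

```python
DBUS_SERVICE = "org.freedesktop.DBus"  # the bus driver owns its own, non-unique name

class Connection:
    """Model (not GLib's code) of GDBus signal dispatch after the CVE-2024-34397 fix."""
    def __init__(self, name_owners, fixed=True):
        self.name_owners = dict(name_owners)  # constructed bus state: name -> owner
        self.fixed = fixed  # False models the pre-fix path with no sender check
        self.subs = []      # each: dict(sender, owner, interface, member, callback)

    def subscribe(self, sender, interface, member, callback):
        # Resolve the owner once (as GetNameOwner would); unique names (":1.x")
        # and the bus driver's own name are their own owners.
        owner = None
        if sender is not None:
            owner = sender if sender.startswith(":") or sender == DBUS_SERVICE \
                else self.name_owners.get(sender)
        self.subs.append({"sender": sender, "owner": owner, "interface": interface,
                          "member": member, "callback": callback})

    def name_owner_changed(self, name, new_owner):
        """Apply a NameOwnerChanged notification so tracked owners stay current."""
        self.name_owners[name] = new_owner
        for sub in self.subs:
            if sub["sender"] == name:
                sub["owner"] = new_owner

    def deliver(self, sender, interface, member, body):
        """Dispatch one incoming signal; `sender` is the name the bus stamped on it."""
        delivered = 0
        for sub in self.subs:
            if (sub["interface"], sub["member"]) != (interface, member):
                continue
            if self.fixed and sub["sender"] is not None and sender != sub["owner"]:
                continue  # spoofed, stale or unowned sender: drop
            sub["callback"](sender, body)
            delivered += 1
        return delivered

def scenario(fixed):
    """Constructed run: NetworkManager owns its name as :1.5, another local user
    at :1.99 sends a look-alike StateChanged, then the service restarts as :1.7."""
    nm, seen = "org.freedesktop.NetworkManager", []
    conn = Connection({nm: ":1.5"}, fixed=fixed)
    conn.subscribe(nm, nm, "StateChanged", lambda s, body: seen.append((s, body)))
    conn.deliver(":1.5", nm, "StateChanged", 70)   # genuine
    conn.deliver(":1.99", nm, "StateChanged", 20)  # spoofed by another user
    conn.name_owner_changed(nm, ":1.7")            # service restarted
    conn.deliver(":1.5", nm, "StateChanged", 20)   # stale former owner
    conn.deliver(":1.7", nm, "StateChanged", 70)   # genuine again
    return seen
```

With fixed=True only the two genuine signals reach the callback; with fixed=False all four do, including the spoofed and stale ones.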
Blocks: (none) => 33434
Keywords: (none) => advisory
RH x86_64

Tested in pack with bug#33409

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing glib-gettextize-2.76.3-1.2.mga9.x86_64.rpm lib64gtk-gir3.0-3.24.38-1.1.mga9.x86_64.rpm gtk+2.0-2.24.33-5.1.mga9.x86_64.rpm gtk+3.0-3.24.38-1.1.mga9.x86_64.rpm glib2.0-common-2.76.3-1.2.mga9.x86_64.rpm lib64gtk-gir2.0-2.24.33-5.1.mga9.x86_64.rpm lib64gio2.0_0-2.76.3-1.2.mga9.x86_64.rpm lib64gtk+-x11-2.0_0-2.24.33-5.1.mga9.x86_64.rpm lib64gtk+2.0_0-2.24.33-5.1.mga9.x86_64.rpm lib64glib2.0_0-2.76.3-1.2.mga9.x86_64.rpm lib64gtk+3_0-3.24.38-1.1.mga9.x86_64.rpm gtk-update-icon-cache-3.24.38-1.1.mga9.x86_64.rpm lib64glib2.0-devel-2.76.3-1.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ###################################################################################
1/13: lib64glib2.0_0 ###################################################################################
2/13: lib64gio2.0_0 ###################################################################################
3/13: glib2.0-common ###################################################################################
4/13: lib64gtk+2.0_0 ###################################################################################
5/13: gtk+2.0 ###################################################################################
6/13: lib64gtk+-x11-2.0_0 ###################################################################################
7/13: gtk-update-icon-cache ###################################################################################
8/13: lib64gtk+3_0 ###################################################################################
9/13: gtk+3.0 ###################################################################################
10/13: glib-gettextize ###################################################################################
11/13: lib64glib2.0-devel ###################################################################################
12/13: lib64gtk-gir3.0 ###################################################################################
13/13: lib64gtk-gir2.0 ###################################################################################
1/13: removing lib64gtk-gir2.0-2.24.33-5.mga9.x86_64 ###################################################################################
2/13: removing lib64gtk-gir3.0-3.24.38-1.mga9.x86_64 ###################################################################################
3/13: removing lib64gtk+-x11-2.0_0-2.24.33-5.mga9.x86_64 ###################################################################################
4/13: removing lib64glib2.0-devel-2.76.3-1.mga9.x86_64 ###################################################################################
5/13: removing gtk+3.0-3.24.38-1.mga9.x86_64 ###################################################################################
6/13: removing lib64gtk+3_0-3.24.38-1.mga9.x86_64 ###################################################################################
7/13: removing gtk+2.0-2.24.33-5.mga9.x86_64 ###################################################################################
8/13: removing glib-gettextize-2.76.3-1.mga9.x86_64 ###################################################################################
9/13: removing lib64gtk+2.0_0-2.24.33-5.mga9.x86_64 ###################################################################################
10/13: removing glib2.0-common-2.76.3-1.mga9.x86_64 ###################################################################################
11/13: removing lib64gio2.0_0-2.76.3-1.mga9.x86_64 ###################################################################################
12/13: removing gtk-update-icon-cache-3.24.38-1.mga9.x86_64 ###################################################################################
13/13: removing lib64glib2.0_0-2.76.3-1.mga9.x86_64 ###################################################################################

pidgin already tested in bug#33409 comment#6

wxwidgets depends on these libraries; tested yt-dlg and videomass, which use the python binding for wxwidgets, and they look like they work

strace audacity
openat(AT_FDCWD, "/lib64/libgio-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libwx_baseu_xml-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3

Still starts without issues, no deep test
MGA9-64 Plasma, i5-7500, Nvidia Quadro K620 graphics.

The following 3 packages are going to be installed:
- glib2.0-common-2.76.3-1.2.mga9.x86_64
- lib64gio2.0_0-2.76.3-1.2.mga9.x86_64
- lib64glib2.0_0-2.76.3-1.2.mga9.x86_64

No installation issues.

urpmq --whatrequires-recursive glib2.0-common gives me a list that is over 7200 packages long. Of course, many are duplicates, but still it's enough to see that glib is integral to the system.

The advisory specifies an issue with Gnome-shell, and of course that is not used on this Plasma system. But it also mentions Network Manager, and I do use that here. So, checking out the management of my connection, with and without an active openvpn VPN, no obvious issues were seen, and no issues were seen with Firefox, Thunderbird, or plasma-workspace, also on that lengthy urpmq list.

Looks good here.
CC: (none) => andrewsfarm
MGA9-64 server Plasma Wayland on HP Pavilion

No installation issues. Rebooted and tried a whole list of programs, wifi, access to NFS shares, all OK
CC: (none) => herman.viaene
VM x86_64 lxde
Tested in bug#33409 comment#7
Tested update of installed packages on all systems I tested kernel Bug 33574
Most mga-64, Plasma
One mga-32, LXDE
No regression noted.
CC: (none) => fri
gnome on wayland x86_64
updated:
glib2.0-common-2.76.3-1.2.mga9.x86_64
lib64gio2.0_0-2.76.3-1.2.mga9.x86_64
lib64glib2.0_0-2.76.3-1.2.mga9.x86_64
rebooted to working Desktop
FF ok, .mp4 video (totem) sound and picture ok
Wifi ok
MCC ok
CC: (none) => westel
Blocks: (none) => 33449
RH i586

rpm -qa|grep 2.76.3-1.2.mga9
libglib2.0_0-2.76.3-1.2.mga9
libgio2.0_0-2.76.3-1.2.mga9
glib2.0-common-2.76.3-1.2.mga9

pidgin works
audacity starts
Install in Mga9 x86_64 Plasma KDE, without issues.

rpm -qa|grep glib2.0
lib64glib2.0_0-2.76.3-1.2.mga9
glib2.0-common-2.76.3-1.2.mga9
lib64glib2.0-devel-2.76.3-1.2.mga9

Pidgin and audacity work fine. Reboot and sleep ok. Wifi, audio and video ok.
CC: (none) => joselp
glib2.0-common-2.76.3-1.2.mga9 installed
system is "ALIVE ALIVE! IT'S ALIVE!!!"
CC: (none) => brtians1
MGA9-32 Xfce on Foolishness, my Dell Inspiron 5100, P4, Radeon RV200 graphics.

Tested in combination with the Gtk+ update. No installation issues, and no issues after a reboot. Looks good here.

Lots of tests, no issues, time to let it go. Validating.
Whiteboard: (none) => MGA9-64-OK MGA9-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0311.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED