Bug 33198 - glib2.0 new security issue CVE-2024-34397
Summary: glib2.0 new security issue CVE-2024-34397
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 33409 33434 33449
Reported: 2024-05-13 14:14 CEST by Nicolas Salguero
Modified: 2024-09-25 20:09 CEST (History)
8 users

See Also:
Source RPM: glib2.0-2.76.3-1.mga9.src.rpm
CVE: CVE-2024-34397
Status comment:


Attachments

Description Nicolas Salguero 2024-05-13 14:14:14 CEST
https://ubuntu.com/security/notices/USN-6768-1
Comment 1 Nicolas Salguero 2024-05-13 14:16:49 CEST
That CVE was announced here:
https://www.openwall.com/lists/oss-security/2024/05/07/5

Ubuntu has issued an advisory on May 9:
https://ubuntu.com/security/notices/USN-6768-1

For Cauldron, the fix is: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4039

Mageia 9 is also affected.

Status comment: (none) => Patches available from Ubuntu and upstream
CVE: (none) => CVE-2024-34397
Source RPM: (none) => glib2.0-2.80.0-2.mga10.src.rpm
Whiteboard: (none) => MGA9TOO

Comment 2 Nicolas Salguero 2024-05-13 14:18:03 CEST
It also requires a regression fix for gnome-shell: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/50a011a19dcc6997ea6173c07bb80b2d9888d363
Comment 4 Lewis Smith 2024-05-16 21:33:55 CEST
See https://gitlab.gnome.org/GNOME/glib/-/issues/3268
Fixes
Fixing this vulnerability requires multiple changes to GLib:
Then follows a list of patch URLs:
    1e648b67 "gdbusprivate: Add symbolic constants for the message bus itself"
    8dfea560 "gdbusconnection: Move SignalData, SignalSubscriber higher up"
    816da605 "gdbusconnection: Factor out signal_data_new_take()"
    5d7ad689 "gdbusconnection: Factor out add_signal_data()"
    7d21b719 "gdbusconnection: Factor out remove_signal_data_if_unused"
    26a3fb85 "gdbusconnection: Stop storing sender_unique_name in SignalData"
    683b14b9 "gdbus: Track name owners for signal subscriptions"
    d4b65376 "gdbusconnection: Don't deliver signals if the sender doesn't match"
    7d65f6c5 "gdbusconnection: Allow name owners to have the syntax of a well-known name" (regression fix, see #3353 (closed); added in 2.80.2)

The bug fix commits 10e9a917 "gdbusmessage: Cache the arg0 value" and 7b15b1db "gdbus-proxy test: Wait before asserting name owner has gone away" are not required to fix the vulnerability, but applying them in addition is recommended. When applying the vulnerability fix without those commits, GLib test failures were observed.

When backporting to older stable release branches, a backport of g_set_str() will be required, for example 67052fed "gdbusconnection: Make a backport of g_set_str() available" in !4041 (closed).

Fixing this vulnerability will trigger a regression in GNOME Shell's implementation of screen recording and screencasting, due to a pre-existing GNOME Shell bug. Applying commit gnome-shell@50a011a1 "screencast: Correct expected bus name for streams" to GNOME Shell fixes that regression. In distributions that ship GNOME Shell, it is recommended to make that change as part of the same security update that fixes the GLib vulnerability.
---
I hope that is all...

Assignee: bugsquad => basesystem

Comment 5 Nicolas Salguero 2024-05-31 10:15:12 CEST
SUSE has issued an advisory on May 29:
https://lwn.net/Articles/975988/
Comment 6 David GEIGER 2024-06-15 11:35:27 CEST
Cauldron was fixed with glib2.0-2.80.3-1.mga10.src.rpm!

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
CC: (none) => geiger.david68210

Nicolas Salguero 2024-09-18 15:12:01 CEST

Blocks: (none) => 33409

Comment 7 Nicolas Salguero 2024-09-18 15:15:20 CEST
Suggested advisory:
========================

The updated packages fix a packaging issue and a security vulnerability:

An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact. (CVE-2024-34397)

References:
https://www.openwall.com/lists/oss-security/2024/05/07/5
https://ubuntu.com/security/notices/USN-6768-1
https://lwn.net/Articles/975988/
========================

Updated packages in core/updates_testing:
========================
glib-gettextize-2.76.3-1.2.mga9
glib2.0-common-2.76.3-1.2.mga9
glib2.0-tests-2.76.3-1.2.mga9
lib(64)gio2.0_0-2.76.3-1.2.mga9
lib(64)glib2.0_0-2.76.3-1.2.mga9
lib(64)glib2.0-devel-2.76.3-1.2.mga9
lib(64)glib2.0-static-devel-2.76.3-1.2.mga9

from SRPM:
glib2.0-2.76.3-1.2.mga9.src.rpm

Status comment: Patches available from Ubuntu and upstream => (none)
Status: NEW => ASSIGNED
Source RPM: glib2.0-2.80.0-2.mga10.src.rpm => glib2.0-2.76.3-1.mga9.src.rpm
Assignee: basesystem => qa-bugs
Blocks: 33409 => (none)
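
As an added illustration of the sender check the advisory describes (this is not GLib's code, nor the upstream patch, but a Python model of it): a GDBus-style subscription whose sender is a well-known name. The unsafe matcher looks only at interface and member, so a signal from any connection on the bus is accepted; the hardened matcher tracks the name's owner through NameOwnerChanged and drops signals whose sender unique name does not match, which is the approach of the CVE-2024-34397 fix commits listed in comment 4. The bus names, unique names and the StateChanged signal are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    sender: str      # unique name of the emitting connection, e.g. ":1.7"
    interface: str
    member: str


class Subscription:
    """Subscription whose sender is a well-known name (here NetworkManager's)."""

    def __init__(self, sender_name, interface, member):
        self.sender_name, self.interface, self.member = sender_name, interface, member
        self.owner = None    # unique name currently owning sender_name (tracked)

    def on_name_owner_changed(self, name, new_owner):
        # Mirror of the bus's NameOwnerChanged notification for our sender;
        # an empty new_owner means the name was released.
        if name == self.sender_name:
            self.owner = new_owner or None

    def matches_unsafe(self, sig):
        # Vulnerable shape: interface/member only, the sender is never checked,
        # so a look-alike signal from another user's connection is accepted.
        return sig.interface == self.interface and sig.member == self.member

    def matches(self, sig):
        # Hardened shape: additionally require the sender to be the tracked owner.
        if self.owner is None or sig.sender != self.owner:
            return False
        return self.matches_unsafe(sig)


def demo():
    """Constructed scenario: NetworkManager owns its name as :1.7, and an
    unrelated connection :1.42 emits a look-alike StateChanged signal."""
    nm = "org.freedesktop.NetworkManager"
    sub = Subscription(nm, nm, "StateChanged")
    sub.on_name_owner_changed(nm, ":1.7")
    genuine = Signal(":1.7", nm, "StateChanged")
    spoofed = Signal(":1.42", nm, "StateChanged")
    result = {
        "unsafe_accepts_spoofed": sub.matches_unsafe(spoofed),
        "hardened_accepts_genuine": sub.matches(genuine),
        "hardened_accepts_spoofed": sub.matches(spoofed),
    }
    sub.on_name_owner_changed(nm, "")          # NetworkManager releases its name
    result["hardened_after_release"] = sub.matches(genuine)   # stale sender, dropped
    return result
```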

Nicolas Salguero 2024-09-18 15:15:44 CEST

Blocks: (none) => 33409

Nicolas Salguero 2024-09-18 15:19:11 CEST

Blocks: (none) => 33434

katnatek 2024-09-18 19:06:00 CEST

Keywords: (none) => advisory

Comment 8 katnatek 2024-09-21 01:39:30 CEST
RH x86_64 

Tested in pack with bug#33409

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing glib-gettextize-2.76.3-1.2.mga9.x86_64.rpm lib64gtk-gir3.0-3.24.38-1.1.mga9.x86_64.rpm gtk+2.0-2.24.33-5.1.mga9.x86_64.rpm gtk+3.0-3.24.38-1.1.mga9.x86_64.rpm glib2.0-common-2.76.3-1.2.mga9.x86_64.rpm lib64gtk-gir2.0-2.24.33-5.1.mga9.x86_64.rpm lib64gio2.0_0-2.76.3-1.2.mga9.x86_64.rpm lib64gtk+-x11-2.0_0-2.24.33-5.1.mga9.x86_64.rpm lib64gtk+2.0_0-2.24.33-5.1.mga9.x86_64.rpm lib64glib2.0_0-2.76.3-1.2.mga9.x86_64.rpm lib64gtk+3_0-3.24.38-1.1.mga9.x86_64.rpm gtk-update-icon-cache-3.24.38-1.1.mga9.x86_64.rpm lib64glib2.0-devel-2.76.3-1.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64

pidgin already tested in bug#33409 comment#6
wxwidgets depends on these libraries; tested yt-dlg and videomass, which use the Python bindings for wxwidgets, and they look like they work

strace audacity
openat(AT_FDCWD, "/lib64/libgio-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libwx_baseu_xml-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3

Still starts without issues, no deep test
Comment 9 Thomas Andrews 2024-09-22 02:26:32 CEST
MGA9-64 Plasma, i5-7500, Nvidia Quadro K620 graphics.

The following 3 packages are going to be installed:

- glib2.0-common-2.76.3-1.2.mga9.x86_64
- lib64gio2.0_0-2.76.3-1.2.mga9.x86_64
- lib64glib2.0_0-2.76.3-1.2.mga9.x86_64

No installation issues. urpmq --whatrequires-recursive glib2.0-common gives me a list that is over 7200 packages long. Of course, many are duplicates, but still it's enough to see that glib is integral to the system. 

The advisory specifies an issue with Gnome-shell, and of course that is not used on this Plasma system. But, it also mentions Network Manager, and I do use that here.

So, checking out the management of my connection, with and without an active openvpn VPN, no obvious issues were seen, and no issues were seen with Firefox, Thunderbird, or plasma-workspace, also on that lengthy urpmq list.

Looks good here.

CC: (none) => andrewsfarm

Comment 10 Herman Viaene 2024-09-22 11:42:10 CEST
MGA9-64 server Plasma Wayland on HP Pavilion
No installation issues.
Rebooted and tried a whole list of programs, wifi, access to NFS shares, all OK

CC: (none) => herman.viaene

Comment 11 katnatek 2024-09-22 19:31:52 CEST
VM x86_64 lxde
Test in bug#33409 comment#7
Comment 12 Morgan Leijström 2024-09-22 21:28:36 CEST
Tested update of installed packages on all systems I tested kernel Bug 33574 on
Most mga-64, Plasma
One mga-32, LXDE
No regression noted.

CC: (none) => fri

Comment 13 Ben McMonagle 2024-09-23 01:59:15 CEST
gnome on wayland x86_64

updated:

glib2.0-common-2.76.3-1.2.mga9.x86_64
lib64gio2.0_0-2.76.3-1.2.mga9.x86_64
lib64glib2.0_0-2.76.3-1.2.mga9.x86_64

rebooted to working Desktop

FF ok,

.mp4 video (totem) sound and picture - ok
Wifi ok
MCC ok

CC: (none) => westel

katnatek 2024-09-23 19:42:04 CEST

Blocks: (none) => 33449

Comment 14 katnatek 2024-09-24 04:17:50 CEST
RH i586 

rpm -qa|grep 2.76.3-1.2.mga9
libglib2.0_0-2.76.3-1.2.mga9
libgio2.0_0-2.76.3-1.2.mga9
glib2.0-common-2.76.3-1.2.mga9

pidgin works
audacity starts
Comment 15 Jose Manuel López 2024-09-24 08:27:11 CEST
Installed in Mga9 x86_64 Plasma KDE without issues.

rpm -qa|grep glib2.0
lib64glib2.0_0-2.76.3-1.2.mga9
glib2.0-common-2.76.3-1.2.mga9
lib64glib2.0-devel-2.76.3-1.2.mga9


Pidgin and audacity work fine.
Reboot and sleep ok.
Wifi, audio and video ok.

CC: (none) => joselp

Comment 16 Brian Rockwell 2024-09-25 15:49:10 CEST
glib2.0-common-2.76.3-1.2.mga9 installed

system is "ALIVE ALIVE!  IT's ALIVE!!!"

CC: (none) => brtians1

Comment 17 Thomas Andrews 2024-09-25 17:21:16 CEST
MGA9-32 Xfce on Foolishness, my Dell Inspiron 5100, P4, Radeon RV200 graphics. Tested in combination with the Gtk+ update.

No installation issues, and no issues after a reboot. Looks good here.

Lots of tests, no issues, time to let it go.

Validating.

Whiteboard: (none) => MGA9-64-OK MGA9-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 18 Mageia Robot 2024-09-25 20:09:29 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0311.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
