Bug 33198 - glib2.0 new security issue CVE-2024-34397
Summary: glib2.0 new security issue CVE-2024-34397
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Base system maintainers
QA Contact: Sec team
 
Reported: 2024-05-13 14:14 CEST by Nicolas Salguero
Modified: 2024-06-15 11:35 CEST

Source RPM: glib2.0-2.80.0-2.mga10.src.rpm
CVE: CVE-2024-34397
Status comment: Patches available from Ubuntu and upstream


Description Nicolas Salguero 2024-05-13 14:14:14 CEST
https://ubuntu.com/security/notices/USN-6768-1

Comment 1 Nicolas Salguero 2024-05-13 14:16:49 CEST
That CVE was announced here:
https://www.openwall.com/lists/oss-security/2024/05/07/5

Ubuntu has issued an advisory on May 9:
https://ubuntu.com/security/notices/USN-6768-1

For Cauldron, the fix is: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4039

Mageia 9 is also affected.

Status comment: (none) => Patches available from Ubuntu and upstream
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => glib2.0-2.80.0-2.mga10.src.rpm
CVE: (none) => CVE-2024-34397

Comment 2 Nicolas Salguero 2024-05-13 14:18:03 CEST
It also requires a regression fix for gnome-shell: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/50a011a19dcc6997ea6173c07bb80b2d9888d363

Comment 4 Lewis Smith 2024-05-16 21:33:55 CEST
See https://gitlab.gnome.org/GNOME/glib/-/issues/3268
Fixes
Fixing this vulnerability requires multiple changes to GLib:
Then follows a list of patch URLs:
    1e648b67 "gdbusprivate: Add symbolic constants for the message bus itself"
    8dfea560 "gdbusconnection: Move SignalData, SignalSubscriber higher up"
    816da605 "gdbusconnection: Factor out signal_data_new_take()"
    5d7ad689 "gdbusconnection: Factor out add_signal_data()"
    7d21b719 "gdbusconnection: Factor out remove_signal_data_if_unused"
    26a3fb85 "gdbusconnection: Stop storing sender_unique_name in SignalData"
    683b14b9 "gdbus: Track name owners for signal subscriptions"
    d4b65376 "gdbusconnection: Don't deliver signals if the sender doesn't match"
    7d65f6c5 "gdbusconnection: Allow name owners to have the syntax of a well-known name" (regression fix, see #3353 (closed); added in 2.80.2)

The bug fix commits 10e9a917 "gdbusmessage: Cache the arg0 value" and 7b15b1db "gdbus-proxy test: Wait before asserting name owner has gone away" are not required to fix the vulnerability, but applying them in addition is recommended. When applying the vulnerability fix without those commits, GLib test failures were observed.

When backporting to older stable release branches, a backport of g_set_str() will be required, for example 67052fed "gdbusconnection: Make a backport of g_set_str() available" in !4041 (closed).

Fixing this vulnerability will trigger a regression in GNOME Shell's implementation of screen recording and screencasting, due to a pre-existing GNOME Shell bug. Applying commit gnome-shell@50a011a1 "screencast: Correct expected bus name for streams" to GNOME Shell fixes that regression. In distributions that ship GNOME Shell, it is recommended to make that change as part of the same security update that fixes the GLib vulnerability.
---
I hope that is all...

Assignee: bugsquad => basesystem

Comment 5 Nicolas Salguero 2024-05-31 10:15:12 CEST
SUSE has issued an advisory on May 29:
https://lwn.net/Articles/975988/

Comment 6 David GEIGER 2024-06-15 11:35:27 CEST
Cauldron was fixed with glib2.0-2.80.3-1.mga10.src.rpm!

Version: Cauldron => 9
CC: (none) => geiger.david68210
Whiteboard: MGA9TOO => (none)
