packages/glib2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!16 fix CVE-2021-27218

Browse Source 
From: @jinzhimin369
Reviewed-by: @compile_success,@yanan-rock
Signed-off-by: @yanan-rock
This commit is contained in:
openeuler-ci-bot 2021-03-03 09:15:24 +08:00 committed by Gitee
commit 6f63420c41
2 changed files with 68 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
backport-CVE-2021-27218.patch Normal file
View File

@ -0,0 +1,60 @@
From acb7b0ec69f26a7df10af3992359890b09f076e8 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <qdlacz@gmail.com>
Date: Wed, 10 Feb 2021 23:51:07 +0100
Subject: [PATCH] gbytearray: Do not accept too large byte arrays
GByteArray uses guint for storing the length of the byte array, but it
also has a constructor (g_byte_array_new_take) that takes length as a
gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits
for guint). It is possible to call the function with a value greater
than G_MAXUINT, which will result in silent length truncation. This
may happen as a result of unreffing GBytes into GByteArray, so rather
be loud about it.
(Test case tweaked by Philip Withnall.)
---
glib/garray.c | 6 ++++++
glib/gbytes.c | 4 ++++
2 files changed, 10 insertions(+)
diff --git a/glib/garray.c b/glib/garray.c
index de720210c..2b66f16a6 100644
--- a/glib/garray.c
+++ b/glib/garray.c
@@ -2261,6 +2261,10 @@ g_byte_array_steal (GByteArray *array,
* Create byte array containing the data. The data will be owned by the array
* and will be freed with g_free(), i.e. it could be allocated using g_strdup().
*
+ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray
+ * stores the length of its data in #guint, which may be shorter than
+ * #gsize.
+ *
* Since: 2.32
*
* Returns: (transfer full): a new #GByteArray
@@ -2272,6 +2276,8 @@ g_byte_array_new_take (guint8 *data,
GByteArray *array;
GRealArray *real;
+ g_return_val_if_fail (len <= G_MAXUINT, NULL);
+
array = g_byte_array_new ();
real = (GRealArray *)array;
g_assert (real->data == NULL);
diff --git a/glib/gbytes.c b/glib/gbytes.c
index 00fd79155..aaadf451b 100644
--- a/glib/gbytes.c
+++ b/glib/gbytes.c
@@ -519,6 +519,10 @@ g_bytes_unref_to_data (GBytes *bytes,
* g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes(). In all
* other cases the data is copied.
*
+ * Do not use it if @bytes contains more than %G_MAXUINT
+ * bytes. #GByteArray stores the length of its data in #guint, which
+ * may be shorter than #gsize, that @bytes is using.
+ *
* Returns: (transfer full): a new mutable #GByteArray containing the same byte data
*
* Since: 2.32
--
GitLab

9
glib2.spec
View File

@ -1,6 +1,6 @@
Name: glib2
Version: 2.62.5
Release: 2
Release: 3
Summary: The core library that forms the basis for projects such as GTK+ and GNOME
License: LGPLv2+
URL: http://www.gtk.org
@ -8,6 +8,7 @@ Source0: http://download.gnome.org/sources/glib/2.62/glib-%{version}.tar.
Patch9001: fix-accidentally-delete-temp-file-within-dtrace.patch
Patch6000: backport-CVE-2020-35457.patch
Patch6001: backport-CVE-2021-27218.patch
BuildRequires: chrpath gcc gcc-c++ gettext gtk-doc perl-interpreter
BUildRequires: glibc-devel libattr-devel libselinux-devel meson
@ -144,6 +145,12 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
%doc %{_datadir}/gtk-doc/html/*
%changelog
* Mon Mar 1 2021 jinzhimin<jinzhimin2@huawei.com> - 2.62.5-3
- Type:cve
- Id:CVE-2021-27218
- SUG:NA
- DESC:fix CVE-2021-27218
* Sat Feb 27 2021 zhujunhao<zhujunhao8@huawei.com> - 2.62.5-2
- Type:cve
- Id:CVE-2020-35457