fix CVE-2021-27218

2021-03-01 17:28:42 +08:00 · 2021-03-01 17:28:42 +08:00 · 7e3bea5eaa
commit 7e3bea5eaa
parent 84285a4984
2 changed files with 68 additions and 1 deletions
--- a/backport-CVE-2021-27218.patch
+++ b/backport-CVE-2021-27218.patch
@ -0,0 +1,60 @@
+From acb7b0ec69f26a7df10af3992359890b09f076e8 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak <qdlacz@gmail.com>
+Date: Wed, 10 Feb 2021 23:51:07 +0100
+Subject: [PATCH] gbytearray: Do not accept too large byte arrays
+
+GByteArray uses guint for storing the length of the byte array, but it
+also has a constructor (g_byte_array_new_take) that takes length as a
+gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits
+for guint). It is possible to call the function with a value greater
+than G_MAXUINT, which will result in silent length truncation. This
+may happen as a result of unreffing GBytes into GByteArray, so rather
+be loud about it.
+
+(Test case tweaked by Philip Withnall.)
+---
+ glib/garray.c      |  6 ++++++
+ glib/gbytes.c      |  4 ++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/glib/garray.c b/glib/garray.c
+index de720210c..2b66f16a6 100644
+--- a/glib/garray.c
+++ b/glib/garray.c
+@@ -2261,6 +2261,10 @@ g_byte_array_steal (GByteArray *array,
+  * Create byte array containing the data. The data will be owned by the array
+  * and will be freed with g_free(), i.e. it could be allocated using g_strdup().
+  *
+ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray
+ * stores the length of its data in #guint, which may be shorter than
+ * #gsize.
+ *
+  * Since: 2.32
+  *
+  * Returns: (transfer full): a new #GByteArray
+@@ -2272,6 +2276,8 @@ g_byte_array_new_take (guint8 *data,
+   GByteArray *array;
+   GRealArray *real;
+ 
+  g_return_val_if_fail (len <= G_MAXUINT, NULL);
+
+   array = g_byte_array_new ();
+   real = (GRealArray *)array;
+   g_assert (real->data == NULL);
+diff --git a/glib/gbytes.c b/glib/gbytes.c
+index 00fd79155..aaadf451b 100644
+--- a/glib/gbytes.c
+++ b/glib/gbytes.c
+@@ -519,6 +519,10 @@ g_bytes_unref_to_data (GBytes *bytes,
+  * g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes(). In all
+  * other cases the data is copied.
+  *
+ * Do not use it if @bytes contains more than %G_MAXUINT
+ * bytes. #GByteArray stores the length of its data in #guint, which
+ * may be shorter than #gsize, that @bytes is using.
+ *
+  * Returns: (transfer full): a new mutable #GByteArray containing the same byte data
+  *
+  * Since: 2.32
+-- 
+GitLab
--- a/glib2.spec
+++ b/glib2.spec
@ -1,6 +1,6 @@
 Name:           glib2
 Version:        2.62.5
-Release:        2
+Release:        3
 Summary:        The core library that forms the basis for projects such as GTK+ and GNOME
 License:        LGPLv2+
 URL:            http://www.gtk.org
@ -8,6 +8,7 @@ Source0:        http://download.gnome.org/sources/glib/2.62/glib-%{version}.tar.

 Patch9001:      fix-accidentally-delete-temp-file-within-dtrace.patch
 Patch6000:      backport-CVE-2020-35457.patch 
+Patch6001:      backport-CVE-2021-27218.patch

 BuildRequires:  chrpath gcc gcc-c++ gettext gtk-doc perl-interpreter
 BUildRequires:  glibc-devel libattr-devel libselinux-devel meson
@ -144,6 +145,12 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %doc %{_datadir}/gtk-doc/html/*

 %changelog
+* Mon Mar 1 2021 jinzhimin<jinzhimin2@huawei.com> - 2.62.5-3
+- Type:cve
+- Id:CVE-2021-27218
+- SUG:NA
+- DESC:fix CVE-2021-27218
+
 * Sat Feb 27 2021 zhujunhao<zhujunhao8@huawei.com> - 2.62.5-2
 - Type:cve
 - Id:CVE-2020-35457