packages/glib2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
glib2/backport-CVE-2025-3360.patch
Funda Wang ee58f0c617 fix CVE-2025-3360, CVE-2025-4373 
(cherry picked from commit 69daba21bdd3c36bb0eca8711dfec8084c7f4c2d)
2025-05-12 15:34:03 +08:00

329 lines
11 KiB
Diff
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From fe6af80931c35fafc6a2cd0651b6de052d1bffae Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Tue, 18 Feb 2025 16:44:58 +0000
Subject: [PATCH 1/6] gdatetime: Fix integer overflow when parsing very long
ISO8601 inputs
This will only happen with invalid (or maliciously invalid) potential
ISO8601 strings, but `g_date_time_new_from_iso8601()` needs to be robust
against that.
Prevent `length` overflowing by correctly defining it as a `size_t`.
Similarly for `date_length`, but additionally track its validity in a
boolean rather than as its sign.
Spotted by chamalsl as #YWH-PGM9867-43.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
---
glib/gdatetime.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/glib/gdatetime.c b/glib/gdatetime.c
index ad9c190b6b..b33db2c20c 100644
--- a/glib/gdatetime.c
+++ b/glib/gdatetime.c
@@ -1544,7 +1544,8 @@ parse_iso8601_time (const gchar *text, gsize length,
GDateTime *
g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz)
{
- gint length, date_length = -1;
+ size_t length, date_length = 0;
+ gboolean date_length_set = FALSE;
gint hour = 0, minute = 0;
gdouble seconds = 0.0;
GTimeZone *tz = NULL;
@@ -1555,11 +1556,14 @@ g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz)
/* Count length of string and find date / time separator ('T', 't', or ' ') */
for (length = 0; text[length] != '\0'; length++)
{
- if (date_length < 0 && (text[length] == 'T' || text[length] == 't' || text[length] == ' '))
- date_length = length;
+ if (!date_length_set && (text[length] == 'T' || text[length] == 't' || text[length] == ' '))
+ {
+ date_length = length;
+ date_length_set = TRUE;
+ }
}
- if (date_length < 0)
+ if (!date_length_set)
return NULL;
if (!parse_iso8601_time (text + date_length + 1, length - (date_length + 1),
--
GitLab
From 495c85278f9638fdf3ebf002c759e1bdccebaf2f Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Tue, 18 Feb 2025 16:51:36 +0000
Subject: [PATCH 2/6] gdatetime: Fix potential integer overflow in timezone
offset handling
This one is much harder to trigger than the one in the previous commit,
but mixing `gssize` and `gsize` always runs the risk of the former
overflowing for very (very very) long input strings.
Avoid that possibility by not using the sign of the `tz_offset` to
indicate its validity, and instead using the return value of the
function.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
---
glib/gdatetime.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/glib/gdatetime.c b/glib/gdatetime.c
index b33db2c20c..792c2ed15b 100644
--- a/glib/gdatetime.c
+++ b/glib/gdatetime.c
@@ -1393,8 +1393,10 @@ parse_iso8601_date (const gchar *text, gsize length,
return FALSE;
}
+/* Value returned in tz_offset is valid if and only if the function return value
+ * is non-NULL. */
static GTimeZone *
-parse_iso8601_timezone (const gchar *text, gsize length, gssize *tz_offset)
+parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
{
gint i, tz_length, offset_hours, offset_minutes;
gint offset_sign = 1;
@@ -1462,11 +1464,11 @@ static gboolean
parse_iso8601_time (const gchar *text, gsize length,
gint *hour, gint *minute, gdouble *seconds, GTimeZone **tz)
{
- gssize tz_offset = -1;
+ size_t tz_offset = 0;
/* Check for timezone suffix */
*tz = parse_iso8601_timezone (text, length, &tz_offset);
- if (tz_offset >= 0)
+ if (*tz != NULL)
length = tz_offset;
/* hh:mm:ss(.sss) */
--
GitLab
From 5e8a3c19fcad2936dc5e070cf0767a5c5af907c5 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Tue, 18 Feb 2025 16:55:18 +0000
Subject: [PATCH 3/6] gdatetime: Track timezone length as an unsigned size_t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Its guaranteed to be in (0, length] by the calculations above.
This avoids the possibility of integer overflow through `gssize` not
being as big as `size_t`.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
---
glib/gdatetime.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/glib/gdatetime.c b/glib/gdatetime.c
index 792c2ed15b..6335bcbe2d 100644
--- a/glib/gdatetime.c
+++ b/glib/gdatetime.c
@@ -1398,7 +1398,8 @@ parse_iso8601_date (const gchar *text, gsize length,
static GTimeZone *
parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
{
- gint i, tz_length, offset_hours, offset_minutes;
+ size_t tz_length;
+ gint i, offset_hours, offset_minutes;
gint offset_sign = 1;
GTimeZone *tz;
--
GitLab
From 804a3957720449dcfac601da96bd5f5db2b71ef1 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Tue, 18 Feb 2025 17:07:24 +0000
Subject: [PATCH 4/6] gdatetime: Factor out some string pointer arithmetic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Makes the following code a little clearer, but doesnt introduce any
functional changes.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
---
glib/gdatetime.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/glib/gdatetime.c b/glib/gdatetime.c
index 6335bcbe2d..de5dd7af06 100644
--- a/glib/gdatetime.c
+++ b/glib/gdatetime.c
@@ -1402,6 +1402,7 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
gint i, offset_hours, offset_minutes;
gint offset_sign = 1;
GTimeZone *tz;
+ const char *tz_start;
/* UTC uses Z suffix */
if (length > 0 && text[length - 1] == 'Z')
@@ -1419,34 +1420,35 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
}
if (i < 0)
return NULL;
+ tz_start = text + i;
tz_length = length - i;
/* +hh:mm or -hh:mm */
- if (tz_length == 6 && text[i+3] == ':')
+ if (tz_length == 6 && tz_start[3] == ':')
{
- if (!get_iso8601_int (text + i + 1, 2, &offset_hours) ||
- !get_iso8601_int (text + i + 4, 2, &offset_minutes))
+ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) ||
+ !get_iso8601_int (tz_start + 4, 2, &offset_minutes))
return NULL;
}
/* +hhmm or -hhmm */
else if (tz_length == 5)
{
- if (!get_iso8601_int (text + i + 1, 2, &offset_hours) ||
- !get_iso8601_int (text + i + 3, 2, &offset_minutes))
+ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) ||
+ !get_iso8601_int (tz_start + 3, 2, &offset_minutes))
return NULL;
}
/* +hh or -hh */
else if (tz_length == 3)
{
- if (!get_iso8601_int (text + i + 1, 2, &offset_hours))
+ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours))
return NULL;
offset_minutes = 0;
}
else
return NULL;
- *tz_offset = i;
- tz = g_time_zone_new_identifier (text + i);
+ *tz_offset = tz_start - text;
+ tz = g_time_zone_new_identifier (tz_start);
/* Double-check that the GTimeZone matches our interpretation of the timezone.
* This can fail because our interpretation is less strict than (for example)
--
GitLab
From 4c56ff80344e0d8796eb2307091f7b24ec198aa9 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Tue, 18 Feb 2025 17:28:33 +0000
Subject: [PATCH 5/6] gdatetime: Factor out an undersized variable
For long input strings, it would have been possible for `i` to overflow.
Avoid that problem by using the `tz_length` instead, so that we count up
rather than down.
This commit introduces no functional changes (outside of changing
undefined behaviour), and can be verified using the identity
`i === length - tz_length`.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
---
glib/gdatetime.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/glib/gdatetime.c b/glib/gdatetime.c
index de5dd7af06..2f8c864a1f 100644
--- a/glib/gdatetime.c
+++ b/glib/gdatetime.c
@@ -1399,7 +1399,7 @@ static GTimeZone *
parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
{
size_t tz_length;
- gint i, offset_hours, offset_minutes;
+ gint offset_hours, offset_minutes;
gint offset_sign = 1;
GTimeZone *tz;
const char *tz_start;
@@ -1412,16 +1412,15 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
}
/* Look for '+' or '-' of offset */
- for (i = length - 1; i >= 0; i--)
- if (text[i] == '+' || text[i] == '-')
+ for (tz_length = 1; tz_length <= length; tz_length++)
+ if (text[length - tz_length] == '+' || text[length - tz_length] == '-')
{
- offset_sign = text[i] == '-' ? -1 : 1;
+ offset_sign = text[length - tz_length] == '-' ? -1 : 1;
break;
}
- if (i < 0)
+ if (tz_length > length)
return NULL;
- tz_start = text + i;
- tz_length = length - i;
+ tz_start = text + length - tz_length;
/* +hh:mm or -hh:mm */
if (tz_length == 6 && tz_start[3] == ':')
--
GitLab
From 7f6d81130ec05406a8820bc753ed03859e88daea Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Tue, 18 Feb 2025 18:20:56 +0000
Subject: [PATCH 6/6] tests: Add some missing GDateTime ISO8601 parsing tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This improves test coverage, adding coverage for some lines which I
spotted were not covered while testing the preceding commits.
It doesnt directly test the preceding commits, though.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
---
glib/tests/gdatetime.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c
index 9e1acd097b..94dd028a3a 100644
--- a/glib/tests/gdatetime.c
+++ b/glib/tests/gdatetime.c
@@ -866,6 +866,23 @@ test_GDateTime_new_from_iso8601 (void)
* NaN */
dt = g_date_time_new_from_iso8601 ("0005306 000001,666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666600080000-00", NULL);
g_assert_null (dt);
+
+ /* Various invalid timezone offsets which look like they could be in
+ * `+hh:mm`, `-hh:mm`, `+hhmm`, `-hhmm`, `+hh` or `-hh` format */
+ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+01:xx", NULL);
+ g_assert_null (dt);
+ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx:00", NULL);
+ g_assert_null (dt);
+ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx:xx", NULL);
+ g_assert_null (dt);
+ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+01xx", NULL);
+ g_assert_null (dt);
+ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx00", NULL);
+ g_assert_null (dt);
+ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xxxx", NULL);
+ g_assert_null (dt);
+ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx", NULL);
+ g_assert_null (dt);
}
typedef struct {
--
GitLab
Reference in New Issue View Git Blame Copy Permalink