1. Forum
  2. Usenet
  3. LINUX.GENTOO.ANNOUNCE

  • [gentoo-announce] [ GLSA 202311-18 ] GLib: Multiple Vulnerabilities

    From [email protected]@21:1/5 to All on Mon Nov 27 13:40:01 2023
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202311-18
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: High
    Title: GLib: Multiple Vulnerabilities
    Date: November 27, 2023
    Bugs: #886197, #887807
    ID: 202311-18

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    Multiple vulnerabilities have been discovered in GLib.

    Background
    ==========

    GLib is a library providing a number of GNOME's core objects and
    functions.

    Affected packages
    =================

    Package Vulnerable Unaffected
    ------------- ------------ ------------
    dev-libs/glib < 2.74.4 >= 2.74.4

    Description
    ===========

    Multiple vulnerabilities have been discovered in GLib. Please review the referenced CVEs for details.

    Impact
    ======

    GVariant deserialization is vulnerable to an exponential blowup issue
    where a crafted GVariant can cause excessive processing, leading to
    denial of service.

    GVariant deserialization fails to validate that the input conforms to
    the expected format, leading to denial of service.

    GVariant deserialization is vulnerable to a slowdown issue where a
    crafted GVariant can cause excessive processing, leading to denial of
    service.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All GLib users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/glib-2.74.4"

    References
    ==========

    [ 1 ] CVE-2023-29499
    https://nvd.nist.gov/vuln/detail/CVE-2023-29499
    [ 2 ] CVE-2023-32611
    https://nvd.nist.gov/vuln/detail/CVE-2023-32611
    [ 3 ] CVE-2023-32665
    https://nvd.nist.gov/vuln/detail/CVE-2023-32665

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202311-18

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to [email protected] or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2023 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmVki40ACgkQFMQkOaVy +9ncNRAAg2dZKBzL6eeiRQYPRL7IrEC3s8WnhyFcubcBDpxrExUDFVlDZVep5dos BXmcHc/6g8j8lYAoGcmI7ggEgheEAic7I5yIviJjBwDDnyDMKWfwk29rXg/xKPlo DnhbyMU0Qo9hrntqdz/+XShZdSYGwQNSaIuuLFYNr8CSTUSoC9NZRN+YJKJePjnc oZWutQfG1I795FJnjEmKYMEaGnsxBPDe3datT6vKYCevlWk70M2ORfH5Z5deo6c+ pgxwcd7eMUpmvi/pQSRiKU0slbC31N08ubBnqiXkmBQz4ha+bp/LqwF1wSPNeFpi wMWRZ1KZbssnIhetv/xIVBEeberF061DHbVQLpAcxnkcwhrNmLwKcDRHLYIt1ThZ IIvSUPCuVX3HhPo+I1xG9CkY1OXZ3iQHjj3RyV2OFjIx9l91TeZiqSljnwWz+UOR 1oVZqbQpto/T8viGMHeltl+bH342UeztngS62pwAMZ+lanp6KxcOphQ/AK72lfAz bRLPY+2ZyS4sK23Yz4l6NumeI6HsV+WMxMgPKA6qS0N+YZaq+AqzYQvy4UxaVJox XEWXW1xElWYvdV6Ql3Fq0r8NHKbIW/OJkwWOmjQpMHVwd2wCFdGZb6fyldMMdXoh w1qIMymD9sMQRGC/Zm4J9bzL19kSA9LyC/DbiqdT4/Qvyed80No=
    =8nel
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)