Bug 2211833 (CVE-2023-32636)

Summary: CVE-2023-32636 glib: Timeout in fuzz_variant_text
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: mcatanza, mdean, rh-spice-bugs, virt-maint, walters
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2212727, 2212720, 2212721, 2212722, 2212723, 2212724, 2212725, 2212726, 2212728    
Bug Blocks: 2160453    

Description Dhananjay Arunesh 2023-06-02 07:25:50 UTC 
GLib's GVariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of GLib, but does affect GLib distributors who followed the guidance of GLib developers to backport the initial fix for CVE-2023-29499

References:
https://gitlab.gnome.org/GNOME/glib/-/issues/2841
Comment 2 Dhananjay Arunesh 2023-06-06 07:26:16 UTC 
Created glib tracking bugs for this issue:

Affects: epel-all [bug 2212720]


Created glib2 tracking bugs for this issue:

Affects: fedora-37 [bug 2212721]
Affects: fedora-38 [bug 2212726]


Created mingw-glib2 tracking bugs for this issue:

Affects: fedora-37 [bug 2212723]
Affects: fedora-38 [bug 2212728]
Comment 3 Michael Catanzaro 2023-06-06 13:54:24 UTC 
Remember that RHEL 8 and RHEL 9 are not affected by this issue. I didn't attempt to fix the earlier CVEs in RHEL 8, and in RHEL 9 I only fixed them for 9.3, which has not yet been released.