Bug 2325340 (CVE-2024-52533)

Summary: CVE-2024-52533 glib: buffer overflow in set_connect_msg()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, dave.mcinnis, kshier, mcatanza, omaciel, prodsec-dev, shaising, stcannon, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---Flags: omaciel: needinfo-
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Glib library. A buffer overflow condition can be triggered in certain conditions due to an off-by-one error in SOCKS4_CONN_MSG_LEN. This issue may lead to an application crash or other undefined behavior.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2325360, 2325361, 2325362    
Bug Blocks:    

Description OSIDB Bzimport 2024-11-11 23:01:12 UTC 
gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character.
Comment 2 David McInnis 2024-11-27 20:59:45 UTC 
RHEL 9 is in a "Will not fix" state according to CVE-2024-52533.

Can anyone explain the justification for not fixing for RHEL9?

Also, is there a link with additional Red Hat information beyond this bug and the CVE page?

Thanks,

-Dave
Comment 4 Alison Dudiak 2025-01-15 18:25:17 UTC 
I believe I have been incorrectly added to this ticket. Nothing to report.
Comment 5 errata-xmlrpc 2025-02-04 00:29:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:0936 https://access.redhat.com/errata/RHSA-2025:0936
Comment 7 Michael Catanzaro 2025-04-14 16:56:16 UTC 
(In reply to David McInnis from comment #2)
> RHEL 9 is in a "Will not fix" state according to CVE-2024-52533.
> 
> Can anyone explain the justification for not fixing for RHEL9?

Hi, this is a very low-severity issue. Only affects you if (a) username component of URL is exactly 255 bytes, AND (b) hostname component of URL is also exactly 255 bytes. In the extremely unlikely event you're using a socks4a proxy with a URL that meets both of those conditions, or have decided to allow an attacker to specify which proxy URLs to use for some very strange reason, then the impact is a one byte out of bounds write that is not attacker-controlled (it will always be the trailing nul byte). Suffice to say CVSS scores do not always map well to actual risk, and I wouldn't worry about this one.

If I were analyzing this today, I would not have requested a CVE at all since the risk here is very low. Surely there are very many far more serious issues that never receive CVE IDs. However, it is an out of bounds write, so it is technically a vulnerability.

> Also, is there a link with additional Red Hat information beyond this bug
> and the CVE page?

See: https://gitlab.gnome.org/GNOME/glib/-/issues/3461