An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption. Reference: https://gitlab.gnome.org/GNOME/glib/-/issues/2319
Created glib tracking bugs for this issue:
Affects: epel-7 [bug 1929861]
Affects: fedora-all [bug 1929859]
Created glib2 tracking bugs for this issue:
Affects: fedora-all [bug 1929860]
Created mingw-glib2 tracking bugs for this issue:
Affects: fedora-all [bug 1929862]
Upstream patches:
https://gitlab.gnome.org/GNOME/glib/-/commit/20cfc75d148e3be0c026cc7eff3a9cdb72bf5c56 [2.67.x]
https://gitlab.gnome.org/GNOME/glib/-/commit/e8fe1d51fe07f506211680c76145eea737f4bf30 [2.66.x]
GBytes is used to have an immutable representation of an array of bytes, so applications may read from it rather than writing user-controlled data into the allocated buffer. That effectively makes this more similar to an out-of-bounds read than to a flaw allowing (at least directly) memory corruption. For this reason, this flaw was rated as having a Moderate impact.
In reply to comment #7:
> GBytes is used to have an immutable representation of an array of bytes, so
> applications may read from it rather than writing user-controlled data into
> the allocated buffer. That effectively makes this more similar to an
> out-of-bounds read than to a flaw allowing (at least directly) memory
> corruption. For this reason, this flaw was rated as having a Moderate impact.

After re-analyzing this issue, we re-evaluated this flaw as having an Important impact. This is due to the fact that the buffer allocated within GBytes could be taken through functions such as g_bytes_unref_to_data, which would report the wrong (big) size. Such data pointer and size could be used to write data into the raw buffer, wrongly assuming that `size` bytes are available in the buffer, though only a small amount of bytes have been allocated due to the integer truncation within GBytes. Such writes would be out-of-bounds and they could allow an attacker to execute code with the privileges of the application.
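The size mismatch described in the comment above, as an added example that is not part of the original thread and is not GLib code: a 64-bit length is narrowed to 32 bits on the allocation path while the full value is kept as the reported size. The struct and function names are hypothetical, the input value is constructed, and the checked variant is one defensive option, not the upstream patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: the size a container reports vs. the bytes it allocated. */
struct bytes_model {
    uint64_t reported_size;  /* caller's 64-bit length, stored unchanged */
    uint32_t allocated_size; /* length the 32-bit copy helper actually saw */
};

/* Vulnerable pattern: a 64-bit length reaches a 32-bit parameter. The cast is
 * written out here; in the flawed code it happened implicitly at the call. */
struct bytes_model bytes_new_truncating(uint64_t size)
{
    struct bytes_model b;
    b.reported_size = size;
    b.allocated_size = (uint32_t)size; /* high 32 bits silently dropped */
    return b;
}

/* Bytes a writer would run past the allocation if it trusted reported_size. */
uint64_t overrun_bytes(struct bytes_model b)
{
    return b.reported_size - b.allocated_size;
}

/* Defensive variant (an assumption, not the upstream patch): refuse any length
 * that does not survive the narrowing. Returns 0 on success, -1 on rejection. */
int bytes_new_checked(uint64_t size, struct bytes_model *out)
{
    if (size > UINT32_MAX)
        return -1;
    out->reported_size = size;
    out->allocated_size = (uint32_t)size;
    return 0;
}

int main(void)
{
    uint64_t size = 0x100000010ULL; /* constructed input: 4 GiB + 16 bytes */
    struct bytes_model b = bytes_new_truncating(size);
    struct bytes_model ok;

    printf("reported=%llu allocated=%u overrun=%llu\n",
           (unsigned long long)b.reported_size, b.allocated_size,
           (unsigned long long)overrun_bytes(b));
    printf("checked(4GiB+16)=%d checked(1024)=%d\n",
           bytes_new_checked(size, &ok), bytes_new_checked(1024, &ok));
    return 0;
}
```

Lengths below 4 GiB pass through unchanged, which is why the mismatch only appears on 64-bit platforms where the caller's size type is wider than the 32-bit parameter.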
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2147 https://access.redhat.com/errata/RHSA-2021:2147
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-27219
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:2172 https://access.redhat.com/errata/RHSA-2021:2172
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support Via RHSA-2021:2173 https://access.redhat.com/errata/RHSA-2021:2173
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:2171 https://access.redhat.com/errata/RHSA-2021:2171
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support; Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions; Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2021:2174 https://access.redhat.com/errata/RHSA-2021:2174
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2170 https://access.redhat.com/errata/RHSA-2021:2170
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2021:2175 https://access.redhat.com/errata/RHSA-2021:2175
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Advanced Update Support Via RHSA-2021:2203 https://access.redhat.com/errata/RHSA-2021:2203
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2021:2204 https://access.redhat.com/errata/RHSA-2021:2204
This vulnerability is also present in the latest ubi8 image. When can we expect a new image? Thanks!
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Extended Lifecycle Support Via RHSA-2021:2467 https://access.redhat.com/errata/RHSA-2021:2467
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2021:2519 https://access.redhat.com/errata/RHSA-2021:2519
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2021:2522 https://access.redhat.com/errata/RHSA-2021:2522
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4526 https://access.redhat.com/errata/RHSA-2021:4526