GLib's GVariant deserialization prior to GLib 2.74.4 failed to validate the input conforms to the expected format, leading to denial of service. Referenves: https://gitlab.gnome.org/GNOME/glib/-/issues/2794
Created glib tracking bugs for this issue: Affects: epel-all [bug 2212699] Created glib2 tracking bugs for this issue: Affects: fedora-37 [bug 2212700] Affects: fedora-38 [bug 2212704] Created mingw-glib2 tracking bugs for this issue: Affects: fedora-37 [bug 2212701] Affects: fedora-38 [bug 2212707]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6631 https://access.redhat.com/errata/RHSA-2023:6631
This vulnerability allows for a denial of service attack to be performed against applications that process untrusted GVariant input, compromising application availability by consuming excessive processing time or utilizing a large quantity of memory. The most likely threat is from a local user, which may be possible depending on the configuration of the service and the format of parameters that it expects. While a remote attack is possible if the application is configured to read GVariants over a network connection, this is not the default configuration which makes the likelihood low. Because the most widely available attack vector is local and the consequences are limited to denial of service, Red Hat Product Security rates the impact as Low.