An integer overflow vulnerability exists in the g_string_maybe_expand() function of the GLib library. When extremely large strings are used and more data is appended, an internal size calculation can wrap around, making the system incorrectly assume that there’s enough space in the buffer. This leads to a buffer overflow, causing memory corruption or a crash. Although difficult to exploit in practice due to the extremely large memory conditions required, this issue could be triggered remotely if an application accepts large untrusted input and uses GString for string operations.
Affected versions: GLib 2.75.3 until 2.84.3
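Added illustration, not GLib's own code: a hypothetical GString-like buffer whose naive `len + add + 1` size check wraps for a very large string, beside a checked version that refuses the append instead of skipping the realloc and writing past the buffer. `MyString`, `naive_fits`, `checked_fits` and `my_string_append_len` are invented names; `__builtin_add_overflow` is the GCC/Clang intrinsic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical GString-like buffer; a stand-in for illustration only. */
typedef struct { char *str; size_t len; size_t allocated_len; } MyString;
typedef enum { SIZE_FITS, SIZE_NEEDS_GROW, SIZE_OVERFLOW } SizeCheck;

/* Naive check: "len + add + 1" is computed in size_t and wraps silently, so a
 * huge string plus a small append can look like it fits in a tiny buffer. */
bool naive_fits(size_t len, size_t add, size_t allocated)
{
  size_t needed = len + add + 1;   /* may wrap to a small value */
  return needed <= allocated;
}

/* Hardened check: detect the wrap before trusting the sum. */
SizeCheck checked_fits(size_t len, size_t add, size_t allocated)
{
  size_t needed;
  if (__builtin_add_overflow(len, add, &needed) ||
      __builtin_add_overflow(needed, (size_t)1, &needed))
    return SIZE_OVERFLOW;
  return needed <= allocated ? SIZE_FITS : SIZE_NEEDS_GROW;
}

/* Append that refuses the operation when the size would wrap.
 * Returns 0 on success, -1 on overflow or allocation failure. */
int my_string_append_len(MyString *s, const char *data, size_t add)
{
  switch (checked_fits(s->len, add, s->allocated_len)) {
  case SIZE_OVERFLOW: return -1;
  case SIZE_NEEDS_GROW: {
    size_t new_alloc = s->len + add + 1;   /* cannot wrap: checked above */
    char *p = realloc(s->str, new_alloc);  /* s->str may be NULL initially */
    if (!p) return -1;
    s->str = p;
    s->allocated_len = new_alloc;
    break;
  }
  case SIZE_FITS: break;
  }
  memcpy(s->str + s->len, data, add);
  s->len += add;
  s->str[s->len] = '\0';
  return 0;
}
```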
(In reply to Abhishek Raj from comment #1)
> Affected versions: GLib 2.75.3 until 2.84.3

Hello. Are you sure 2.84.3 is affected as well? If the fix is the following one:
https://github.com/GNOME/glib/commit/33d9ba2fcc907b4f9a6c0540f9976b64b6f59db2
Then it has been embedded into 2.85.1 [1] and 2.84.3 [2][3]

[1] https://github.com/GNOME/glib/commit/33d9ba2fcc907b4f9a6c0540f9976b64b6f59db2
[2] https://github.com/GNOME/glib/commit/37eecaa7efc48a0df22277444ff25ff791ac0ac1
[3] https://github.com/GNOME/glib/commit/987309f23ada52592bffdb5db0d8a5d58bd8097b

Can you please confirm? Thanks
(In reply to Wilfried P from comment #2)
> If the fix is the following one:
> https://github.com/GNOME/glib/commit/33d9ba2fcc907b4f9a6c0540f9976b64b6f59db2

Yes, that's the fix. It caused a regression that was fixed in 2.85.2 with:
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4681
https://github.com/GNOME/glib/commit/e6b4c28bbaa381785ea319888278906454ff9e0e
(In reply to Wilfried P from comment #2)
> If the fix is the following one:
> https://github.com/GNOME/glib/commit/33d9ba2fcc907b4f9a6c0540f9976b64b6f59db2
>
> Then it has been embedded into 2.85.1 [1] and 2.84.3 [2][3]
>
> [1] https://github.com/GNOME/glib/commit/33d9ba2fcc907b4f9a6c0540f9976b64b6f59db2
> [3] https://github.com/GNOME/glib/commit/987309f23ada52592bffdb5db0d8a5d58bd8097b

Yes, [3] is the backport of the fix for 2.84.x.