Bug 1929858 (CVE-2021-27219) - CVE-2021-27219 glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-27219
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1941686 1929859 1929860 1929861 1929862 1939107 1939108 1939109 1939110 1939111 1941679 1941680 1941681 1941682 1941684 1941685 1941687 1941688 1941689 1960591 1960592 1960593 1960594 1960595 1960596 1960597 1960598 1960599 1960600 1960601 1967845 1967846
Blocks: 1929863
Reported: 2021-02-17 19:18 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-05-17 12:57 UTC

Fixed In Version: glib 2.67.3, glib 2.66.6
Doc Text:
An integer wraparound was discovered in glib due to passing a 64-bit value to the function g_memdup(), which accepts a 32-bit number as its argument. An attacker may abuse this flaw when an application linked against the glib library uses the g_bytes_new() function, or possibly other functions that use g_memdup() underneath and accept a 64-bit argument as size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-05-31 11:32:02 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:2252 0 None None None 2021-06-07 12:23:31 UTC
Red Hat Product Errata RHBA-2021:2253 0 None None None 2021-06-07 12:22:56 UTC
Red Hat Product Errata RHBA-2021:2254 0 None None None 2021-06-07 12:30:42 UTC
Red Hat Product Errata RHBA-2021:2255 0 None None None 2021-06-07 12:22:11 UTC
Red Hat Product Errata RHBA-2021:2256 0 None None None 2021-06-07 12:31:13 UTC
Red Hat Product Errata RHBA-2021:2265 0 None None None 2021-06-07 14:05:49 UTC
Red Hat Product Errata RHBA-2021:2266 0 None None None 2021-06-07 14:06:28 UTC
Red Hat Product Errata RHBA-2021:2281 0 None None None 2021-06-07 22:22:05 UTC
Red Hat Product Errata RHBA-2021:2282 0 None None None 2021-06-07 22:11:32 UTC
Red Hat Product Errata RHBA-2021:2283 0 None None None 2021-06-07 22:22:36 UTC
Red Hat Product Errata RHBA-2021:2295 0 None None None 2021-06-08 17:05:59 UTC
Red Hat Product Errata RHBA-2021:2366 0 None None None 2021-06-09 16:35:46 UTC
Red Hat Product Errata RHBA-2021:2373 0 None None None 2021-06-10 09:30:35 UTC
Red Hat Product Errata RHBA-2021:2376 0 None None None 2021-06-10 12:32:20 UTC
Red Hat Product Errata RHBA-2021:2377 0 None None None 2021-06-10 11:50:52 UTC
Red Hat Product Errata RHBA-2021:2378 0 None None None 2021-06-10 11:50:22 UTC
Red Hat Product Errata RHBA-2021:2403 0 None None None 2021-06-14 13:19:05 UTC
Red Hat Product Errata RHBA-2021:2404 0 None None None 2021-06-14 13:08:50 UTC
Red Hat Product Errata RHBA-2021:2411 0 None None None 2021-06-14 14:18:10 UTC
Red Hat Product Errata RHBA-2021:2412 0 None None None 2021-06-14 14:56:17 UTC
Red Hat Product Errata RHBA-2021:2413 0 None None None 2021-06-14 14:40:36 UTC
Red Hat Product Errata RHBA-2021:2423 0 None None None 2021-06-14 22:02:49 UTC
Red Hat Product Errata RHBA-2021:2434 0 None None None 2021-06-15 11:28:10 UTC
Red Hat Product Errata RHBA-2021:2443 0 None None None 2021-06-15 15:37:09 UTC
Red Hat Product Errata RHBA-2021:2444 0 None None None 2021-06-15 15:40:46 UTC
Red Hat Product Errata RHBA-2021:2448 0 None None None 2021-06-15 16:36:36 UTC
Red Hat Product Errata RHBA-2021:2513 0 None None None 2021-06-21 19:18:23 UTC
Red Hat Product Errata RHBA-2021:2527 0 None None None 2021-06-23 09:11:16 UTC
Red Hat Product Errata RHBA-2021:2539 0 None None None 2021-06-23 20:46:20 UTC
Red Hat Product Errata RHBA-2021:2600 0 None None None 2021-06-29 15:04:49 UTC
Red Hat Product Errata RHBA-2021:2627 0 None None None 2021-06-29 19:48:07 UTC
Red Hat Product Errata RHBA-2021:2633 0 None None None 2021-07-01 01:32:27 UTC
Red Hat Product Errata RHBA-2021:2637 0 None None None 2021-07-01 14:46:51 UTC
Red Hat Product Errata RHBA-2021:2640 0 None None None 2021-07-05 09:04:22 UTC
Red Hat Product Errata RHBA-2021:2645 0 None None None 2021-07-05 10:11:44 UTC
Red Hat Product Errata RHBA-2021:2650 0 None None None 2021-07-05 11:08:36 UTC
Red Hat Product Errata RHBA-2021:2651 0 None None None 2021-07-05 11:11:39 UTC
Red Hat Product Errata RHBA-2021:2699 0 None None None 2021-07-13 14:13:42 UTC
Red Hat Product Errata RHBA-2021:2744 0 None None None 2021-07-15 12:13:15 UTC
Red Hat Product Errata RHBA-2021:3132 0 None None None 2021-08-11 07:24:02 UTC
Red Hat Product Errata RHSA-2021:2467 0 None None None 2021-06-17 10:05:46 UTC
Red Hat Product Errata RHSA-2021:2519 0 None None None 2021-06-22 13:20:39 UTC
Red Hat Product Errata RHSA-2021:2522 0 None None None 2021-06-22 15:27:02 UTC
Red Hat Product Errata RHSA-2021:4526 0 None None None 2021-11-09 19:06:55 UTC

Description Guilherme de Almeida Suckevicz 2021-02-17 19:18:46 UTC
An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.

Reference:
https://gitlab.gnome.org/GNOME/glib/-/issues/2319

Comment 1 Guilherme de Almeida Suckevicz 2021-02-17 19:19:17 UTC
Created glib tracking bugs for this issue:

Affects: epel-7 [bug 1929861]
Affects: fedora-all [bug 1929859]


Created glib2 tracking bugs for this issue:

Affects: fedora-all [bug 1929860]


Created mingw-glib2 tracking bugs for this issue:

Affects: fedora-all [bug 1929862]

Comment 7 Riccardo Schirone 2021-05-13 14:21:43 UTC
GBytes is used to have an immutable representation of an array of bytes, so applications may read from it rather than writing user-controlled data into the allocated buffer. That effectively makes this more similar to an out-of-bounds read than to a flaw allowing (at least directly) memory corruption. For this reason, this flaw was rated as having a Moderate impact.

Comment 11 Riccardo Schirone 2021-05-14 08:56:59 UTC
In reply to comment #7:
> GBytes is used to have an immutable representation of an array of bytes, so
> applications may read from it rather than writing user-controlled data into
> the allocated buffer. That effectively makes this more similar to an
> out-of-bounds read than to a flaw allowing (at least directly) memory
> corruption. For this reason, this flaw was rated as having a Moderate impact.

After re-analyzing this issue, we re-evaluated this flaw as having an Important impact. This is due to the fact that the buffer allocated within GBytes could be taken through functions such as g_bytes_unref_to_data, which would report the wrong (big) size. Such data pointer and size could be used to write data into the raw buffer, wrongly assuming that `size` bytes are available in the buffer, though only a small amount of bytes have been allocated due to the integer truncation within GBytes. Such writes would be out-of-bounds and they could allow an attacker to execute code with the privileges of the application.
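
The size mismatch described in the Doc Text and in comment 11, as an added example that is not part of the bug report and is not GLib code. `struct blob`, `memdup32`, `blob_new_legacy` and `blob_new_checked` are hypothetical names in a constructed model, and a 64-bit build (64-bit `size_t`, 32-bit `unsigned int`) is assumed; the legacy constructor allocates only the low 32 bits of the length while recording all of it, and the checked one rejects lengths the 32-bit helper cannot carry.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not GLib source: size_t length, 32-bit copy helper. */
struct blob {
    void *data;
    size_t size, allocated; /* reported length vs bytes really allocated */
};

/* 32-bit length parameter, like the g_memdup() the page describes. */
static void *memdup32(const void *mem, unsigned int n, size_t *allocated)
{
    void *p = malloc(n ? n : 1);
    if (p != NULL && n != 0)
        memcpy(p, mem, n);
    *allocated = n;
    return p;
}

/* Flawed pattern: length narrowed at the call, stored at full width. */
static struct blob blob_new_legacy(const void *mem, size_t size)
{
    struct blob b = { NULL, size, 0 };
    b.data = memdup32(mem, (unsigned int)size, &b.allocated);
    return b;
}

/* Guarded pattern: refuse any length the 32-bit helper cannot carry. */
static int blob_new_checked(const void *mem, size_t size, struct blob *out)
{
    if (size > UINT_MAX)
        return -1;
    out->size = size;
    out->data = memdup32(mem, (unsigned int)size, &out->allocated);
    return out->data != NULL ? 0 : -1;
}

int main(void)
{
    unsigned char src[16] = { 0 };          /* constructed input */
    size_t claimed = (size_t)UINT_MAX + 17; /* 2^32 + 16 on a 64-bit build */
    struct blob bad = blob_new_legacy(src, claimed), ok;
    printf("legacy: reports %zu, allocated %zu; checked: %d\n",
           bad.size, bad.allocated, blob_new_checked(src, claimed, &ok));
    free(bad.data);
    return 0;
}
```

Any consumer that trusts `bad.size` believes it owns 4294967312 bytes when only 16 were allocated, which is the gap comment 11 identifies as the source of out-of-bounds writes.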

Comment 19 errata-xmlrpc 2021-05-31 10:14:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2147 https://access.redhat.com/errata/RHSA-2021:2147

Comment 20 Product Security DevOps Team 2021-05-31 11:32:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-27219

Comment 21 errata-xmlrpc 2021-06-01 10:46:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2172 https://access.redhat.com/errata/RHSA-2021:2172

Comment 22 errata-xmlrpc 2021-06-01 10:52:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:2173 https://access.redhat.com/errata/RHSA-2021:2173

Comment 23 errata-xmlrpc 2021-06-01 10:55:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2171 https://access.redhat.com/errata/RHSA-2021:2171

Comment 24 errata-xmlrpc 2021-06-01 11:21:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:2174 https://access.redhat.com/errata/RHSA-2021:2174

Comment 25 errata-xmlrpc 2021-06-01 11:42:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2170 https://access.redhat.com/errata/RHSA-2021:2170

Comment 26 errata-xmlrpc 2021-06-01 12:02:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:2175 https://access.redhat.com/errata/RHSA-2021:2175

Comment 27 errata-xmlrpc 2021-06-02 14:58:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2021:2203 https://access.redhat.com/errata/RHSA-2021:2203

Comment 28 errata-xmlrpc 2021-06-02 16:33:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:2204 https://access.redhat.com/errata/RHSA-2021:2204

Comment 29 Vance 2021-06-03 16:01:58 UTC
This vulnerability is also present in the latest ubi8 image. When can we expect a new image?

Thanks!

Comment 35 errata-xmlrpc 2021-06-17 10:05:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2021:2467 https://access.redhat.com/errata/RHSA-2021:2467

Comment 36 errata-xmlrpc 2021-06-22 13:20:31 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2021:2519 https://access.redhat.com/errata/RHSA-2021:2519

Comment 37 errata-xmlrpc 2021-06-22 14:55:00 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:2522 https://access.redhat.com/errata/RHSA-2021:2522

Comment 38 errata-xmlrpc 2021-06-22 15:26:29 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:2522 https://access.redhat.com/errata/RHSA-2021:2522

Comment 41 errata-xmlrpc 2021-11-09 19:06:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4526 https://access.redhat.com/errata/RHSA-2021:4526

