Bug 2211833 (CVE-2023-32636) - CVE-2023-32636 glib: Timeout in fuzz_variant_text
Summary: CVE-2023-32636 glib: Timeout in fuzz_variant_text
Keywords:
Status: NEW
Alias: CVE-2023-32636
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2212720 2212721 2212722 2212723 2212724 2212725 2212726 2212727 2212728
Blocks: 2160453
TreeView+ depends on / blocked
 
Reported: 2023-06-02 07:25 UTC by Dhananjay Arunesh
Modified: 2024-01-30 14:38 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Dhananjay Arunesh 2023-06-02 07:25:50 UTC
GLib's GVariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of GLib, but does affect GLib distributors who followed the guidance of GLib developers to backport the initial fix for CVE-2023-29499

References:
https://gitlab.gnome.org/GNOME/glib/-/issues/2841

Comment 2 Dhananjay Arunesh 2023-06-06 07:26:16 UTC
Created glib tracking bugs for this issue:

Affects: epel-all [bug 2212720]


Created glib2 tracking bugs for this issue:

Affects: fedora-37 [bug 2212721]
Affects: fedora-38 [bug 2212726]


Created mingw-glib2 tracking bugs for this issue:

Affects: fedora-37 [bug 2212723]
Affects: fedora-38 [bug 2212728]

Comment 3 Michael Catanzaro 2023-06-06 13:54:24 UTC
Remember that RHEL 8 and RHEL 9 are not affected by this issue. I didn't attempt to fix the earlier CVEs in RHEL 8, and in RHEL 9 I only fixed them for 9.3, which has not yet been released.

Comment 6 Dhananjay Arunesh 2024-01-22 10:25:11 UTC
This vulnerability allows for a denial of service attack to be performed against applications that process  untrusted GVariant input, compromising application availability by consuming excessive processing time or utilizing a large quantity of memory. The most likely threat is from a local user, which may be possible depending on the configuration of the service and the format of parameters that it expects. While a remote attack is possible if the application is configured to read GVariants over a network connection, this is not the default configuration which makes the likelihood low. Because the most widely available attack vector is local and the consequences are limited to denial of service, Red Hat Product Security rates the impact as Low.


Note You need to log in before you can comment on or make changes to this bug.