SB2023041955 - Multiple vulnerabilities in Gnome GLib
Published: April 19, 2023 Updated: June 15, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2023-25180)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling a serialised variant. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
2) Input validation error (CVE-ID: CVE-2023-24593)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling a text-form variant. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
3) Heap-based buffer overflow (CVE-ID: CVE-2023-32643)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the g_variant_serialised_get_child() function. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Input validation error (CVE-ID: CVE-2023-29499)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
5) Resource exhaustion (CVE-ID: CVE-2023-32611)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the g_variant_byteswap() function. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
6) Resource exhaustion (CVE-ID: CVE-2023-32665)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
7) Input validation error (CVE-ID: CVE-2023-32636)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted GVariants to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835
- https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126
- https://bugzilla.redhat.com/show_bug.cgi?id=2181182
- https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3125
- https://bugzilla.redhat.com/show_bug.cgi?id=2181183
- https://bugzilla.redhat.com/show_bug.cgi?id=2211832
- https://gitlab.gnome.org/GNOME/glib/-/issues/2840
- https://bugzilla.redhat.com/show_bug.cgi?id=2211828
- https://gitlab.gnome.org/GNOME/glib/-/issues/2794
- https://bugzilla.redhat.com/show_bug.cgi?id=2211829
- https://gitlab.gnome.org/GNOME/glib/-/issues/2797
- https://bugzilla.redhat.com/show_bug.cgi?id=2211827
- https://gitlab.gnome.org/GNOME/glib/-/issues/2121
- https://bugzilla.redhat.com/show_bug.cgi?id=2211833
- https://gitlab.gnome.org/GNOME/glib/-/issues/2841