Bug 1211948 (CVE-2023-32636)

Summary: VUL-0: CVE-2023-32636: glib2: fuzz_variant_text: timeout in fuzz_variant_text()
Product: [Novell Products] SUSE Security Incidents
Reporter: Carlos López <carlos.lopez>
Component: Incidents
Assignee: E-mail List <gnome-bugs>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/368203/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-32636:6.5:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Carlos López 2023-06-02 08:24:02 UTC
CVE-2023-32636

GLib's GVariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of GLib, but does affect GLib distributors who followed the guidance of GLib developers to backport the initial fix for CVE-2023-29499.

References:
https://gitlab.gnome.org/GNOME/glib/-/issues/2841

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32636
https://bugzilla.redhat.com/show_bug.cgi?id=2211833

Comment 1 Carlos López 2023-06-02 08:24:41 UTC
(In reply to Carlos López from comment #0)
> This bug does not affect any
> released version of GLib, but does affect GLib distributors who followed the
> guidance of GLib developers to backport the initial fix for CVE 2023-29499

This is bsc#1211947

Comment 5 Maintenance Automation 2023-09-05 16:30:23 UTC
SUSE-SU-2023:3535-1: An update that solves six vulnerabilities can now be installed.

Category: security (important)
Bug References: 1183533, 1211945, 1211946, 1211947, 1211948, 1211951
CVE References: CVE-2021-28153, CVE-2023-29499, CVE-2023-32611, CVE-2023-32636, CVE-2023-32643, CVE-2023-32665
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): glib2-2.54.3-150000.4.29.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): glib2-2.54.3-150000.4.29.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): glib2-2.54.3-150000.4.29.1
SUSE Enterprise Storage 6 (src): glib2-2.54.3-150000.4.29.1
SUSE CaaS Platform 4.0 (src): glib2-2.54.3-150000.4.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.