Bugzilla – Bug 1211945
VUL-0: CVE-2023-32665: glib2: GVariant deserialisation does not match spec for non-normal data
Last modified: 2024-02-22 14:38:35 UTC
CVE-2023-32665: GLib's GVariant deserialization prior to GLib 2.74.4 is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.
References:
https://gitlab.gnome.org/GNOME/glib/-/issues/2121
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32665
https://bugzilla.redhat.com/show_bug.cgi?id=2211827
https://bugzilla.redhat.com/show_bug.cgi?id=2211832
Hi Carlos, there seems to be a series of bugs related to glib2: bsc#1211945 bsc#1211946 bsc#1211947 bsc#1211948 bsc#1211951. Some of them are related to and dependent on each other. Since the changed code section seems non-trivial, could you please confirm for which versions of SLE we need the fixes?
Thanks Carlos! As I understood it, SLE-15:Update/glib2 is the only branch we'd consider backporting and fixing. Daike, could you help take care of this one please? Thank you.
SUSE-SU-2023:3535-1: An update that solves six vulnerabilities can now be installed.
Category: security (important)
Bug References: 1183533, 1211945, 1211946, 1211947, 1211948, 1211951
CVE References: CVE-2021-28153, CVE-2023-29499, CVE-2023-32611, CVE-2023-32636, CVE-2023-32643, CVE-2023-32665
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): glib2-2.54.3-150000.4.29.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): glib2-2.54.3-150000.4.29.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): glib2-2.54.3-150000.4.29.1
SUSE Enterprise Storage 6 (src): glib2-2.54.3-150000.4.29.1
SUSE CaaS Platform 4.0 (src): glib2-2.54.3-150000.4.29.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.