Bug 1129429 - (CVE-2019-9633) VUL-0: CVE-2019-9633: glib,glib2: g_socket_client_connected_callback in gio/gsocketclient.c allows to cause denial of service
Status: RESOLVED UPSTREAM
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/226034/
Reported: 2019-03-15 13:59 UTC by Robert Frohl
Modified: 2020-05-12 18:34 UTC (History)
Found By: Security Response Team

Attachments
QA Reproducer (126.56 KB, text/html)
2019-03-18 10:00 UTC, Robert Frohl

Description Robert Frohl 2019-03-15 13:59:34 UTC
rh#1687805

gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).

Upstream patch:
https://gitlab.gnome.org/GNOME/glib/commit/d553d92d6e9f53cbe5a34166fcb919ba652c6a8e

Upstream issue:
https://gitlab.gnome.org/GNOME/glib/issues/1649

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1687805
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9633
Comment 1 Robert Frohl 2019-03-15 14:30:44 UTC
Looking at the patch, only glib2 in these codestreams seems affected:
- SUSE:SLE-12:Update
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-15:Update
Comment 2 Robert Frohl 2019-03-18 10:00:42 UTC
Created attachment 800368
QA Reproducer

# download spoof.html and open in Epiphany
-> url bar shows spoofed address: 'https://www.Gmail.com:8080' (but should be file://<path>)
Comment 3 Qiang Zheng 2019-03-19 08:29:42 UTC
After some research: the fix is based on some of the latest upstream commits. Our product code does not use some of the structures and functions and is far behind it; an upgrade is recommended.
Comment 4 Marcus Meissner 2019-04-09 15:19:49 UTC
How big of a jump would that be? From which to which version?
Comment 5 Qiang Zheng 2019-04-16 05:44:23 UTC
This was a bug in GLib 2.59.1 only, and SUSE:SLE-15:Update/glib2/glib-2.54.3, SUSE:SLE-12:Update/glib2/glib-2.38.2, SUSE:SLE-12-SP2:Update/glib2/glib-2.48.2 do not have it.
Comment 6 Marcus Meissner 2019-04-16 06:03:06 UTC
Thanks, marked it as such and closing :)