Bugzilla – Bug 1129429
VUL-0: CVE-2019-9633: glib,glib2: g_socket_client_connected_callback in gio/gsocketclient.c allows remote attackers to cause a denial of service
Last modified: 2020-05-12 18:34:49 UTC
rh#1687805 gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).

Upstream patch: https://gitlab.gnome.org/GNOME/glib/commit/d553d92d6e9f53cbe5a34166fcb919ba652c6a8e
Upstream issue: https://gitlab.gnome.org/GNOME/glib/issues/1649

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1687805
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9633
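The description above boils down to an object-lifetime bug in asynchronous C code: the connection-attempt state borrows a pointer to its parent task without owning a reference, the attempt callback completes the task, the task's owner drops the last reference, and the enumeration then keeps using the dead object. The following toy program is an added illustration of that bug class and of the fix pattern (hold a reference for the duration of the enumeration). It is not GLib code and not the upstream patch: `Task`, `Attempt`, the candidate address list and the exact point at which the owner releases its reference are all constructed assumptions modelled on the wording of the advisory, and freeing is simulated by clearing an `alive` flag so the misuse can be observed without touching freed memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a refcounted GTask (illustrative model, not GLib's type). */
typedef struct {
    int  refcount;
    bool alive;      /* false once the last ref is dropped; real code would free() here */
    bool completed;
    int  attempts;   /* bookkeeping the enumerator updates after every try */
} Task;

static Task *task_new(void)
{
    Task *t = calloc(1, sizeof *t);
    if (!t) abort();
    t->refcount = 1;
    t->alive = true;
    return t;
}

static Task *task_ref(Task *t) { t->refcount++; return t; }

static void task_unref(Task *t)
{
    if (--t->refcount == 0)
        t->alive = false;   /* models g_free(): the object is gone from here on */
}

/* The API user's completion handler: it owns one reference and releases it. */
static void on_task_completed(Task *t) { task_unref(t); }

static void task_return(Task *t)
{
    t->completed = true;
    on_task_completed(t);
}

/* Constructed candidate list: only the second address "connects". */
typedef struct { const char *addr; bool reachable; } Candidate;
static const Candidate CANDIDATES[] = {
    { "192.0.2.10", false },
    { "192.0.2.11", true  },
    { "192.0.2.12", false },
};
#define N_CANDIDATES (sizeof CANDIDATES / sizeof CANDIDATES[0])

/* Per-enumeration state: `task` is borrowed in the buggy path, owned in the fixed one. */
typedef struct { Task *task; size_t next; } Attempt;

/* One connection attempt. Returns true when it completed the parent task
 * (either the address connected, or the list is exhausted -> error). */
static bool try_candidate(Attempt *a)
{
    const Candidate *c = &CANDIDATES[a->next++];
    bool done = c->reachable || a->next == N_CANDIDATES;
    if (done)
        task_return(a->task);   /* after this the owner may have dropped its ref */
    return done;                /* deliberately does not re-read a->task */
}

/* Runs the enumeration; hold_ref selects the vulnerable or the fixed pattern.
 * Returns how many times the enumerator touched a task that was already dead. */
static int run_enumeration(bool hold_ref)
{
    Task *task = task_new();                        /* the owner's reference */
    Attempt a = { hold_ref ? task_ref(task) : task, 0 };
    int dead_touches = 0;

    while (a.next < N_CANDIDATES) {
        bool done = try_candidate(&a);
        /* Post-attempt bookkeeping on the parent task: unsafe once the
         * callback let the owner release the last reference. */
        if (!a.task->alive)
            dead_touches++;
        else
            a.task->attempts++;
        if (done)
            break;
    }
    if (hold_ref)
        task_unref(a.task);     /* the fix: the enumeration's own ref goes last */
    free(task);                 /* model cleanup only; see task_unref */
    return dead_touches;
}

int main(void)
{
    printf("borrowed task pointer: %d dead access(es)\n", run_enumeration(false));
    printf("held reference:        %d dead access(es)\n", run_enumeration(true));
    return 0;
}
```

Under a memory checker (ASan, valgrind) the borrowed-pointer variant of real code shows up as a heap-use-after-free in the enumeration's continuation; the reference-holding variant does not, because the task cannot be freed before the enumeration has finished with it.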
Looking at the patch, only glib2 in these codestreams seems affected:
- SUSE:SLE-12:Update
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-15:Update
Created attachment 800368 [details]
QA Reproducer

# download spoof.html and open in Epiphany -> url bar shows spoofed address: 'https://www.Gmail.com:8080' (but should be file://<path>)
After some research: the fix is based on some of the latest upstream commits; our product code does not use some of those structures and functions and is far behind it, so an upgrade is recommended.
how big of a jump would that be? from which to which version?
This was a bug in GLib 2.59.1 only, and SUSE:SLE-15:Update/glib2/glib-2.54.3, SUSE:SLE-12:Update/glib2/glib-2.38.2 and SUSE:SLE-12-SP2:Update/glib2/glib-2.48.2 do not have it.
thanks, marked it as such and closing :)