Bug 1182362 - (CVE-2021-27219) VUL-0: CVE-2021-27219: glib2: integer overflow in g_bytes_new due to an implicit cast from 64 bits to 32 bits
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/277974/
CVSSv3.1:SUSE:CVE-2021-27219:6.1:(AV:...
Reported: 2021-02-17 12:10 UTC by Alexandros Toptsoglou
Modified: 2022-06-10 10:16 UTC
Found By: Security Response Team

Description Alexandros Toptsoglou 2021-02-17 12:10:37 UTC
CVE-2021-27219

An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3.
The function g_bytes_new has an integer overflow on 64-bit platforms due to an
implicit cast from 64 bits to 32 bits. The overflow could potentially lead to
memory corruption.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27219
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27219
https://gitlab.gnome.org/GNOME/glib/-/issues/2319
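The narrowing the description refers to, as an added illustration that is not glib's own code: a stand-in for the old g_memdup() whose count is a 32-bit guint, a g_memdup2()-style replacement that keeps the full size, and the guard a caller can apply while it is still limited to the old API. The names Bytes, memdup_legacy, memdup2, legacy_effective_size, bytes_new_checked and bytes_new_fixed are assumptions for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for GBytes: an owned copy plus the length recorded for it. */
typedef struct { unsigned char *data; uint64_t size; } Bytes;

/* Models pre-fix g_memdup(): the count is a 32-bit guint, so the 64-bit
 * gsize that g_bytes_new() passes is implicitly cast and truncated. */
static unsigned char *memdup_legacy(const void *mem, unsigned int n)
{
    unsigned char *copy = malloc(n);
    if (copy) memcpy(copy, mem, n);
    return copy;
}

/* Models the upstream fix, g_memdup2(): size_t end to end, no narrowing. */
static unsigned char *memdup2(const void *mem, size_t n)
{
    unsigned char *copy = malloc(n);
    if (copy) memcpy(copy, mem, n);
    return copy;
}

/* Bytes the legacy path really allocates for a 64-bit request: the upper
 * 32 bits are dropped while the caller still records the full length, so
 * later reads of the Bytes run past the allocation. */
uint64_t legacy_effective_size(uint64_t requested)
{
    return (unsigned int)requested;   /* the implicit 64 -> 32 bit cast */
}

/* Guard for callers stuck on the old API: refuse instead of narrowing.
 * Returns 0 on success, -1 if the length would be truncated or on OOM. */
int bytes_new_checked(Bytes *out, const void *data, uint64_t size)
{
    if (size > UINT_MAX) return -1;
    out->data = memdup_legacy(data, (unsigned int)size);
    out->size = size;
    return out->data ? 0 : -1;
}

/* Fixed constructor mirroring the g_memdup2() backport: the length type
 * is as wide as what the platform can allocate, so no cast shrinks it. */
int bytes_new_fixed(Bytes *out, const void *data, uint64_t size)
{
    if (size > SIZE_MAX) return -1;
    out->data = memdup2(data, (size_t)size);
    out->size = size;
    return out->data ? 0 : -1;
}
```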
Comment 1 Alexandros Toptsoglou 2021-02-17 12:15:29 UTC
Tracked as affected: SLE12-SP2, SLE15 and SLE15-SP2
Comment 2 Alexandros Toptsoglou 2021-02-17 12:18:10 UTC
Upstream suggests that the backport might create regressions. The upstream fix is located at [1], but take care with any related regression fixes as described at [2]. CVE-2021-27218 at bsc#1182328 belongs to those regression fixes.

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1926/commits
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/2319
Comment 4 Alynx Zhou 2021-03-04 08:32:00 UTC
https://build.opensuse.org/request/show/876686
SR to GNOME:STABLE:3.34.

This SR contains a long patch (glib2-CVE-2021-27219-add-g_memdup2.patch, nearly 2000 lines) which is made of changes from glgo#GNOME/glib!1927, glgo#GNOME/glib!1933, glgo#GNOME/glib!1943.

glgo#GNOME/glib!1927 is a backport of glgo#GNOME/glib!1926, which adds g_memdup2 as an internal function to prevent an API break for old versions. This MR has 11 commits to replace g_memdup with g_memdup2 and some tests; I managed to backport it.

And according to https://gitlab.gnome.org/GNOME/glib/-/issues/2319#note_1030152 and https://gitlab.gnome.org/GNOME/glib/-/issues/2319#note_1032376, glgo#GNOME/glib!1933 and glgo#GNOME/glib!1943 are also needed to fix some regressions, so I also added them into glib2-CVE-2021-27219-add-g_memdup2.patch.

For some older versions (SLE-15 and SLE-12-SP2), commits `54317c911` and `9e45b9581` are also needed to apply the changes in glgo#GNOME/glib!1943, so I also backported them as internal functions in this patch.

I built the package successfully and ran some tests, it's fun, but I am not sure such a complex patch is OK (though it looks just OK :), please tell me if you have advice.
Comment 5 Alynx Zhou 2021-03-04 08:37:04 UTC
https://build.suse.de/request/show/237236
SR to Devel:Desktop:SLE-15
Comment 6 Alynx Zhou 2021-03-04 08:37:42 UTC
https://build.suse.de/request/show/237235
SR to Devel:Desktop:SLE12:SP2
Comment 7 Alynx Zhou 2021-03-05 01:00:29 UTC
Forgot to remove some unused files, I have sent new SRs to GNOME:STABLE:3.34 and SLE-12-SP2:

https://build.opensuse.org/request/show/876844

https://build.suse.de/request/show/237371
Comment 8 Alynx Zhou 2021-03-05 02:18:06 UTC
https://build.opensuse.org/request/show/876859
SR to GNOME:STABLE:3.26
Comment 9 Alynx Zhou 2021-03-05 07:16:32 UTC
https://build.suse.de/request/show/237382
SR to SLE-12-SP2
Comment 10 Alynx Zhou 2021-03-05 07:30:59 UTC
https://build.suse.de/request/show/237383
SR to SLE-15
Comment 11 Alynx Zhou 2021-03-05 07:34:38 UTC
https://build.suse.de/request/show/237385
SR to SLE-15-SP2
Comment 12 Alynx Zhou 2021-03-12 06:38:57 UTC
SR accepted and assigned back to security team.
Comment 13 Swamp Workflow Management 2021-03-12 20:18:59 UTC
SUSE-SU-2021:0778-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1182328,1182362
CVE References: CVE-2021-27218,CVE-2021-27219
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    glib2-2.62.6-3.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    glib2-2.62.6-3.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    glib2-2.62.6-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2021-03-16 17:19:26 UTC
SUSE-SU-2021:0801-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1182328,1182362
CVE References: CVE-2021-27218,CVE-2021-27219
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    glib2-2.48.2-12.22.1
SUSE OpenStack Cloud Crowbar 8 (src):    glib2-2.48.2-12.22.1
SUSE OpenStack Cloud 9 (src):    glib2-2.48.2-12.22.1
SUSE OpenStack Cloud 8 (src):    glib2-2.48.2-12.22.1
SUSE OpenStack Cloud 7 (src):    glib2-2.48.2-12.22.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    glib2-2.48.2-12.22.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    glib2-2.48.2-12.22.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    glib2-2.48.2-12.22.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    glib2-2.48.2-12.22.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    glib2-2.48.2-12.22.1
SUSE Linux Enterprise Server 12-SP5 (src):    glib2-2.48.2-12.22.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    glib2-2.48.2-12.22.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    glib2-2.48.2-12.22.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    glib2-2.48.2-12.22.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    glib2-2.48.2-12.22.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    glib2-2.48.2-12.22.1
HPE Helion Openstack 8 (src):    glib2-2.48.2-12.22.1
Comment 15 Swamp Workflow Management 2021-03-19 21:21:05 UTC
SUSE-SU-2021:0890-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1182328,1182362
CVE References: CVE-2021-27218,CVE-2021-27219
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    glib2-2.54.3-4.24.1
SUSE Manager Retail Branch Server 4.0 (src):    glib2-2.54.3-4.24.1
SUSE Manager Proxy 4.0 (src):    glib2-2.54.3-4.24.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    glib2-2.54.3-4.24.1
SUSE Linux Enterprise Server for SAP 15 (src):    glib2-2.54.3-4.24.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    glib2-2.54.3-4.24.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    glib2-2.54.3-4.24.1
SUSE Linux Enterprise Server 15-LTSS (src):    glib2-2.54.3-4.24.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    glib2-2.54.3-4.24.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    glib2-2.54.3-4.24.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    glib2-2.54.3-4.24.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    glib2-2.54.3-4.24.1
SUSE Enterprise Storage 6 (src):    glib2-2.54.3-4.24.1
SUSE CaaS Platform 4.0 (src):    glib2-2.54.3-4.24.1
Comment 16 Carlos López 2022-06-10 10:16:00 UTC
Done, closing.