packages/libs/glib2/patches/100-CVE-2024-34397-gdbusmessage-Cache-the-arg0-value.patch
Petr Štetiar 3932357ffb glib2: update to 2.74.7 to fix several CVEs
Bump glib2 to 2.74.7 which fixes CVE-2023-29499, CVE-2023-32611,
CVE-2023-32636, CVE-2023-32643, CVE-2023-32665 and on top of that
backport CVE-2024-34397 fix from Debian Bookworm glib2 package
2.74.6-2+deb12u2. While at it refresh the patches so they apply cleanly.

References: https://security-tracker.debian.org/tracker/source-package/glib2.0
Fixes: CVE-2023-29499, CVE-2023-32611, CVE-2023-32636, CVE-2023-32643, CVE-2023-32665, CVE-2024-34397
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2024-09-05 13:27:51 +02:00


From: Philip Withnall <pwithnall@gnome.org>
Date: Tue, 28 Nov 2023 12:58:20 +0000
Subject: gdbusmessage: Cache the arg0 value
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Technically we can't rely on it being kept alive by the `message->body`
pointer, unless we can guarantee that the `GVariant` is always
serialised. That's not necessarily the case, so keep a separate ref on
the arg0 value at all times.
This avoids a potential use-after-free.
Spotted by Thomas Haller in
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3720#note_1924707.
[This is a prerequisite for having tests pass after fixing the
vulnerability described in glib#3268, because after fixing that
vulnerability, the use-after-free genuinely does happen during
regression testing. -smcv]
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Helps: #3183, #3268
(cherry picked from commit 10e9a917be7fb92b6b27837ef7a7f1d0be6095d5)
Origin: upstream, commit:https://gitlab.gnome.org/GNOME/glib/-/commit/10e9a917be7fb92b6b27837ef7a7f1d0be6095d5
---
gio/gdbusmessage.c | 35 ++++++++++++++++++++++-------------
1 file changed, 22 insertions(+), 13 deletions(-)
--- a/gio/gdbusmessage.c
+++ b/gio/gdbusmessage.c
@@ -508,6 +508,7 @@ struct _GDBusMessage
guint32 serial;
GHashTable *headers;
GVariant *body;
+ GVariant *arg0_cache; /* (nullable) (owned) */
#ifdef G_OS_UNIX
GUnixFDList *fd_list;
#endif
@@ -530,6 +531,7 @@ g_dbus_message_finalize (GObject *object
g_hash_table_unref (message->headers);
if (message->body != NULL)
g_variant_unref (message->body);
+ g_clear_pointer (&message->arg0_cache, g_variant_unref);
#ifdef G_OS_UNIX
if (message->fd_list != NULL)
g_object_unref (message->fd_list);
@@ -1165,6 +1167,7 @@ g_dbus_message_set_body (GDBusMessage *
if (body == NULL)
{
message->body = NULL;
+ message->arg0_cache = NULL;
g_dbus_message_set_signature (message, NULL);
}
else
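Review bot: The assignment `message->arg0_cache = NULL;` in the NULL branch overwrites whatever arg0_cache already held without releasing its reference, and the non-NULL branch in the next hunk (`@@ -1175,6 +1178,12 @@`) does the same when it stores the result of `g_variant_get_child_value`; unless the lines before this hunk already drop it, a second `g_dbus_message_set_body()` on the same message leaks the cached child GVariant. The start of g_dbus_message_set_body is outside the hunk, so whether the previous value is released there cannot be confirmed from the visible context. If it is not, one line placed next to the existing body unref, before the `if (body == NULL)` test, closes the gap: `g_clear_pointer (&message->arg0_cache, g_variant_unref);`, mirroring what the finalize hunk does. This is a resource leak rather than a lifetime bug, since the stale reference keeps the old child alive instead of dangling.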
@@ -1175,6 +1178,12 @@ g_dbus_message_set_body (GDBusMessage *
message->body = g_variant_ref_sink (body);
+ if (g_variant_is_of_type (message->body, G_VARIANT_TYPE_TUPLE) &&
+ g_variant_n_children (message->body) > 0)
+ message->arg0_cache = g_variant_get_child_value (message->body, 0);
+ else
+ message->arg0_cache = NULL;
+
type_string = g_variant_get_type_string (body);
type_string_len = strlen (type_string);
g_assert (type_string_len >= 2);
@@ -2327,6 +2336,14 @@ g_dbus_message_new_from_blob (guchar
2,
&local_error);
g_variant_type_free (variant_type);
+
+ if (message->body != NULL &&
+ g_variant_is_of_type (message->body, G_VARIANT_TYPE_TUPLE) &&
+ g_variant_n_children (message->body) > 0)
+ message->arg0_cache = g_variant_get_child_value (message->body, 0);
+ else
+ message->arg0_cache = NULL;
+
if (message->body == NULL)
goto fail;
}
@@ -3366,22 +3383,13 @@ g_dbus_message_set_signature (GDBusMessa
const gchar *
g_dbus_message_get_arg0 (GDBusMessage *message)
{
- const gchar *ret;
-
g_return_val_if_fail (G_IS_DBUS_MESSAGE (message), NULL);
- ret = NULL;
+ if (message->arg0_cache != NULL &&
+ g_variant_is_of_type (message->arg0_cache, G_VARIANT_TYPE_STRING))
+ return g_variant_get_string (message->arg0_cache, NULL);
- if (message->body != NULL && g_variant_is_of_type (message->body, G_VARIANT_TYPE_TUPLE))
- {
- GVariant *item;
- item = g_variant_get_child_value (message->body, 0);
- if (g_variant_is_of_type (item, G_VARIANT_TYPE_STRING))
- ret = g_variant_get_string (item, NULL);
- g_variant_unref (item);
- }
-
- return ret;
+ return NULL;
}
/* ---------------------------------------------------------------------------------------------------- */
@@ -3824,6 +3832,7 @@ g_dbus_message_copy (GDBusMessage *mess
* to just ref (as opposed to deep-copying) the GVariant instances
*/
ret->body = message->body != NULL ? g_variant_ref (message->body) : NULL;
+ ret->arg0_cache = message->arg0_cache != NULL ? g_variant_ref (message->arg0_cache) : NULL;
g_hash_table_iter_init (&iter, message->headers);
while (g_hash_table_iter_next (&iter, &header_key, (gpointer) &header_value))
g_hash_table_insert (ret->headers, header_key, g_variant_ref (header_value));