Описание
A flaw was found in glib-networking. A malicious Transport Layer Security (TLS) server can exploit an out-of-bounds read and invalid free vulnerability when a client using the OpenSSL backend connects. By advertising a specially crafted client-CA list, the server can trigger an issue where memory is accessed outside of its allocated buffer and subsequently freed incorrectly. This can lead to a denial-of-service and potentially disclose limited heap memory.
Отчет
This is a LOW impact vulnerability affecting the OpenSSL backend of the glib-networking library used by GNOME applications. When a client configured to use the OpenSSL backend connects to a malicious TLS server, improper handling of certificate authority data can result in an out-of-bounds heap read and an invalid free condition. Successful exploitation may cause application crashes (denial-of-service) and potentially limited heap memory disclosure. Red Hat products are not affected because the vulnerable OpenSSL backend is not built or shipped in supported configurations; therefore, the overall impact to Red Hat customers is considered Low.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | glib-networking | Not affected | ||
| Red Hat Enterprise Linux 6 | glib-networking | Not affected | ||
| Red Hat Enterprise Linux 7 | glib-networking | Not affected | ||
| Red Hat Enterprise Linux 8 | glib-networking | Not affected | ||
| Red Hat Enterprise Linux 9 | glib-networking | Not affected |
Показывать по
Дополнительная информация
Статус:
5.4 Medium
CVSS3
Связанные уязвимости
5.4 Medium
CVSS3