Описание
Security update for glib2
This update for glib2 fixes the following issues:
- CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files. (bsc#1183533)
- CVE-2023-32665: Fixed GVariant deserialisation which does not match spec for non-normal data. (bsc#1211945)
- CVE-2023-32643: Fixed a heap-buffer-overflow in g_variant_serialised_get_child(). (bsc#1211946)
- CVE-2023-29499: Fixed GVariant offset table entry size which is not checked in is_normal(). (bsc#1211947)
- CVE-2023-32636: Fixed a wrong timeout in fuzz_variant_text(). (bsc#1211948)
- CVE-2023-32611: Fixed an issue where g_variant_byteswap() can take a long time with some non-normal inputs. (bsc#1211951)
Список пакетов
Container caasp/v4/cilium-operator:1.6.6
Container caasp/v4/cilium:1.6.6
Container suse/sle15:15.1
Image SLES15-SP1-SAP-Azure-LI-BYOS-Production
Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production
SUSE Enterprise Storage 6
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS
SUSE Linux Enterprise Server 15 SP1-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP1
Ссылки
- Link for SUSE-SU-2023:3535-1
- E-Mail link for SUSE-SU-2023:3535-1
- SUSE Security Ratings
- SUSE Bug 1183533
- SUSE Bug 1211945
- SUSE Bug 1211946
- SUSE Bug 1211947
- SUSE Bug 1211948
- SUSE Bug 1211951
- SUSE CVE CVE-2021-28153 page
- SUSE CVE CVE-2023-29499 page
- SUSE CVE CVE-2023-32611 page
- SUSE CVE CVE-2023-32636 page
- SUSE CVE CVE-2023-32643 page
- SUSE CVE CVE-2023-32665 page
Описание
An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)
Затронутые продукты
Ссылки
- CVE-2021-28153
- SUSE Bug 1183533
Описание
A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.
Затронутые продукты
Ссылки
- CVE-2023-29499
- SUSE Bug 1211947
- SUSE Bug 1211948
Описание
A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.
Затронутые продукты
Ссылки
- CVE-2023-32611
- SUSE Bug 1211951
Описание
A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.
Затронутые продукты
Ссылки
- CVE-2023-32636
- SUSE Bug 1211948
Описание
A flaw was found in GLib. The GVariant deserialization code is vulnerable to a heap buffer overflow introduced by the fix for CVE-2023-32665. This bug does not affect any released version of GLib, but does affect GLib distributors who followed the guidance of GLib developers to backport the initial fix for CVE-2023-32665.
Затронутые продукты
Ссылки
- CVE-2023-32643
- SUSE Bug 1211946
Описание
A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.
Затронутые продукты
Ссылки
- CVE-2023-32665
- SUSE Bug 1211945
- SUSE Bug 1211946