[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1103051: marked as done (bookworm-pu: package glib2.0/2.74.6-2+deb12u6)



Your message dated Sat, 17 May 2025 09:37:57 +0000
with message-id <E1uGDzR-005KGt-Ik@coccia.debian.org>
and subject line Close 1103051
has caused the Debian Bug report #1103051,
regarding bookworm-pu: package glib2.0/2.74.6-2+deb12u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1103051: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103051
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: security@debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>

  * CVE-2025-3360: Integer overflow in g_date_time_new_from_iso8601()
diffstat for glib2.0-2.74.6 glib2.0-2.74.6

 changelog                                                               |    7 
 patches/0001-gdatetime-Fix-integer-overflow-when-parsing-very-lon.patch |   55 +++++++
 patches/0002-gdatetime-Fix-potential-integer-overflow-in-timezone.patch |   51 ++++++
 patches/0003-gdatetime-Track-timezone-length-as-an-unsigned-size_.patch |   35 ++++
 patches/0004-gdatetime-Factor-out-some-string-pointer-arithmetic.patch  |   75 ++++++++++
 patches/0005-gdatetime-Factor-out-an-undersized-variable.patch          |   56 +++++++
 patches/series                                                          |    5 
 7 files changed, 284 insertions(+)

diff -Nru glib2.0-2.74.6/debian/changelog glib2.0-2.74.6/debian/changelog
--- glib2.0-2.74.6/debian/changelog	2024-11-14 11:42:34.000000000 +0200
+++ glib2.0-2.74.6/debian/changelog	2025-04-12 16:52:16.000000000 +0300
@@ -1,3 +1,10 @@
+glib2.0 (2.74.6-2+deb12u6) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-3360: Integer overflow in g_date_time_new_from_iso8601()
+
+ -- Adrian Bunk <bunk@debian.org>  Sat, 12 Apr 2025 16:52:16 +0300
+
 glib2.0 (2.74.6-2+deb12u5) bookworm; urgency=medium
 
   * d/p/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch:
diff -Nru glib2.0-2.74.6/debian/patches/0001-gdatetime-Fix-integer-overflow-when-parsing-very-lon.patch glib2.0-2.74.6/debian/patches/0001-gdatetime-Fix-integer-overflow-when-parsing-very-lon.patch
--- glib2.0-2.74.6/debian/patches/0001-gdatetime-Fix-integer-overflow-when-parsing-very-lon.patch	1970-01-01 02:00:00.000000000 +0200
+++ glib2.0-2.74.6/debian/patches/0001-gdatetime-Fix-integer-overflow-when-parsing-very-lon.patch	2025-04-12 16:51:53.000000000 +0300
@@ -0,0 +1,55 @@
+From ea9e2896ce894e660cfe5c9bef6f17c3e9ad56f0 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 16:44:58 +0000
+Subject: gdatetime: Fix integer overflow when parsing very long ISO8601 inputs
+
+This will only happen with invalid (or maliciously invalid) potential
+ISO8601 strings, but `g_date_time_new_from_iso8601()` needs to be robust
+against that.
+
+Prevent `length` overflowing by correctly defining it as a `size_t`.
+Similarly for `date_length`, but additionally track its validity in a
+boolean rather than as its sign.
+
+Spotted by chamalsl as #YWH-PGM9867-43.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+---
+ glib/gdatetime.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index a9c472e55..92a313418 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1497,7 +1497,8 @@ parse_iso8601_time (const gchar *text, gsize length,
+ GDateTime *
+ g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz)
+ {
+-  gint length, date_length = -1;
++  size_t length, date_length = 0;
++  gboolean date_length_set = FALSE;
+   gint hour = 0, minute = 0;
+   gdouble seconds = 0.0;
+   GTimeZone *tz = NULL;
+@@ -1508,11 +1509,14 @@ g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz)
+   /* Count length of string and find date / time separator ('T', 't', or ' ') */
+   for (length = 0; text[length] != '\0'; length++)
+     {
+-      if (date_length < 0 && (text[length] == 'T' || text[length] == 't' || text[length] == ' '))
+-        date_length = length;
++      if (!date_length_set && (text[length] == 'T' || text[length] == 't' || text[length] == ' '))
++        {
++          date_length = length;
++          date_length_set = TRUE;
++        }
+     }
+ 
+-  if (date_length < 0)
++  if (!date_length_set)
+     return NULL;
+ 
+   if (!parse_iso8601_time (text + date_length + 1, length - (date_length + 1),
+-- 
+2.30.2
+
diff -Nru glib2.0-2.74.6/debian/patches/0002-gdatetime-Fix-potential-integer-overflow-in-timezone.patch glib2.0-2.74.6/debian/patches/0002-gdatetime-Fix-potential-integer-overflow-in-timezone.patch
--- glib2.0-2.74.6/debian/patches/0002-gdatetime-Fix-potential-integer-overflow-in-timezone.patch	1970-01-01 02:00:00.000000000 +0200
+++ glib2.0-2.74.6/debian/patches/0002-gdatetime-Fix-potential-integer-overflow-in-timezone.patch	2025-04-12 16:51:53.000000000 +0300
@@ -0,0 +1,51 @@
+From 4b9f757cc261c0163ffaaad69b73826604f2360a Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 16:51:36 +0000
+Subject: gdatetime: Fix potential integer overflow in timezone offset handling
+
+This one is much harder to trigger than the one in the previous commit,
+but mixing `gssize` and `gsize` always runs the risk of the former
+overflowing for very (very very) long input strings.
+
+Avoid that possibility by not using the sign of the `tz_offset` to
+indicate its validity, and instead using the return value of the
+function.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+---
+ glib/gdatetime.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index 92a313418..5c4ad461d 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1346,8 +1346,10 @@ parse_iso8601_date (const gchar *text, gsize length,
+     return FALSE;
+ }
+ 
++/* Value returned in tz_offset is valid if and only if the function return value
++ * is non-NULL. */
+ static GTimeZone *
+-parse_iso8601_timezone (const gchar *text, gsize length, gssize *tz_offset)
++parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ {
+   gint i, tz_length, offset_hours, offset_minutes;
+   gint offset_sign = 1;
+@@ -1415,11 +1417,11 @@ static gboolean
+ parse_iso8601_time (const gchar *text, gsize length,
+                     gint *hour, gint *minute, gdouble *seconds, GTimeZone **tz)
+ {
+-  gssize tz_offset = -1;
++  size_t tz_offset = 0;
+ 
+   /* Check for timezone suffix */
+   *tz = parse_iso8601_timezone (text, length, &tz_offset);
+-  if (tz_offset >= 0)
++  if (*tz != NULL)
+     length = tz_offset;
+ 
+   /* hh:mm:ss(.sss) */
+-- 
+2.30.2
+
diff -Nru glib2.0-2.74.6/debian/patches/0003-gdatetime-Track-timezone-length-as-an-unsigned-size_.patch glib2.0-2.74.6/debian/patches/0003-gdatetime-Track-timezone-length-as-an-unsigned-size_.patch
--- glib2.0-2.74.6/debian/patches/0003-gdatetime-Track-timezone-length-as-an-unsigned-size_.patch	1970-01-01 02:00:00.000000000 +0200
+++ glib2.0-2.74.6/debian/patches/0003-gdatetime-Track-timezone-length-as-an-unsigned-size_.patch	2025-04-12 16:51:53.000000000 +0300
@@ -0,0 +1,35 @@
+From 495713b68813a76e31dd34c3592ddfd269c6def0 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 16:55:18 +0000
+Subject: gdatetime: Track timezone length as an unsigned size_t
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It’s guaranteed to be in (0, length] by the calculations above.
+
+This avoids the possibility of integer overflow through `gssize` not
+being as big as `size_t`.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+---
+ glib/gdatetime.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index 5c4ad461d..72b8d04c6 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1351,7 +1351,8 @@ parse_iso8601_date (const gchar *text, gsize length,
+ static GTimeZone *
+ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ {
+-  gint i, tz_length, offset_hours, offset_minutes;
++  size_t tz_length;
++  gint i, offset_hours, offset_minutes;
+   gint offset_sign = 1;
+   GTimeZone *tz;
+ 
+-- 
+2.30.2
+
diff -Nru glib2.0-2.74.6/debian/patches/0004-gdatetime-Factor-out-some-string-pointer-arithmetic.patch glib2.0-2.74.6/debian/patches/0004-gdatetime-Factor-out-some-string-pointer-arithmetic.patch
--- glib2.0-2.74.6/debian/patches/0004-gdatetime-Factor-out-some-string-pointer-arithmetic.patch	1970-01-01 02:00:00.000000000 +0200
+++ glib2.0-2.74.6/debian/patches/0004-gdatetime-Factor-out-some-string-pointer-arithmetic.patch	2025-04-12 16:51:53.000000000 +0300
@@ -0,0 +1,75 @@
+From e24ecac8065522917be689ecc498061bd1bb36c9 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 17:07:24 +0000
+Subject: gdatetime: Factor out some string pointer arithmetic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Makes the following code a little clearer, but doesn’t introduce any
+functional changes.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+---
+ glib/gdatetime.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index 72b8d04c6..2710e56fd 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1355,6 +1355,7 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+   gint i, offset_hours, offset_minutes;
+   gint offset_sign = 1;
+   GTimeZone *tz;
++  const char *tz_start;
+ 
+   /* UTC uses Z suffix  */
+   if (length > 0 && text[length - 1] == 'Z')
+@@ -1372,34 +1373,35 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+       }
+   if (i < 0)
+     return NULL;
++  tz_start = text + i;
+   tz_length = length - i;
+ 
+   /* +hh:mm or -hh:mm */
+-  if (tz_length == 6 && text[i+3] == ':')
++  if (tz_length == 6 && tz_start[3] == ':')
+     {
+-      if (!get_iso8601_int (text + i + 1, 2, &offset_hours) ||
+-          !get_iso8601_int (text + i + 4, 2, &offset_minutes))
++      if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) ||
++          !get_iso8601_int (tz_start + 4, 2, &offset_minutes))
+         return NULL;
+     }
+   /* +hhmm or -hhmm */
+   else if (tz_length == 5)
+     {
+-      if (!get_iso8601_int (text + i + 1, 2, &offset_hours) ||
+-          !get_iso8601_int (text + i + 3, 2, &offset_minutes))
++      if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) ||
++          !get_iso8601_int (tz_start + 3, 2, &offset_minutes))
+         return NULL;
+     }
+   /* +hh or -hh */
+   else if (tz_length == 3)
+     {
+-      if (!get_iso8601_int (text + i + 1, 2, &offset_hours))
++      if (!get_iso8601_int (tz_start + 1, 2, &offset_hours))
+         return NULL;
+       offset_minutes = 0;
+     }
+   else
+     return NULL;
+ 
+-  *tz_offset = i;
+-  tz = g_time_zone_new_identifier (text + i);
++  *tz_offset = tz_start - text;
++  tz = g_time_zone_new_identifier (tz_start);
+ 
+   /* Double-check that the GTimeZone matches our interpretation of the timezone.
+    * This can fail because our interpretation is less strict than (for example)
+-- 
+2.30.2
+
diff -Nru glib2.0-2.74.6/debian/patches/0005-gdatetime-Factor-out-an-undersized-variable.patch glib2.0-2.74.6/debian/patches/0005-gdatetime-Factor-out-an-undersized-variable.patch
--- glib2.0-2.74.6/debian/patches/0005-gdatetime-Factor-out-an-undersized-variable.patch	1970-01-01 02:00:00.000000000 +0200
+++ glib2.0-2.74.6/debian/patches/0005-gdatetime-Factor-out-an-undersized-variable.patch	2025-04-12 16:51:53.000000000 +0300
@@ -0,0 +1,56 @@
+From df5cfea3236ec479807353563abe00ddaa7c9dd8 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 17:28:33 +0000
+Subject: gdatetime: Factor out an undersized variable
+
+For long input strings, it would have been possible for `i` to overflow.
+Avoid that problem by using the `tz_length` instead, so that we count up
+rather than down.
+
+This commit introduces no functional changes (outside of changing
+undefined behaviour), and can be verified using the identity
+`i === length - tz_length`.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+---
+ glib/gdatetime.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index 2710e56fd..5f6b9f752 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1352,7 +1352,7 @@ static GTimeZone *
+ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ {
+   size_t tz_length;
+-  gint i, offset_hours, offset_minutes;
++  gint offset_hours, offset_minutes;
+   gint offset_sign = 1;
+   GTimeZone *tz;
+   const char *tz_start;
+@@ -1365,16 +1365,15 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+     }
+ 
+   /* Look for '+' or '-' of offset */
+-  for (i = length - 1; i >= 0; i--)
+-    if (text[i] == '+' || text[i] == '-')
++  for (tz_length = 1; tz_length <= length; tz_length++)
++    if (text[length - tz_length] == '+' || text[length - tz_length] == '-')
+       {
+-        offset_sign = text[i] == '-' ? -1 : 1;
++        offset_sign = text[length - tz_length] == '-' ? -1 : 1;
+         break;
+       }
+-  if (i < 0)
++  if (tz_length > length)
+     return NULL;
+-  tz_start = text + i;
+-  tz_length = length - i;
++  tz_start = text + length - tz_length;
+ 
+   /* +hh:mm or -hh:mm */
+   if (tz_length == 6 && tz_start[3] == ':')
+-- 
+2.30.2
+
diff -Nru glib2.0-2.74.6/debian/patches/series glib2.0-2.74.6/debian/patches/series
--- glib2.0-2.74.6/debian/patches/series	2024-11-14 11:42:34.000000000 +0200
+++ glib2.0-2.74.6/debian/patches/series	2025-04-12 16:52:16.000000000 +0300
@@ -44,3 +44,8 @@
 CVE-2024-34397/gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a.patch
 gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch
 gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
+0001-gdatetime-Fix-integer-overflow-when-parsing-very-lon.patch
+0002-gdatetime-Fix-potential-integer-overflow-in-timezone.patch
+0003-gdatetime-Track-timezone-length-as-an-unsigned-size_.patch
+0004-gdatetime-Factor-out-some-string-pointer-arithmetic.patch
+0005-gdatetime-Factor-out-an-undersized-variable.patch

--- End Message ---
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---

Reply to: