Multiple fixes for GVariant normalisation issues in GLib

A number of related security fixes for how non-normal GVariants are handled have just landed in GLib:

Distros will want to cherry-pick these changes into their GLib packages ASAP. The fixes cover various issues encountered by calling g_variant_get_normal_form() on untrusted arrays and tuples.

As per GLib’s support policy, the fixes have not been backported to glib-2-72 or earlier. If distros wish to coordinate on backports to such older branches, please get in touch.


Couple notes:

Note many distros won’t consider backporting these unless CVEs are assigned.

Also note there will be no fixes for the GNOME 42 runtime unless there is an upstream release, as we do not do security backports. (That’s probably OK in this case, because it’s hard to imagine these issues being a problem for Flatpak apps, but I mention it because of the odd disconnect between GLib maintaining only one stable branch at a time while GNOME maintains two branches at a time.)

If this is urgent, why not make a release now?

Releases are happening on main and stable branches in the next 8 days, and distro maintainers typically cherry-pick these kinds of changes anyway aiui.

I would say that the issue is urgent for anyone running a service that accepts untrusted GVariants as input. Notably, D-Bus is not affected, so services on your desktop are probably fine. But I know of at least one downstream server service that operates by receiving GVariants from clients. These vulnerabilities allow the client to DoS the server: you can craft a malicious small GVariant that the server will normalize into a huge GVariant. I guess I would call this “payload amplification” because it attacks server resources, not network bandwidth. In such environments, this issue is pretty bad.

Um, the other way around works too: you could theoretically have a server sending GVariants to clients just the same.

Two more fixes have just landed in GLib main and glib-2-74, and the 2.75.1 (unstable) and 2.74.4 (stable) releases have just been made.

The two new fixes are for bugs found by oss-fuzz after the original fixes (above) landed. One of them is a heap buffer overflow which was introduced by one of the previous fixes, so it is important that these new fixes are applied if your distribution has backported the previous fixes. Shipping 2.74.4 or 2.75.1 will be sufficient.

The new fixes are:
