Port your module from g_memdup() to g_memdup2() now

GLib 2.67.3 will be released shortly with a new g_memdup2() API to replace the old g_memdup() API. Please port to using g_memdup2() as soon as possible: g_memdup() will be deprecated in GLib 2.67.4. Take the opportunity to check for arithmetic overflow problems in the code around your call to g_memdup() — simply finding-and-replacing g_memdup() with g_memdup2() may not fix everything.

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various
modules to cause a heap buffer overflow.

Details here: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1926

GLib 2.66.6 will also be released shortly, which will fix the bug internally in GLib. It will not export g_memdup2() as a new public API though. You’ll need to depend on GLib ≥2.67.3 for that, or copy the
static inline version of g_memdup2() from here.

Sorry for the short notice about this. Due to some oversights, the vulnerability was made public today at the same time as we first heard about it.

Thanks to Kevin Backhouse from GHSL for finding it and providing a detailed report.


For anyone packaging this, 2.66.7 has just been released, which contains a few fixes for regressions introduced by my fixes for this vulnerability in 2.66.6.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.