GLib 2.67.3 will be released shortly with a new g_memdup2() API to replace the old g_memdup() API. Please port to using g_memdup2() as soon as possible: g_memdup() will be deprecated in GLib 2.67.4. Take the opportunity to check for arithmetic overflow problems in the code around your call to g_memdup() — simply finding-and-replacing g_memdup2() may not fix everything.
The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.
GLib 2.66.6 will also be released shortly, which will fix the bug internally in GLib. It will not export g_memdup2() as a new public API though. You’ll need to depend on GLib ≥2.67.3 for that, or copy the static inline version of g_memdup2() from here.
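As an added illustration (not GLib's own code), the following stand-alone C models the two signatures, shows the size the old guint parameter actually sees when a gsize is passed, and wraps the replacement in an overflow-checked array duplicator. It assumes an LP64 platform where gsize is 64-bit and guint is 32-bit, and a GCC/Clang compiler for __builtin_mul_overflow.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the GLib types (assumption: gsize == size_t, guint == unsigned int). */
typedef size_t gsize;
typedef unsigned int guint;

/* Models the old g_memdup(): the byte count is a 32-bit guint. */
static void *legacy_memdup(const void *mem, guint byte_size)
{
    void *copy = NULL;
    if (mem && byte_size != 0) {
        copy = malloc(byte_size);
        if (copy)
            memcpy(copy, mem, byte_size);
    }
    return copy;
}

/* Models the new g_memdup2(): the byte count is a full gsize. */
static void *memdup2(const void *mem, gsize byte_size)
{
    void *copy = NULL;
    if (mem && byte_size != 0) {
        copy = malloc(byte_size);
        if (copy)
            memcpy(copy, mem, byte_size);
    }
    return copy;
}

/* The value the old API receives when a caller passes a gsize: the implicit
 * conversion keeps only the low 32 bits, so a request just over 4 GiB looks tiny. */
static guint size_seen_by_legacy_api(gsize requested)
{
    return (guint) requested;
}

/* Duplicate n_elements items of elem_size bytes each. The multiplication is the
 * "arithmetic around the call" that a find-and-replace does not fix: check it
 * in gsize before handing the total to memdup2(). Returns NULL on overflow. */
static void *dup_array_checked(const void *mem, gsize n_elements, gsize elem_size)
{
    gsize total;
    if (__builtin_mul_overflow(n_elements, elem_size, &total))
        return NULL;   /* caller must treat NULL as failure, not as an empty copy */
    return memdup2(mem, total);
}
```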
Sorry for the short notice about this. Due to some oversights, the vulnerability was made public today at the same time as we first heard about it.
Thanks to Kevin Backhouse from GHSL for finding it and providing a detailed report.