[oCERT-2008-015] glib and glib-predecessor heap overflows

infwonder · **Posted:** Fri Mar 13, 2009 5:56 am

oCERT-2008-015 wrote:

Base64 encoding and decoding functions in glib suffer from
vulnerabilities during memory allocation which may result in arbitrary
code execution when processing large strings. A number of other
GNOME-related applications which predate glib are vulnerable due to the
commonality of this flawed code.
...
Affected version:

(actively affected)
glib >= 2.11 unstable
glib >= 2.12 stable
gstreamer-plugins-base < 0.10.23

(older versions affected only)
libsoup < 2.2.x
libsoup < 2.24
evolution-data-server < 2.24.5

Fixed version:

glib >= 2.20 (svn revision >= 7973)
gstreamer-plugins-base >= 0.10.23

(Other identified packages are unaffected in current versions.)

More information and patches can be found at:
http://www.ocert.org/advisories/ocert-2008-015.html

We currently have glib 2.19.10, gstreamer-plugins-base 0.10.22, evolution-data-server-2.24.3 in SNAPSHOT, all vulnerable according to the description above.

References:
http://www.securityfocus.com/archive/1/501712

!8!

gapan · **Posted:** Sat Mar 14, 2009 1:06 pm

I have updated evolution-data-server, now in FIFO. But gst-plugins-base 0.10.23 has not been released yet.

infwonder · **Posted:** Mon Mar 16, 2009 5:34 am

Thank you!

There is a git commit for gst-plugins-base that is related to the fixes for this issue (it's listed in oCERT report), maybe we can simply patch the version 0.10.22:

http://cgit.freedesktop.org/gstreamer/g ... 1d427e40a9

(let's still hope that the new version come out soon ... )

infwonder · **Posted:** Tue Mar 17, 2009 12:03 am

Oops! I am so sorry gapan, it looks like there is another vulnerability reported in evolution-data-server 2.24.5 that I didn't notice... So maybe it need to be patched in the near future.

I really should have reported them together ... D!!

viewtopic.php?f=48&t=21724

gapan · **Posted:** Tue Mar 17, 2009 7:25 am

I have evolution-data-server 2.26.0 ready, but it breaks a lot of other packages, so I'll need to bring those to the 2.26 version too before I push it the current. I'll also see what I can do with gstreamer from svn, but it will also need a good round of testing before entering current.

BTW, new glib is already in current.

infwonder · **Posted:** Tue Mar 17, 2009 11:06 am

Hi! Thank you for the fast response to this issue... :-[

According to the openwall ML, it seems that as long as the Evolution-data-server is linked against the latest glib, it should be considered not vulnerable to this problem. So I think maybe (need to be confirmed) it's okay since we already have glib 2.20 in CURRENT. (but of course it's safer to update to 2.26, if applicable)

gst-plugins-base, however, may still need to be updated, since that there might be some old glib source code being included directly in the software.

Reference:
http://permalink.gmane.org/gmane.comp.s ... neral/1559
https://bugs.gentoo.org/show_bug.cgi?id=262555

gapan · **Posted:** Thu Mar 19, 2009 9:10 pm

gst-plugins-base from svn is unusable now, I've tried several revisions and mp3 files would not play with it. So we'll have to wait for an official 0.10.23 release.

gapan · **Posted:** Sun Mar 22, 2009 9:20 am

evolution-data-server 2.26.0 is in current and snapshot repos along with the rest of gnome 2.26.0, so every security issue with it should be resolved.

infwonder · **Posted:** Mon Mar 23, 2009 8:01 am

Thank you! $\!D/$ $\!D/$ $\!D/$

If I understand it correctly, we're still waiting for stable gst-plugin-base 0.10.23 release, is that right?

gapan · **Posted:** Mon Mar 23, 2009 8:42 am

Yes, gst-plugins-base from svn just doesn't work.

[oCERT-2008-015] glib and glib-predecessor heap overflows

Who is online