[Debian] High CVE: CVE-2023-29499/CVE-2023-32611/CVE-2023-32665 glib2.0 : multiple CVEs

Bug #2052924 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Wentao Zhang
Milestone: (not set)

Bug Description

CVE-2023-29499: https://nvd.nist.gov/vuln/detail/CVE-2023-29499

A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.

CVE-2023-32611: https://nvd.nist.gov/vuln/detail/CVE-2023-32611

A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.

CVE-2023-32665: https://nvd.nist.gov/vuln/detail/CVE-2023-32665

A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.

Base Score: High

Reference:

libglib2.0-0_2.66.8-1_amd64.deb ===> libglib2.0-0_2.66.8-1+deb11u1_amd64.deb

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/910295

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/910295
Committed: https://opendev.org/starlingx/tools/commit/874990dca80b9a79559f6257ef90685cd6e552b1
Submitter: "Zuul (22348)"
Branch: master

commit 874990dca80b9a79559f6257ef90685cd6e552b1
Author: Wentao Zhang <email address hidden>
Date: Tue Feb 27 11:16:15 2024 +0800

    Debian: glib2.0 : fix CVE-2023-29499/CVE-2023-32611/CVE-2023-32665

    Upgrade libglib2.0-0 to 2.66.8-1+deb11u1
    Upgrade libglib2.0-dev to 2.66.8-1+deb11u1
    Upgrade libglib2.0-bin to 2.66.8-1+deb11u1
    Upgrade libglib2.0-dev-bin to 2.66.8-1+deb11u1

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2023-29499
    https://nvd.nist.gov/vuln/detail/CVE-2023-32611
    https://nvd.nist.gov/vuln/detail/CVE-2023-32665

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build-image
    Pass: boot

    Closes-bug: #2052924

    Change-Id: I2531757a643b3b443de392e30983378341d5b581
    Signed-off-by: Wentao Zhang <email address hidden>
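
A practitioner applying this fix usually wants to confirm the upgrade actually reached a host. The following is an added example, not code from the bug report or the StarlingX change: it re-implements dpkg's Debian version ordering (epoch, upstream, revision; `~` sorts lowest) in Python and flags any of the four packages named in the commit that are still below 2.66.8-1+deb11u1. The dpkg-query lines are constructed sample input.

```python
import re
# Packages and fixed version named in the StarlingX commit above.
FIXED_VERSION = "2.66.8-1+deb11u1"
PATCHED_PACKAGES = {"libglib2.0-0", "libglib2.0-dev", "libglib2.0-bin", "libglib2.0-dev-bin"}

# Constructed sample lines, shaped like: dpkg-query -W -f='${Package} ${Version}\n'
SAMPLE_DPKG_LINES = [
    "libglib2.0-0 2.66.8-1",            # the pre-fix Debian 11 build
    "libglib2.0-bin 2.66.8-1+deb11u1",  # patched
    "libglib2.0-dev 2.66.8-1~bpo11+1",  # '~' sorts below everything, so below 2.66.8-1
]

def _order(c):
    """dpkg's weight for one non-digit character: '~' lowest, letters by code point, others above."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _key(s):
    """Map an upstream/revision string to a list that compares like dpkg's verrevcmp."""
    # Each element is (non-digit run as weights plus a 0 end marker, numeric run as int);
    # a missing numeric run counts as 0, which is how dpkg treats it after stripping leading zeros.
    return [(tuple(_order(c) for c in nd) + (0,), int(d or 0))
            for nd, d in re.findall(r"([^0-9]*)([0-9]*)", s) if nd or d]

def _verrevcmp(a, b):
    """Return -1, 0 or 1 comparing two upstream or revision strings with dpkg's rules."""
    ka, kb = _key(a), _key(b)
    n = max(len(ka), len(kb))
    ka += [((0,), 0)] * (n - len(ka))   # pad the shorter side with "nothing here"
    kb += [((0,), 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)

def compare_versions(a, b):
    """Return -1, 0 or 1 for Debian versions a < b, a == b, a > b."""
    def split(v):
        epoch, colon, rest = v.partition(":")
        epoch, rest = (int(epoch), rest) if colon else (0, v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return epoch, up, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def vulnerable_packages(dpkg_lines):
    """Return {package: installed version} for patched packages still below FIXED_VERSION."""
    rows = [ln.split() for ln in dpkg_lines]
    return {p: v for p, v in (r for r in rows if len(r) == 2)
            if p in PATCHED_PACKAGES and compare_versions(v, FIXED_VERSION) < 0}
```

Feeding it real `dpkg-query -W -f='${Package} ${Version}\n'` output in place of the sample lines gives the list of glib packages a host still needs upgraded.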

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Wentao Zhang (wzhang4)
This report contains Public Security information.
Everyone can see this security related information.