[Debian] Medium CVE: CVE-2024-34397 glib2.0

Bug #2065130 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Wentao Zhang
Milestone: (not set)

Bug Description

CVE-2024-34397: https://nvd.nist.gov/vuln/detail/CVE-2024-34397

An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.

Base Score: Medium

Reference:

Package upgrades (Debian 11, amd64):

libglib2.0-0_2.66.8-1+deb11u1_amd64.deb → libglib2.0-0_2.66.8-1+deb11u2_amd64.deb
libglib2.0-dev_2.66.8-1+deb11u1_amd64.deb → libglib2.0-dev_2.66.8-1+deb11u2_amd64.deb
libglib2.0-bin_2.66.8-1+deb11u1_amd64.deb → libglib2.0-bin_2.66.8-1+deb11u2_amd64.deb
libglib2.0-dev-bin_2.66.8-1+deb11u1_amd64.deb → libglib2.0-dev-bin_2.66.8-1+deb11u2_amd64.deb

https://security-tracker.debian.org/tracker/DSA-5682-1
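The practical check for this bug is whether the libglib2.0-0 actually installed on a node is at or above the Debian 11 version that carries the fix. The script below is an added example, not part of the bug report or of StarlingX; it assumes the fixed bullseye version is 2.66.8-1+deb11u3 (the version the merged StarlingX change upgrades to) and uses sort -V as an approximation of dpkg version ordering, which is sufficient for the +deb11uN suffixes involved. The sample version strings in main are constructed to show both outcomes; when dpkg-query is available it also reports the real installed version.

```sh
#!/bin/sh
# Added example (not from the bug report or StarlingX): check whether an installed
# libglib2.0-0 on Debian 11 carries the CVE-2024-34397 fix.
# Assumption: the fixed bullseye version is 2.66.8-1+deb11u3, as used in the commit on this bug.
FIXED_BULLSEYE="2.66.8-1+deb11u3"

# version_ge A B: succeed when A sorts at or above B under natural version ordering.
# sort -V approximates dpkg ordering; it handles the numeric +deb11uN suffixes correctly.
version_ge() {
  [ "$(printf '%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# glib_status VERSION: print "fixed" or "vulnerable" for a libglib2.0-0 version string.
glib_status() {
  if version_ge "$1" "$FIXED_BULLSEYE"; then
    echo fixed
  else
    echo vulnerable
  fi
}

# installed_glib_version: print the installed version when dpkg-query exists and the
# package is installed; fail otherwise so callers can fall back to a supplied string.
installed_glib_version() {
  command -v dpkg-query >/dev/null 2>&1 || return 1
  dpkg-query -W -f='${Version}' libglib2.0-0 2>/dev/null
}

# Constructed sample versions (not taken from the page) covering pre- and post-fix builds.
main() {
  for v in 2.66.8-1+deb11u1 2.66.8-1+deb11u2 2.66.8-1+deb11u3 2.66.8-1+deb11u10; do
    printf '%s: %s\n' "$v" "$(glib_status "$v")"
  done
  if ver=$(installed_glib_version); then
    printf 'installed libglib2.0-0 %s: %s\n' "$ver" "$(glib_status "$ver")"
  fi
}
main "$@"
```

Run it on a bullseye-based node to get a one-line verdict per package version; on hosts using a different Debian release, set FIXED_BULLSEYE to the fixed version listed for that release in DSA-5682-1.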

OpenStack Infra (hudson-openstack) wrote: Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/918960

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/918960
Committed: https://opendev.org/starlingx/tools/commit/492001473719ded99aa5bc32ff4694d41aeb4a77
Submitter: "Zuul (22348)"
Branch: master

commit 492001473719ded99aa5bc32ff4694d41aeb4a77
Author: STX Builder <email address hidden>
Date: Thu May 9 10:05:55 2024 +0000

    Debian: glib2.0 : CVE-2024-34397

    Upgrade libglib2.0-0 to 2.66.8-1+deb11u3
    Upgrade libglib2.0-dev to 2.66.8-1+deb11u3
    Upgrade libglib2.0-bin to 2.66.8-1+deb11u3
    Upgrade libglib2.0-dev-bin to 2.66.8-1+deb11u3

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2024-34397

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build-image
    Pass: boot

    Closes-bug: #2065130

    Change-Id: I5916849873036a57a2a72e2bbdd7e6528ba5b7b2
    Signed-off-by: Wentao Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Wentao Zhang (wzhang4)