Bug 1209713 (CVE-2023-25180) - VUL-0: CVE-2023-25180: glib2: DoS caused by malicious serialised variant
Summary: VUL-0: CVE-2023-25180: glib2: DoS caused by malicious serialised variant
Status: RESOLVED FIXED
Alias: CVE-2023-25180
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/361017/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-25180:6.2:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-03-24 16:02 UTC by Gabriele Sonnu
Modified: 2024-06-26 21:00 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Gabriele Sonnu 2023-03-24 16:02:03 UTC 
A vulnerability was found in GLib2.0, where denial of service caused by handling a malicious serialised variant which is structured to cause allocations or looping superlinear to its serialised size. Applications are at risk if they accept untrusted serialised variants by checking them with g_variant_get_normal_form() (or don’t check them).

References:
https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25180
https://bugzilla.redhat.com/show_bug.cgi?id=2181182
Comment 1 Yifan Jiang 2023-03-27 01:31:47 UTC 
Hi Alynx, can you please help on this please. I would target on the following maintenance project:

  SLE-12-SP2:Update
  SLE-15-SP2:Update
  SLE-15-SP4:Update

@Gabriele, can you please correct if the specify the target builds need to tune. Thanks.
Comment 2 Gabriele Sonnu 2023-03-27 07:11:12 UTC 
Tracking as affected:

- SUSE:SLE-15:Update/glib2
- SUSE:SLE-12-SP2:Update/glib2
- SUSE:SLE-15-SP2:Update/glib2
- SUSE:SLE-15-SP4:Update/glib2

SUSE:SLE-15:Update/glib2 update is not required, since it's LTSS-only and CVSS score is < 7.
Not sure about SUSE:SLE-11-SP1:Update/glib2, could you have a look?
Comment 4 Alynx Zhou 2023-04-03 10:08:23 UTC 
SRs are accepted now.
Comment 5 Gabriele Sonnu 2023-04-03 10:11:31 UTC 
Hi Alynx, did you check SUSE:SLE-11-SP1:Update/glib2? Is it affected?
Comment 6 Alynx Zhou 2023-04-03 10:12:17 UTC 
(In reply to Gabriele Sonnu from comment #5)
> Hi Alynx, did you check SUSE:SLE-11-SP1:Update/glib2? Is it affected?

Let me check it now
Comment 7 Alynx Zhou 2023-04-03 10:17:15 UTC 
(In reply to Gabriele Sonnu from comment #5)
> Hi Alynx, did you check SUSE:SLE-11-SP1:Update/glib2? Is it affected?

We have GLib 2.22 in SLE-11-SP1:Update, and g_variant_get_normal_form() is added since 2.24, so it should be not affected.
Comment 8 Gabriele Sonnu 2023-04-03 11:47:02 UTC 
(In reply to Alynx Zhou from comment #7)
> (In reply to Gabriele Sonnu from comment #5)
> > Hi Alynx, did you check SUSE:SLE-11-SP1:Update/glib2? Is it affected?
> 
> We have GLib 2.22 in SLE-11-SP1:Update, and g_variant_get_normal_form() is
> added since 2.24, so it should be not affected.

Thanks a lot, I've updated our tracking.
Comment 9 Maintenance Automation 2023-04-19 12:30:06 UTC 
SUSE-SU-2023:1910-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1209713, 1209714
CVE References: CVE-2023-24593, CVE-2023-25180
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): glib2-2.48.2-12.31.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): glib2-2.48.2-12.31.1
SUSE Linux Enterprise Server 12 SP5 (src): glib2-2.48.2-12.31.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): glib2-2.48.2-12.31.1
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): glib2-2.48.2-12.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2023-04-27 16:30:01 UTC 
SUSE-SU-2023:2060-1: An update that solves two vulnerabilities and has one fix can now be installed.

Category: security (moderate)
Bug References: 1209713, 1209714, 1210135
CVE References: CVE-2023-24593, CVE-2023-25180
Sources used:
openSUSE Leap Micro 5.3 (src): glib2-2.70.5-150400.3.8.1
openSUSE Leap 15.4 (src): glib2-2.70.5-150400.3.8.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): glib2-2.70.5-150400.3.8.1
SUSE Linux Enterprise Micro 5.3 (src): glib2-2.70.5-150400.3.8.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): glib2-2.70.5-150400.3.8.1
SUSE Linux Enterprise Micro 5.4 (src): glib2-2.70.5-150400.3.8.1
Basesystem Module 15-SP4 (src): glib2-2.70.5-150400.3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2023-04-28 16:30:02 UTC 
SUSE-SU-2023:2076-1: An update that solves two vulnerabilities and has one fix can now be installed.

Category: security (moderate)
Bug References: 1209713, 1209714, 1210135
CVE References: CVE-2023-24593, CVE-2023-25180
Sources used:
openSUSE Leap 15.4 (src): glib2-2.62.6-150200.3.15.1
SUSE Linux Enterprise Real Time 15 SP3 (src): glib2-2.62.6-150200.3.15.1
SUSE Linux Enterprise Micro 5.1 (src): glib2-2.62.6-150200.3.15.1
SUSE Linux Enterprise Micro 5.2 (src): glib2-2.62.6-150200.3.15.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): glib2-2.62.6-150200.3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.