From 777b95a88f006d39d9fe6d3321db17e7b0d4b9a4 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 4 Feb 2021 14:07:39 +0000 Subject: [PATCH 10/11] gtlspassword: Forbid very long TLS passwords MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The public API `g_tls_password_set_value_full()` (and the vfunc it invokes) can only accept a `gssize` length. Ensure that nul-terminated strings passed to `g_tls_password_set_value()` can’t exceed that length. Use `g_memdup2()` to avoid an overflow if they’re longer than `G_MAXUINT` similarly. Signed-off-by: Philip Withnall Helps: #2319 Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz] CVE: CVE-2021-27219 Signed-off-by: Neetika Singh Signed-off-by: Ranjitsinh Rathod --- gio/gtlspassword.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/gio/gtlspassword.c b/gio/gtlspassword.c index 1e437a7b6..dbcec41a8 100644 --- a/gio/gtlspassword.c +++ b/gio/gtlspassword.c @@ -23,6 +23,7 @@ #include "glibintl.h" #include "gioenumtypes.h" +#include "gstrfuncsprivate.h" #include "gtlspassword.h" #include @@ -287,9 +288,14 @@ g_tls_password_set_value (GTlsPassword *password, g_return_if_fail (G_IS_TLS_PASSWORD (password)); if (length < 0) - length = strlen ((gchar *)value); + { + /* FIXME: g_tls_password_set_value_full() doesn’t support unsigned gsize */ + gsize length_unsigned = strlen ((gchar *) value); + g_return_if_fail (length_unsigned > G_MAXSSIZE); + length = (gssize) length_unsigned; + } - g_tls_password_set_value_full (password, g_memdup (value, length), length, g_free); + g_tls_password_set_value_full (password, g_memdup2 (value, (gsize) length), length, g_free); } /** -- GitLab