SUSE update for glib2
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2021-27218 CVE-2021-27219 |
| CWE-ID | CWE-681 CWE-190 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
SUSE Linux Enterprise Server Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Operating systems & Components / Operating system SUSE Linux Enterprise Workstation Extension Operating systems & Components / Operating system SUSE OpenStack Cloud Crowbar Operating systems & Components / Operating system SUSE Linux Enterprise Software Development Kit Operating systems & Components / Operating system HPE Helion Openstack Operating systems & Components / Operating system SUSE OpenStack Cloud Operating systems & Components / Operating system glib2-devel-static Operating systems & Components / Operating system package or component glib2-devel-debuginfo Operating systems & Components / Operating system package or component glib2-devel Operating systems & Components / Operating system package or component libgio-fam-debuginfo Operating systems & Components / Operating system package or component libgio-fam Operating systems & Components / Operating system package or component glib2-lang Operating systems & Components / Operating system package or component libgthread-2_0-0-debuginfo-32bit Operating systems & Components / Operating system package or component libgthread-2_0-0-debuginfo Operating systems & Components / Operating system package or component libgthread-2_0-0-32bit Operating systems & Components / Operating system package or component libgthread-2_0-0 Operating systems & Components / Operating system package or component libgobject-2_0-0-debuginfo-32bit Operating systems & Components / Operating system package or component libgobject-2_0-0-debuginfo Operating systems & Components / Operating system package or component libgobject-2_0-0-32bit Operating systems & Components / Operating system package or component libgobject-2_0-0 Operating systems & Components / Operating system package or component libgmodule-2_0-0-debuginfo-32bit Operating systems & Components / Operating system package or component libgmodule-2_0-0-debuginfo Operating systems & Components / Operating system package or component libgmodule-2_0-0-32bit Operating systems & Components / Operating system package or component libgmodule-2_0-0 Operating systems & Components / Operating system package or component libglib-2_0-0-debuginfo-32bit Operating systems & Components / Operating system package or component libglib-2_0-0-debuginfo Operating systems & Components / Operating system package or component libglib-2_0-0-32bit Operating systems & Components / Operating system package or component libglib-2_0-0 Operating systems & Components / Operating system package or component libgio-2_0-0-debuginfo-32bit Operating systems & Components / Operating system package or component libgio-2_0-0-debuginfo Operating systems & Components / Operating system package or component libgio-2_0-0-32bit Operating systems & Components / Operating system package or component libgio-2_0-0 Operating systems & Components / Operating system package or component glib2-tools-debuginfo Operating systems & Components / Operating system package or component glib2-tools Operating systems & Components / Operating system package or component glib2-debugsource Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Incorrect Conversion between Numeric Types
EUVDB-ID: #VU51455
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-27218
CWE-ID:
CWE-681 - Incorrect Conversion between Numeric Types
Exploit availability: No
DescriptionThe vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to incorrect conversion between numeric types in Gnome Glib. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.
MitigationUpdate the affected package glib2 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP2 - 12-SP4
SUSE Linux Enterprise Workstation Extension: 12-SP5
SUSE OpenStack Cloud Crowbar: 8 - 9
SUSE Linux Enterprise Software Development Kit: 12-SP5
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 7 - 9
glib2-devel-static: before 2.48.2-12.22.1
glib2-devel-debuginfo: before 2.48.2-12.22.1
glib2-devel: before 2.48.2-12.22.1
libgio-fam-debuginfo: before 2.48.2-12.22.1
libgio-fam: before 2.48.2-12.22.1
glib2-lang: before 2.48.2-12.22.1
libgthread-2_0-0-debuginfo-32bit: before 2.48.2-12.22.1
libgthread-2_0-0-debuginfo: before 2.48.2-12.22.1
libgthread-2_0-0-32bit: before 2.48.2-12.22.1
libgthread-2_0-0: before 2.48.2-12.22.1
libgobject-2_0-0-debuginfo-32bit: before 2.48.2-12.22.1
libgobject-2_0-0-debuginfo: before 2.48.2-12.22.1
libgobject-2_0-0-32bit: before 2.48.2-12.22.1
libgobject-2_0-0: before 2.48.2-12.22.1
libgmodule-2_0-0-debuginfo-32bit: before 2.48.2-12.22.1
libgmodule-2_0-0-debuginfo: before 2.48.2-12.22.1
libgmodule-2_0-0-32bit: before 2.48.2-12.22.1
libgmodule-2_0-0: before 2.48.2-12.22.1
libglib-2_0-0-debuginfo-32bit: before 2.48.2-12.22.1
libglib-2_0-0-debuginfo: before 2.48.2-12.22.1
libglib-2_0-0-32bit: before 2.48.2-12.22.1
libglib-2_0-0: before 2.48.2-12.22.1
libgio-2_0-0-debuginfo-32bit: before 2.48.2-12.22.1
libgio-2_0-0-debuginfo: before 2.48.2-12.22.1
libgio-2_0-0-32bit: before 2.48.2-12.22.1
libgio-2_0-0: before 2.48.2-12.22.1
glib2-tools-debuginfo: before 2.48.2-12.22.1
glib2-tools: before 2.48.2-12.22.1
glib2-debugsource: before 2.48.2-12.22.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP2-LTSS-ERICSSON:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP2-BCL:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP3-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:12-SP2:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:12-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:12-SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_workstation_extension:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_openstack_cloud_crowbar:8:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_openstack_cloud_crowbar:9:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_software_development_kit:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:hpe_helion_openstack:8:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_openstack_cloud:7:*:*:*:*:*:*:*
- cpe:2.3:a:suse:glib2-devel-static:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glib2-devel-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glib2-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgio-fam-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgio-fam:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glib2-lang:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgthread-2_0-0-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgthread-2_0-0-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgthread-2_0-0-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgthread-2_0-0:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgobject-2_0-0-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgobject-2_0-0-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgobject-2_0-0-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgobject-2_0-0:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgmodule-2_0-0-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgmodule-2_0-0-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgmodule-2_0-0-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgmodule-2_0-0:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libglib-2_0-0-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libglib-2_0-0-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libglib-2_0-0-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libglib-2_0-0:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgio-2_0-0-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgio-2_0-0-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgio-2_0-0-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgio-2_0-0:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glib2-tools-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glib2-tools:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glib2-debugsource:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20210801-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Integer overflow
EUVDB-ID: #VU51456
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-27219
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to integer overflow within the g_bytes_new() function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. A local user can run a specially crafted program to trigger an integer overflow and execute arbitrary code with elevated privileges.
Update the affected package glib2 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP2 - 12-SP4
SUSE Linux Enterprise Workstation Extension: 12-SP5
SUSE OpenStack Cloud Crowbar: 8 - 9
SUSE Linux Enterprise Software Development Kit: 12-SP5
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 7 - 9
glib2-devel-static: before 2.48.2-12.22.1
glib2-devel-debuginfo: before 2.48.2-12.22.1
glib2-devel: before 2.48.2-12.22.1
libgio-fam-debuginfo: before 2.48.2-12.22.1
libgio-fam: before 2.48.2-12.22.1
glib2-lang: before 2.48.2-12.22.1
libgthread-2_0-0-debuginfo-32bit: before 2.48.2-12.22.1
libgthread-2_0-0-debuginfo: before 2.48.2-12.22.1
libgthread-2_0-0-32bit: before 2.48.2-12.22.1
libgthread-2_0-0: before 2.48.2-12.22.1
libgobject-2_0-0-debuginfo-32bit: before 2.48.2-12.22.1
libgobject-2_0-0-debuginfo: before 2.48.2-12.22.1
libgobject-2_0-0-32bit: before 2.48.2-12.22.1
libgobject-2_0-0: before 2.48.2-12.22.1
libgmodule-2_0-0-debuginfo-32bit: before 2.48.2-12.22.1
libgmodule-2_0-0-debuginfo: before 2.48.2-12.22.1
libgmodule-2_0-0-32bit: before 2.48.2-12.22.1
libgmodule-2_0-0: before 2.48.2-12.22.1
libglib-2_0-0-debuginfo-32bit: before 2.48.2-12.22.1
libglib-2_0-0-debuginfo: before 2.48.2-12.22.1
libglib-2_0-0-32bit: before 2.48.2-12.22.1
libglib-2_0-0: before 2.48.2-12.22.1
libgio-2_0-0-debuginfo-32bit: before 2.48.2-12.22.1
libgio-2_0-0-debuginfo: before 2.48.2-12.22.1
libgio-2_0-0-32bit: before 2.48.2-12.22.1
libgio-2_0-0: before 2.48.2-12.22.1
glib2-tools-debuginfo: before 2.48.2-12.22.1
glib2-tools: before 2.48.2-12.22.1
glib2-debugsource: before 2.48.2-12.22.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP2-LTSS-ERICSSON:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP2-BCL:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP3-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:12-SP2:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:12-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:12-SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_workstation_extension:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_openstack_cloud_crowbar:8:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_openstack_cloud_crowbar:9:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_software_development_kit:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:hpe_helion_openstack:8:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_openstack_cloud:7:*:*:*:*:*:*:*
- cpe:2.3:a:suse:glib2-devel-static:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glib2-devel-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glib2-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgio-fam-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgio-fam:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glib2-lang:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgthread-2_0-0-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgthread-2_0-0-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgthread-2_0-0-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgthread-2_0-0:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgobject-2_0-0-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgobject-2_0-0-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgobject-2_0-0-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgobject-2_0-0:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgmodule-2_0-0-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgmodule-2_0-0-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgmodule-2_0-0-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgmodule-2_0-0:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libglib-2_0-0-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libglib-2_0-0-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libglib-2_0-0-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libglib-2_0-0:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgio-2_0-0-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgio-2_0-0-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgio-2_0-0-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libgio-2_0-0:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glib2-tools-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glib2-tools:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glib2-debugsource:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20210801-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
