Ubuntu update for glib2.0
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2023-24593 CVE-2023-25180 CVE-2023-29499 CVE-2023-32611 CVE-2023-32636 CVE-2023-32643 CVE-2023-32665 |
| CWE-ID | CWE-20 CWE-400 CWE-122 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Ubuntu Operating systems & Components / Operating system libglib2.0-bin (Ubuntu package) Operating systems & Components / Operating system package or component libglib2.0-0 (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU75361
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-24593
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling a text-form variant. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationUpdate the affected package glib2.0 to the latest version.
Vulnerable software versionsUbuntu: 20.04 - 22.10
libglib2.0-bin (Ubuntu package): before 2.64.6-1~ubuntu20.04.6
libglib2.0-0 (Ubuntu package): before 2.64.6-1~ubuntu20.04.6
CPE2.3- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:22.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:libglib2.0-bin_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libglib2.0-0_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6165-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU75362
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-25180
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling a serialised variant. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationUpdate the affected package glib2.0 to the latest version.
Vulnerable software versionsUbuntu: 20.04 - 22.10
libglib2.0-bin (Ubuntu package): before 2.64.6-1~ubuntu20.04.6
libglib2.0-0 (Ubuntu package): before 2.64.6-1~ubuntu20.04.6
CPE2.3- cpe:2.3:o:canonical:libglib2.0-bin_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libglib2.0-0_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6165-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU77351
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-29499
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationUpdate the affected package glib2.0 to the latest version.
Vulnerable software versionsUbuntu: 20.04 - 22.10
libglib2.0-bin (Ubuntu package): before 2.64.6-1~ubuntu20.04.6
libglib2.0-0 (Ubuntu package): before 2.64.6-1~ubuntu20.04.6
CPE2.3- cpe:2.3:o:canonical:libglib2.0-bin_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libglib2.0-0_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6165-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Resource exhaustion
EUVDB-ID: #VU77350
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-32611
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the g_variant_byteswap() function. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationUpdate the affected package glib2.0 to the latest version.
Vulnerable software versionsUbuntu: 20.04 - 22.10
libglib2.0-bin (Ubuntu package): before 2.64.6-1~ubuntu20.04.6
libglib2.0-0 (Ubuntu package): before 2.64.6-1~ubuntu20.04.6
CPE2.3- cpe:2.3:o:canonical:libglib2.0-bin_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libglib2.0-0_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6165-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU77348
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-32636
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted GVariants to the application and perform a denial of service (DoS) attack.
MitigationUpdate the affected package glib2.0 to the latest version.
Vulnerable software versionsUbuntu: 20.04 - 22.10
libglib2.0-bin (Ubuntu package): before 2.64.6-1~ubuntu20.04.6
libglib2.0-0 (Ubuntu package): before 2.64.6-1~ubuntu20.04.6
CPE2.3- cpe:2.3:o:canonical:libglib2.0-bin_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libglib2.0-0_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6165-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Heap-based buffer overflow
EUVDB-ID: #VU77352
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-32643
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the g_variant_serialised_get_child() function. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package glib2.0 to the latest version.
Vulnerable software versionsUbuntu: 20.04 - 22.10
libglib2.0-bin (Ubuntu package): before 2.64.6-1~ubuntu20.04.6
libglib2.0-0 (Ubuntu package): before 2.64.6-1~ubuntu20.04.6
CPE2.3- cpe:2.3:o:canonical:libglib2.0-bin_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libglib2.0-0_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6165-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Resource exhaustion
EUVDB-ID: #VU77349
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-32665
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationUpdate the affected package glib2.0 to the latest version.
Vulnerable software versionsUbuntu: 20.04 - 22.10
libglib2.0-bin (Ubuntu package): before 2.64.6-1~ubuntu20.04.6
libglib2.0-0 (Ubuntu package): before 2.64.6-1~ubuntu20.04.6
CPE2.3- cpe:2.3:o:canonical:libglib2.0-bin_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libglib2.0-0_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6165-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
