SUSE update for glib2

Published: 2023-09-05

Risk	High
Patch available	YES
Number of vulnerabilities	6
CVE-ID	CVE-2021-28153 CVE-2023-29499 CVE-2023-32611 CVE-2023-32636 CVE-2023-32643 CVE-2023-32665
CWE-ID	CWE-61 CWE-20 CWE-400 CWE-122
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	SUSE Linux Enterprise Server for SAP Applications 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 SP1 LTSS Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 15 Operating systems & Components / Operating system SUSE Enterprise Storage Operating systems & Components / Operating system SUSE CaaS Platform Operating systems & Components / Operating system libgobject-2_0-0-32bit-debuginfo Operating systems & Components / Operating system package or component libglib-2_0-0-32bit-debuginfo Operating systems & Components / Operating system package or component libgio-2_0-0-32bit Operating systems & Components / Operating system package or component libgmodule-2_0-0-32bit Operating systems & Components / Operating system package or component libgio-2_0-0-32bit-debuginfo Operating systems & Components / Operating system package or component libgobject-2_0-0-32bit Operating systems & Components / Operating system package or component libgmodule-2_0-0-32bit-debuginfo Operating systems & Components / Operating system package or component libglib-2_0-0-32bit Operating systems & Components / Operating system package or component glib2-lang Operating systems & Components / Operating system package or component glib2-tools-debuginfo Operating systems & Components / Operating system package or component libgio-2_0-0-debuginfo Operating systems & Components / Operating system package or component libglib-2_0-0-debuginfo Operating systems & Components / Operating system package or component glib2-debugsource Operating systems & Components / Operating system package or component libgthread-2_0-0-debuginfo Operating systems & Components / Operating system package or component libgobject-2_0-0-debuginfo Operating systems & Components / Operating system package or component libgobject-2_0-0 Operating systems & Components / Operating system package or component libgmodule-2_0-0-debuginfo Operating systems & Components / Operating system package or component glib2-devel Operating systems & Components / Operating system package or component glib2-tools Operating systems & Components / Operating system package or component glib2-devel-debuginfo Operating systems & Components / Operating system package or component libgmodule-2_0-0 Operating systems & Components / Operating system package or component libgio-2_0-0 Operating systems & Components / Operating system package or component libglib-2_0-0 Operating systems & Components / Operating system package or component libgthread-2_0-0 Operating systems & Components / Operating system package or component
Vendor	SUSE

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) UNIX symbolic link following

EUVDB-ID: #VU51454

Risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-28153

CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a symlink following issue, when g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION. A local user can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.

Successful exploitation of this vulnerability may result in privilege escalation.

Mitigation

Update the affected package glib2 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP Applications 15: SP1

SUSE Linux Enterprise Server 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise Server 15: SP1

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing 15: SP1

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

libgobject-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libgio-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgio-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-32bit: before 2.54.3-150000.4.29.1

glib2-lang: before 2.54.3-150000.4.29.1

glib2-tools-debuginfo: before 2.54.3-150000.4.29.1

libgio-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

glib2-debugsource: before 2.54.3-150000.4.29.1

libgthread-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

glib2-devel: before 2.54.3-150000.4.29.1

glib2-tools: before 2.54.3-150000.4.29.1

glib2-devel-debuginfo: before 2.54.3-150000.4.29.1

libgmodule-2_0-0: before 2.54.3-150000.4.29.1

libgio-2_0-0: before 2.54.3-150000.4.29.1

libglib-2_0-0: before 2.54.3-150000.4.29.1

libgthread-2_0-0: before 2.54.3-150000.4.29.1

CPE2.3

External links

https://www.suse.com/support/update/announcement/2023/suse-su-20233535-1/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU77351

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-29499

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected package glib2 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP Applications 15: SP1

SUSE Linux Enterprise Server 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise Server 15: SP1

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing 15: SP1

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

libgobject-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libgio-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgio-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-32bit: before 2.54.3-150000.4.29.1

glib2-lang: before 2.54.3-150000.4.29.1

glib2-tools-debuginfo: before 2.54.3-150000.4.29.1

libgio-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

glib2-debugsource: before 2.54.3-150000.4.29.1

libgthread-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

glib2-devel: before 2.54.3-150000.4.29.1

glib2-tools: before 2.54.3-150000.4.29.1

glib2-devel-debuginfo: before 2.54.3-150000.4.29.1

libgmodule-2_0-0: before 2.54.3-150000.4.29.1

libgio-2_0-0: before 2.54.3-150000.4.29.1

libglib-2_0-0: before 2.54.3-150000.4.29.1

libgthread-2_0-0: before 2.54.3-150000.4.29.1

CPE2.3

External links

https://www.suse.com/support/update/announcement/2023/suse-su-20233535-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Resource exhaustion

EUVDB-ID: #VU77350

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-32611

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the g_variant_byteswap() function. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected package glib2 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP Applications 15: SP1

SUSE Linux Enterprise Server 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise Server 15: SP1

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing 15: SP1

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

libgobject-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libgio-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgio-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-32bit: before 2.54.3-150000.4.29.1

glib2-lang: before 2.54.3-150000.4.29.1

glib2-tools-debuginfo: before 2.54.3-150000.4.29.1

libgio-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

glib2-debugsource: before 2.54.3-150000.4.29.1

libgthread-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

glib2-devel: before 2.54.3-150000.4.29.1

glib2-tools: before 2.54.3-150000.4.29.1

glib2-devel-debuginfo: before 2.54.3-150000.4.29.1

libgmodule-2_0-0: before 2.54.3-150000.4.29.1

libgio-2_0-0: before 2.54.3-150000.4.29.1

libglib-2_0-0: before 2.54.3-150000.4.29.1

libgthread-2_0-0: before 2.54.3-150000.4.29.1

CPE2.3

External links

https://www.suse.com/support/update/announcement/2023/suse-su-20233535-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

EUVDB-ID: #VU77348

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-32636

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted GVariants to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected package glib2 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP Applications 15: SP1

SUSE Linux Enterprise Server 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise Server 15: SP1

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing 15: SP1

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

libgobject-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libgio-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgio-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-32bit: before 2.54.3-150000.4.29.1

glib2-lang: before 2.54.3-150000.4.29.1

glib2-tools-debuginfo: before 2.54.3-150000.4.29.1

libgio-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

glib2-debugsource: before 2.54.3-150000.4.29.1

libgthread-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

glib2-devel: before 2.54.3-150000.4.29.1

glib2-tools: before 2.54.3-150000.4.29.1

glib2-devel-debuginfo: before 2.54.3-150000.4.29.1

libgmodule-2_0-0: before 2.54.3-150000.4.29.1

libgio-2_0-0: before 2.54.3-150000.4.29.1

libglib-2_0-0: before 2.54.3-150000.4.29.1

libgthread-2_0-0: before 2.54.3-150000.4.29.1

CPE2.3

External links

https://www.suse.com/support/update/announcement/2023/suse-su-20233535-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Heap-based buffer overflow

EUVDB-ID: #VU77352

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2023-32643

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the g_variant_serialised_get_child() function. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package glib2 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP Applications 15: SP1

SUSE Linux Enterprise Server 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise Server 15: SP1

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing 15: SP1

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

libgobject-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libgio-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgio-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-32bit: before 2.54.3-150000.4.29.1

glib2-lang: before 2.54.3-150000.4.29.1

glib2-tools-debuginfo: before 2.54.3-150000.4.29.1

libgio-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

glib2-debugsource: before 2.54.3-150000.4.29.1

libgthread-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

glib2-devel: before 2.54.3-150000.4.29.1

glib2-tools: before 2.54.3-150000.4.29.1

glib2-devel-debuginfo: before 2.54.3-150000.4.29.1

libgmodule-2_0-0: before 2.54.3-150000.4.29.1

libgio-2_0-0: before 2.54.3-150000.4.29.1

libglib-2_0-0: before 2.54.3-150000.4.29.1

libgthread-2_0-0: before 2.54.3-150000.4.29.1

CPE2.3

External links

https://www.suse.com/support/update/announcement/2023/suse-su-20233535-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Resource exhaustion

EUVDB-ID: #VU77349

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-32665

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected package glib2 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP Applications 15: SP1

SUSE Linux Enterprise Server 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise Server 15: SP1

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing 15: SP1

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

libgobject-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libgio-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgio-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0-32bit: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-32bit-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-32bit: before 2.54.3-150000.4.29.1

glib2-lang: before 2.54.3-150000.4.29.1

glib2-tools-debuginfo: before 2.54.3-150000.4.29.1

libgio-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libglib-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

glib2-debugsource: before 2.54.3-150000.4.29.1

libgthread-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

libgobject-2_0-0: before 2.54.3-150000.4.29.1

libgmodule-2_0-0-debuginfo: before 2.54.3-150000.4.29.1

glib2-devel: before 2.54.3-150000.4.29.1

glib2-tools: before 2.54.3-150000.4.29.1

glib2-devel-debuginfo: before 2.54.3-150000.4.29.1

libgmodule-2_0-0: before 2.54.3-150000.4.29.1

libgio-2_0-0: before 2.54.3-150000.4.29.1

libglib-2_0-0: before 2.54.3-150000.4.29.1

libgthread-2_0-0: before 2.54.3-150000.4.29.1

CPE2.3

External links

https://www.suse.com/support/update/announcement/2023/suse-su-20233535-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.