CVE-2023-32636: glib GVariant Deserialization Code Vulnerability Causes Denial of Service Through Offset Table Validation

A security flaw has been identified in the glib library, specifically in the GVariant deserialization code. This vulnerability (CVE-2023-32636) allows an attacker to execute a Denial of Service (DoS) attack through a crafted GVariant which triggers a slow offset table validation. This flaw does not affect any officially released version of glib, but it does impact distributors who backported the initial fix for CVE-2023-29499 based on guidance provided by glib developers.

What is glib?

glib is a widely-used general-purpose utility library for the C programming language, providing data structures and functions for handling strings, files, command line options, and more. glib's GVariant API is used for serializing complex data types into a compact binary format.

The following code snippet demonstrates the issue in the GVariant deserialization code

static inline gboolean
table_1_validate (Table1 *table, gsize size)
{
  gsize limit;
  /* ... */
  while (offset < limit)
    {
      if (!offset_valid_internal (table, offset, 1))
        return FALSE;

      offset = element_next_internal (table, offset, 1);
    }
  /* ... */
}

This code is responsible for checking the validity of the offset table, and an attacker can craft a specially malformed GVariant to exploit the issue, leading to slow offset table validation and consequently, a DoS attack.

Original References

- _CVE-2023-32636_: National Vulnerability Database (NVD)
- _glib source code_: GitLab GNOME Repository

Exploit details

To exploit this vulnerability, an attacker can create a GVariant instance that triggers the slow offset table validation. For example, by having a long continuous loop due to incorrect offsets and pointers. As a result, the validation process takes a long time to complete. Attackers can manipulate these inputs to cause slow responsiveness in applications that use the glib library, eventually leading to a Denial of Service attack.

Mitigation

To address this issue, glib developers are advised to apply the latest patch available, which adds further input validation and improves the performance of the offset table validation process. Distributors who have backported the initial fix for CVE-2023-29499 should update their glib package with the latest patch to protect against this vulnerability. Users are encouraged to update to a version of the glib library that includes the patch for CVE-2023-32636.

Conclusion

CVE-2023-32636 is a critical security flaw in the glib library's GVariant deserialization code that allows an attacker to execute a Denial of Service attack. This vulnerability does not affect any officially released versions of glib, but it does impact distributors who backported the initial fix for CVE-2023-29499. To mitigate the risks, developers and distributors should apply the latest patch, and users should update their glib library to a safe version.

Timeline

Published on: 09/14/2023 20:15:09 UTC
Last modified on: 11/10/2023 18:15:07 UTC