GNOME GLib
cpe:2.3:a:gnome:glib:*:*:*:*:*:*:*
A buffer-underflow vulnerability has been identified in GLib's GVariant parser, specifically in the bytestring_parse() and string_parse() functions. It allows remote attackers to cause heap corruption, leading to application crashes or potentially arbitrary code execution. The issue arises when the parser processes maliciously crafted input strings that cause its signed 32-bit integer loop indices to overflow into negative values; a negative index makes the parser write to memory before the allocated buffer, an out-of-bounds write. The vulnerability is particularly concerning because GVariant parsing is often performed on data influenced by attackers, making it exploitable in real-world scenarios.
Exploitation leads to heap corruption, causing application crashes and instability. Beyond crashes, it also creates a classic buffer-overflow condition in which an attacker could potentially overwrite memory in a way that allows arbitrary code execution.
The vulnerability can be reproduced by parsing a carefully crafted bytestring or string with the GVariant parser. The input must be designed to cause the loop indices in the parsing functions to overflow, producing the buffer-underflow condition in which the parser writes out of bounds. This can be done with extremely large strings that push the signed integer counters past their maximum, causing them to wrap around into negative values.
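The defect class described above, as an added illustration that is not GLib's code: a simplified quoted-token copy loop whose write index is a signed 32-bit counter, beside a hardened version that uses size_t, bounds-checks every write, and rejects oversized tokens up front. The token shape, function names and the MAX_TOKEN_LEN limit are hypothetical stand-ins, not GLib's actual string_parse()/bytestring_parse().

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in (not GLib's code): the write index is a signed
 * 32-bit int and the loop stops only at the closing quote, so after
 * INT32_MAX writes j wraps to INT32_MIN and out[j] lands far *before*
 * the allocation: the buffer-underflow pattern the advisory describes.
 * Kept only for comparison; it is only safe because the input is short. */
static int32_t copy_quoted_signed(const char *src, char *out)
{
    int32_t j = 0;
    const char *p = src + 1;               /* skip opening quote */
    while (*p != '\'' && *p != '\0')
        out[j++] = *p++;                   /* j++ can overflow here */
    out[j] = '\0';
    return j;
}

/* Assumed policy limit on token length; any value that is clearly below
 * what a 32-bit index could ever reach would serve the same purpose. */
#define MAX_TOKEN_LEN ((size_t)INT32_MAX)

/* Hardened form: size_t index, every write checked against the caller's
 * capacity, and the length policy enforced before copying.  Returns the
 * copied length, or -1 for malformed, unterminated or oversized input. */
static long copy_quoted_checked(const char *src, size_t src_len,
                                char *out, size_t out_cap)
{
    if (src_len < 2 || src[0] != '\'' || out_cap == 0)
        return -1;
    size_t j = 0;
    for (size_t i = 1; i < src_len; i++) {
        if (src[i] == '\'') {               /* closing quote: success */
            out[j] = '\0';
            return (long)j;
        }
        if (j + 1 >= out_cap || j >= MAX_TOKEN_LEN)
            return -1;                      /* would exceed buffer or policy */
        out[j++] = src[i];
    }
    return -1;                              /* unterminated token */
}
```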
The vulnerability has been patched upstream, but users should check with their specific distribution for the availability of the fix.