GNOME glib-networking
cpe:2.3:a:gnome:glib-networking:*:*:*:*:*:*:*
- bc72b6c8cddf5d8e403e74882474baee4210f833
A memory safety vulnerability has been identified in glib-networking's OpenSSL backend, specifically in the certificate handling code. The issue arises from improper validation of the return value from BIO_write(), which can lead to out-of-bounds memory access and process crashes. This vulnerability occurs when the GTlsCertificate:certificate-pem property is accessed, as the faulty BIO_write() return value check allows unterminated string data to be processed, causing memory safety violations. The vulnerability is not present in most Linux distributions since the OpenSSL backend is not compiled by default.
Exploitation of this vulnerability causes a classic out-of-bounds read, where memory adjacent to the BIO buffer can be accessed, potentially exposing sensitive information. The read can also end in a segmentation fault that crashes the process, especially when the BIO buffer is allocated near the end of a mapped memory region. Additionally, the out-of-bounds read can be used to bypass memory protection mechanisms, such as Address Space Layout Randomization (ASLR), which improves the reliability of exploiting a separate vulnerability that allows code execution.
The vulnerability can be reproduced by accessing the GTlsCertificate:certificate-pem property while the system is under memory pressure, which may cause BIO operations to encounter I/O errors. This can also occur if the process hits resource limits, such as file descriptor or memory constraints, or during race conditions in multi-threaded environments.
The vulnerability has been fixed in glib-networking version 2.80.2. Users should upgrade to this version.
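One way a BIO_write() return-value check can go wrong, shown beside a strict check; this is an added example, not glib-networking's code. The sink type and its functions are hypothetical stand-ins for a BIO, the data is constructed, and the example assumes the failed write is reported as -1, which a test for zero treats as success.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a BIO: a fixed-capacity byte sink. */
struct sink { char buf[32]; size_t len; };

/* Assumed convention: bytes written on success, -1 on failure. */
static int sink_write(struct sink *s, const void *data, int n) {
    if (n <= 0 || s->len + (size_t)n > sizeof s->buf)
        return -1;                        /* no room: report an error */
    memcpy(s->buf + s->len, data, (size_t)n);
    s->len += (size_t)n;
    return n;
}

/* Weak check: only a return of 0 is treated as failure, so -1 passes. */
static int terminate_weak(struct sink *s) {
    if (!sink_write(s, "\0", 1))
        return 0;
    return 1;                             /* caller now assumes a C string */
}

/* Strict check: anything but "exactly one byte written" is a failure. */
static int terminate_strict(struct sink *s) {
    return sink_write(s, "\0", 1) == 1;
}

/* Bounded test a consumer can run instead of trusting strlen(). */
static int is_terminated(const struct sink *s) {
    return memchr(s->buf, '\0', s->len) != NULL;
}

/* Fill the sink to capacity with constructed data, then try to terminate.
 * Returns 1 when unterminated data would be handed to the caller. */
static int run(int strict) {
    struct sink s = { {0}, 0 };
    char fill[sizeof s.buf];
    memset(fill, 'A', sizeof fill);
    sink_write(&s, fill, (int)sizeof fill);   /* sink is now full */
    int accepted = strict ? terminate_strict(&s) : terminate_weak(&s);
    return accepted && !is_terminated(&s);
}

int main(void) {
    printf("weak check hands out unterminated data:   %d\n", run(0));
    printf("strict check hands out unterminated data: %d\n", run(1));
    return 0;
}
```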