#VU51455 Incorrect Conversion between Numeric Types in Gnome GLib


Published: 2021-03-15

Vulnerability identifier: #VU51455

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-27218

CWE-ID: CWE-681

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Gnome GLib
Universal components / Libraries / Libraries used by multiple products

Vendor: Gnome Development Team

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to incorrect conversion between numeric types in Gnome Glib. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Gnome GLib: 2.66.0 - 2.67.3

CPE

External links
http://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942
http://gitlab.gnome.org/GNOME/glib/-/merge_requests/1944
http://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell Storage Monitoring and Reporting (SMR)
Multiple vulnerabilities in IBM Cloud Pak for Security
Multiple vulnerabilities in Red Hat Service Telemetry Framework
Multiple vulnerabilities in IBM Security Verify Access
Multiple vulnerabilities in Dell EMC Unity
Red Hat Enterprise Linux 8 update for mingw-glib2
Multiple vulnerabilities in OpenShift Virtualization
Multiple vulnerabilities in Dell EMC VxRail Appliance
Multiple vulnerabilities in OpenShift Container Platform 4.7
Multiple vulnerabilities in Red Hat Migration Toolkit for Containers