ID

VAR-202102-1093

CVE

CVE-2021-27219

TITLE

GNOME GLib  Vulnerability in conversion between numeric types in

DESCRIPTION

An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption. GNOME GLib Is vulnerable to a conversion error between numeric types.Denial of service (DoS) It may be put into a state. Currently there is no information about this vulnerability. Please keep an eye on CNNVD or manufacturer announcements. Bugs fixed (https://bugzilla.redhat.com/): 1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve 1945703 - "Guest OS Info" availability in VMI describe is flaky 1958816 - [2.6.z] KubeMacPool fails to start due to OOM likely caused by a high number of Pods running in the cluster 1963275 - migration controller null pointer dereference 1965099 - Live Migration double handoff to virt-handler causes connection failures 1965181 - CDI importer doesn't report AwaitingVDDK like it used to 1967086 - Cloning DataVolumes between namespaces fails while creating cdi-upload pod 1967887 - [2.6.6] nmstate is not progressing on a node and not configuring vlan filtering that causes an outage for VMs 1969756 - Windows VMs fail to start on air-gapped environments 1970372 - Virt-handler fails to verify container-disk 1973227 - segfault in virt-controller during pdb deletion 1974084 - 2.6.6 containers 1975212 - No Virtual Machine Templates Found [EDIT - all templates are marked as depracted] 1975727 - [Regression][VMIO][Warm] The third precopy does not end in warm migration 1977756 - [2.6.z] PVC keeps in pending when using hostpath-provisioner 1982760 - [v2v] no kind VirtualMachine is registered for version \"kubevirt.io/v1\" i... 1986989 - OpenShift Virtualization 2.6.z cannot be upgraded to 4.8.0 initially deployed starting with <= 4.8 5. Description: Windows Container Support for Red Hat OpenShift allows you to deploy Windows container workloads running on Windows Server containers. Bug Fix(es): * WMCO patch pub-key-hash annotation to Linux node (BZ#1945248) * LoadBalancer Service type with invalid external loadbalancer IP breaks the datapath (BZ#1952917) * Telemetry info not completely available to identify windows nodes (BZ#1955319) * WMCO incorrectly shows node as ready after a failed configuration (BZ#1956412) * kube-proxy service terminated unexpectedly after recreated LB service (BZ#1963263) 3. Solution: For Windows Machine Config Operator upgrades, see the following documentation: https://docs.openshift.com/container-platform/4.7/windows_containers/window s-node-upgrades.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1945248 - WMCO patch pub-key-hash annotation to Linux node 1946538 - CVE-2021-25736 kubernetes: LoadBalancer Service type don't create a HNS policy for empty or invalid external loadbalancer IP, what could lead to MITM 1952917 - LoadBalancer Service type with invalid external loadbalancer IP breaks the datapath 1955319 - Telemetry info not completely available to identify windows nodes 1956412 - WMCO incorrectly shows node as ready after a failed configuration 1963263 - kube-proxy service terminated unexpectedly after recreated LB service 5. Bugs fixed (https://bugzilla.redhat.com/): 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers 1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve 1928172 - CVE-2020-13949 libthrift: potential DoS when processing untrusted payloads 1928937 - CVE-2021-23337 nodejs-lodash: command injection via template 1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions 5. These packages include redhat-release-virtualization-host. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This version of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6 and 4.7, and includes security and bug fixes and enhancements. Bugs fixed (https://bugzilla.redhat.com/): 1937901 - CVE-2021-27918 golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader 1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header 1965503 - CVE-2021-33196 golang: archive/zip: Malformed archive may cause panic or memory exhaustion 1971445 - Release of OpenShift Serverless Serving 1.16.0 1971448 - Release of OpenShift Serverless Eventing 1.16.0 5. 7.3) - noarch, x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: glib2 security update Advisory ID: RHSA-2021:2174-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:2174 Issue date: 2021-06-01 CVE Names: CVE-2021-27219 ==================================================================== 1. Summary: An update for glib2 is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server AUS (v. 7.4) - x86_64 Red Hat Enterprise Linux Server E4S (v. 7.4) - ppc64le, x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 7.4) - noarch, x86_64 Red Hat Enterprise Linux Server Optional E4S (v. 7.4) - noarch, ppc64le, x86_64 Red Hat Enterprise Linux Server Optional TUS (v. 7.4) - noarch, x86_64 Red Hat Enterprise Linux Server TUS (v. 7.4) - x86_64 3. Description: GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Package List: Red Hat Enterprise Linux Server AUS (v. 7.4): Source: glib2-2.50.3-4.el7_4.src.rpm x86_64: glib2-2.50.3-4.el7_4.i686.rpm glib2-2.50.3-4.el7_4.x86_64.rpm glib2-debuginfo-2.50.3-4.el7_4.i686.rpm glib2-debuginfo-2.50.3-4.el7_4.x86_64.rpm glib2-devel-2.50.3-4.el7_4.i686.rpm glib2-devel-2.50.3-4.el7_4.x86_64.rpm Red Hat Enterprise Linux Server E4S (v. 7.4): Source: glib2-2.50.3-4.el7_4.src.rpm ppc64le: glib2-2.50.3-4.el7_4.ppc64le.rpm glib2-debuginfo-2.50.3-4.el7_4.ppc64le.rpm glib2-devel-2.50.3-4.el7_4.ppc64le.rpm x86_64: glib2-2.50.3-4.el7_4.i686.rpm glib2-2.50.3-4.el7_4.x86_64.rpm glib2-debuginfo-2.50.3-4.el7_4.i686.rpm glib2-debuginfo-2.50.3-4.el7_4.x86_64.rpm glib2-devel-2.50.3-4.el7_4.i686.rpm glib2-devel-2.50.3-4.el7_4.x86_64.rpm Red Hat Enterprise Linux Server TUS (v. 7.4): Source: glib2-2.50.3-4.el7_4.src.rpm x86_64: glib2-2.50.3-4.el7_4.i686.rpm glib2-2.50.3-4.el7_4.x86_64.rpm glib2-debuginfo-2.50.3-4.el7_4.i686.rpm glib2-debuginfo-2.50.3-4.el7_4.x86_64.rpm glib2-devel-2.50.3-4.el7_4.i686.rpm glib2-devel-2.50.3-4.el7_4.x86_64.rpm Red Hat Enterprise Linux Server Optional AUS (v. 7.4): noarch: glib2-doc-2.50.3-4.el7_4.noarch.rpm x86_64: glib2-debuginfo-2.50.3-4.el7_4.i686.rpm glib2-debuginfo-2.50.3-4.el7_4.x86_64.rpm glib2-fam-2.50.3-4.el7_4.x86_64.rpm glib2-static-2.50.3-4.el7_4.i686.rpm glib2-static-2.50.3-4.el7_4.x86_64.rpm glib2-tests-2.50.3-4.el7_4.x86_64.rpm Red Hat Enterprise Linux Server Optional E4S (v. 7.4): noarch: glib2-doc-2.50.3-4.el7_4.noarch.rpm ppc64le: glib2-debuginfo-2.50.3-4.el7_4.ppc64le.rpm glib2-fam-2.50.3-4.el7_4.ppc64le.rpm glib2-static-2.50.3-4.el7_4.ppc64le.rpm glib2-tests-2.50.3-4.el7_4.ppc64le.rpm x86_64: glib2-debuginfo-2.50.3-4.el7_4.i686.rpm glib2-debuginfo-2.50.3-4.el7_4.x86_64.rpm glib2-fam-2.50.3-4.el7_4.x86_64.rpm glib2-static-2.50.3-4.el7_4.i686.rpm glib2-static-2.50.3-4.el7_4.x86_64.rpm glib2-tests-2.50.3-4.el7_4.x86_64.rpm Red Hat Enterprise Linux Server Optional TUS (v. 7.4): noarch: glib2-doc-2.50.3-4.el7_4.noarch.rpm x86_64: glib2-debuginfo-2.50.3-4.el7_4.i686.rpm glib2-debuginfo-2.50.3-4.el7_4.x86_64.rpm glib2-fam-2.50.3-4.el7_4.x86_64.rpm glib2-static-2.50.3-4.el7_4.i686.rpm glib2-static-2.50.3-4.el7_4.x86_64.rpm glib2-tests-2.50.3-4.el7_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-27219 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYLYYptzjgjWX9erEAQhH2w/7BmVMxX9Bxpe0XfXUK/utQK42LFQmy8fV B/7MC9Mvi+kF2kKStjPo+YSJR4O1Om7kuK/sv6UJPtc+bjgw5aLqFcxqapGylAU9 /xTO5RkiR14TxXIQMFXcKkISsesCwRCuDL0Vyr9KXxdiv1IghfjkWWLv3qqPIbL/ jm1IBbcIDvRiABzASCbhuntgeF1nUFZ7Fn4IkzNUVKSqWX5SsQcDrLVHdVQDbpe4 bK714tbGkQ5sMR9M/YUcNitovaRLBlhNtT3dtY6QoNLxwXPc+b9fhKyVSI4CJT7k wdXOPc0brSg7K+et6aDNU6l8oUfSvJpb8489shxQfEsK+oDZXUDMiJPLfi5HNEhE I+/1E3blaDNaAlsybf/R/db2LxGON8W6rzHBcbCMIPqg6e2ZtTBATJjYgw6liykr jZuxPtmiMc662TCBtStxqKdBKpFNgKKQh1fmhO6vfj0G9ro4Col19DYcWmqFH8np 0H4igXwJvNXg5rP6V6FCP/JVVi2oAzIiSARXBVbMGcPhAtvt6FN0+L247s7BGuQP O//llRcUr6ifUDtgJdcpN5jyonjnj8sVnAmPPeGECy1TGMArDybp5P7qEQwubrC0 eN5M6RaBAk9XVhMLxyRPCsnY/+uoIISaRK5Qjtvc0r3gOWhf2OlMO2BLcLkEvlsH FH8Eepv6YZo=9n3l -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . 7.7) - noarch, ppc64, ppc64le, s390x, x86_64 3. ========================================================================== Ubuntu Security Notice USN-4759-1 March 08, 2021 glib2.0 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.10 - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in GLib. Software Description: - glib2.0: GLib library of C routines Details: Krzesimir Nowak discovered that GLib incorrectly handled certain large buffers. A remote attacker could use this issue to cause applications linked to GLib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-27218) Kevin Backhouse discovered that GLib incorrectly handled certain memory allocations. A remote attacker could use this issue to cause applications linked to GLib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-27219) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.10: libglib2.0-0 2.66.1-2ubuntu0.1 Ubuntu 20.04 LTS: libglib2.0-0 2.64.6-1~ubuntu20.04.2 Ubuntu 18.04 LTS: libglib2.0-0 2.56.4-0ubuntu0.18.04.7 Ubuntu 16.04 LTS: libglib2.0-0 2.48.2-0ubuntu4.7 After a standard system update you need to restart your session to make all the necessary changes

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

overflow

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-09-30T22:55:09.413000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE