CVE-2019-9633

NameCVE-2019-9633
Descriptiongio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
glib2.0 (PTS)bullseye2.66.8-1+deb11u4fixed
bullseye (security)2.66.8-1+deb11u5fixed
bookworm2.74.6-2+deb12u4fixed
bookworm (security)2.74.6-2+deb12u2fixed
sid, trixie2.82.2-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
glib2.0source(unstable)(not affected)

Notes

- glib2.0 <not-affected> (Vulnerable code introduced in 2.59.1, cf #924344)
https://gitlab.gnome.org/GNOME/glib/issues/1649
https://gitlab.gnome.org/GNOME/glib/commit/d553d92d6e9f53cbe5a34166fcb919ba652c6a8e (2.59.2)
Issue only in 2.59.1 and fixed in 2.59.2.

Search for package or bug name: Reporting problems