Descriptiongio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
glib2.0 (PTS)buster2.58.3-2+deb10u3fixed
buster (security)2.58.3-2+deb10u4fixed
bookworm, sid2.74.6-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
glib2.0source(unstable)(not affected)


- glib2.0 <not-affected> (Vulnerable code introduced in 2.59.1, cf #924344) (2.59.2)
Issue only in 2.59.1 and fixed in 2.59.2.

Search for package or bug name: Reporting problems