Your message dated Tue, 20 May 2025 10:06:39 +0000
with message-id <[email protected]>
and subject line Bug#1104930: fixed in glib2.0 2.84.1-3
has caused the Debian Bug report #1104930,
regarding glib2.0: CVE-2025-4373
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1104930: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104930
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glib2.0
Version: 2.84.1-2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib/-/issues/3677
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for glib2.0.

CVE-2025-4373[0]:
| A flaw was found in GLib, which is vulnerable to an integer overflow
| in the g_string_insert_unichar() function. When the position at
| which to insert the character is large, the position will overflow,
| leading to a buffer underwrite.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-4373
    https://www.cve.org/CVERecord?id=CVE-2025-4373
[1] https://gitlab.gnome.org/GNOME/glib/-/issues/3677
[2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4588
[3] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4592

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
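As an added illustration of the class of check this report is about (constructed here; it is not GLib's code and not part of the bug report): a toy insert-unichar routine whose gssize-style position is range-checked on the signed value before any cast or pointer arithmetic, so an oversized position is refused rather than wrapping into an out-of-bounds write. The names ToyString, toy_insert_unichar, resolve_pos and demo are invented for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy NUL-terminated buffer (len excludes the NUL); constructed here, not GLib's GString. */
typedef struct { char *str; size_t len; size_t cap; } ToyString;
/* Encode a Unicode scalar value as UTF-8; returns 1..4 bytes written, 0 if invalid. */
static size_t encode_utf8(uint32_t c, unsigned char out[4]) {
    if ((c >= 0xD800 && c <= 0xDFFF) || c > 0x10FFFF) return 0;
    size_t n = c < 0x80 ? 1 : c < 0x800 ? 2 : c < 0x10000 ? 3 : 4;
    static const unsigned char lead[5] = { 0, 0x00, 0xC0, 0xE0, 0xF0 };
    for (size_t i = n; i-- > 1; c >>= 6) out[i] = (unsigned char)(0x80 | (c & 0x3F));
    out[0] = (unsigned char)(lead[n] | c);
    return n;
}
/* Map a gssize-style position (negative means append) to an index in [0, len]. The check
 * runs on the signed value before any cast or arithmetic, so an oversized pos is refused. */
static bool resolve_pos(ptrdiff_t pos, size_t len, size_t *out) {
    if (pos < 0) { *out = len; return true; }
    if ((size_t)pos > len) return false;
    *out = (size_t)pos;
    return true;
}
/* Insert one character at pos; on any error returns false and leaves the buffer untouched. */
bool toy_insert_unichar(ToyString *s, ptrdiff_t pos, uint32_t c) {
    unsigned char buf[4];
    size_t p, n = encode_utf8(c, buf);
    if (n == 0 || !resolve_pos(pos, s->len, &p)) return false;
    if (s->len > SIZE_MAX - n - 1) return false;          /* growth would overflow size_t */
    if (s->len + n + 1 > s->cap) {
        char *ns = realloc(s->str, s->len + n + 1);
        if (!ns) return false;
        if (!s->str) ns[0] = '\0';                        /* first allocation: terminate it */
        s->str = ns; s->cap = s->len + n + 1;
    }
    memmove(s->str + p + n, s->str + p, s->len - p + 1);  /* shift tail incl. NUL; p <= len */
    memcpy(s->str + p, buf, n);
    s->len += n;
    return true;
}
/* Demo: "ab" + U+00E9 at index 1 -> "a\xC3\xA9b" (4 bytes); oversized positions refused. */
int demo(void) {
    ToyString s = { NULL, 0, 0 };
    int ok = toy_insert_unichar(&s, -1, 'a') && toy_insert_unichar(&s, -1, 'b')
          && toy_insert_unichar(&s, 1, 0xE9) && !toy_insert_unichar(&s, PTRDIFF_MAX, 'x')
          && !toy_insert_unichar(&s, 5, 'x') && s.len == 4 && !memcmp(s.str, "a\xC3\xA9" "b", 5);
    free(s.str); return ok;
}
```

demo() returns 1 when the in-range inserts succeed and both the PTRDIFF_MAX and the len+1 positions are rejected with the buffer left intact.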
--- Begin Message ---
Source: glib2.0
Source-Version: 2.84.1-3
Done: Simon McVittie <[email protected]>

We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated glib2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 09 May 2025 15:01:35 +0100
Source: glib2.0
Architecture: source
Version: 2.84.1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1104930
Changes:
 glib2.0 (2.84.1-3) unstable; urgency=medium
 .
   [ Jeremy Bícha ]
   * d/p/gfileutils-Preserve-mode-during-atomic-updates.patch:
     Add a note that this fix for LP#2072586 was reverted in the upstream
     2.84.x branch as a behaviour change. It was kept in 2.85.x,
     and seems reasonable to keep for trixie.
 .
   [ Simon McVittie ]
   * d/p/gfileutils-Preserve-mode-during-atomic-updates.patch:
     Add a cross-reference to LP#2072586
   * d/p/gstring-carefully-handle-gssize-parameters.patch,
     d/p/gstring-Make-len_unsigned-unsigned.patch:
     Add patches from upstream to fix a buffer underflow with very large
     GString instances (Closes: #1104930, CVE-2025-4373)
   * d/p/gdate-Call-tzset-before-localtime_r.patch:
     Add patch from upstream to ensure that tzset() is called before
     localtime_r(); otherwise the behaviour of localtime_r() is unspecified.
   * These patches bring us up to date with upstream glib-2-84 branch commit
     2.84.1-15-gb3de15acf9, excluding changes that are not relevant to
     Debian architectures (macOS CI and Windows) and the revert of the fix
     for LP#2072586 (discussed above).
Checksums-Sha1:
 8a433f81ac0774934304c91ee54b60be5a1866fa 4925 glib2.0_2.84.1-3.dsc
 5f1d8d533a3c3f0eb20849b964aaadfd137efb8f 140100 glib2.0_2.84.1-3.debian.tar.xz
 30647ad6f221bf940638573a36b98bd2b1bdceb2 7406 glib2.0_2.84.1-3_source.buildinfo
Checksums-Sha256:
 8fbbbddd9ec3d309997fe4d792b78a39a2ac62b565a03a3706c49e5d02d9e6cd 4925 glib2.0_2.84.1-3.dsc
 832a246906ed73bd2a8e92b5b9a8625bf1a435062cc327d336fcf1ccce27603c 140100 glib2.0_2.84.1-3.debian.tar.xz
 ae65d9a8951b1dc36e04e23aa17ce862965f0e2cd1bddecf3f849c94733c18c1 7406 glib2.0_2.84.1-3_source.buildinfo
Files:
 564133e0c881d8d0ba35bd76b790b71f 4925 libs optional glib2.0_2.84.1-3.dsc
 0f56e195be84982c6af1efc27b2aa599 140100 libs optional glib2.0_2.84.1-3.debian.tar.xz
 ef419c007764e03c54e17ead4300dc80 7406 libs optional glib2.0_2.84.1-3_source.buildinfo


--- End Message ---
