Your message dated Sun, 15 Jun 2025 14:49:34 +0000
with message-id <[email protected]>
and subject line Bug#1107797: fixed in glib2.0 2.84.3-1
has caused the Debian Bug report #1107797,
regarding glib2.0: CVE-2025-6052
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1107797: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107797
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glib2.0
Version: 2.75.3-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4655
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for glib2.0.

CVE-2025-6052[0]:
| A flaw was found in how GLib’s GString manages memory when adding
| data to strings. If a string is already very large, combining it
| with more input can cause a hidden overflow in the size calculation.
| This makes the system think it has enough memory when it doesn’t. As
| a result, data may be written past the end of the allocated memory,
| leading to crashes or memory corruption.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-6052
    https://www.cve.org/CVERecord?id=CVE-2025-6052
[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4655
[2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4656
[3] https://gitlab.gnome.org/GNOME/glib/-/commit/987309f23ada52592bffdb5db0d8a5d58bd8097b

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: glib2.0
Source-Version: 2.84.3-1
Done: Simon McVittie <[email protected]>

We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated glib2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 15 Jun 2025 12:12:51 +0100
Source: glib2.0
Architecture: source
Version: 2.84.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1087982 1107797
Changes:
 glib2.0 (2.84.3-1) unstable; urgency=medium
 .
   * New upstream stable release
     - Move an ineffective string length overflow check to a location where it
       will be effective, fixing a possible buffer overflow when working with
       multi-gigabyte strings (CVE-2025-6052, Closes: #1107797; unlikely to be
       exploitable in practice)
   * d/control: Update Homepage (Closes: #1087982)

--- End Message ---
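
Added illustration (not part of the bug report, and not GLib's code): a simplified C model of the failure mode the CVE text and the changelog entry describe, where the length sum wraps around so an overflow check placed behind it is never reached. The struct, function names and sample sizes are constructed for this example, and only header arithmetic is done, so no large allocation is needed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header of a growable string. Invariant: len < allocated,
 * because one byte is always reserved for the trailing NUL. */
typedef struct { size_t len; size_t allocated; } buf_hdr;

typedef enum { FITS, MUST_GROW, REJECT_OVERFLOW } verdict;

/* Slow path. The overflow check lives here, so it only runs when the
 * caller's guard decides that growth is needed. */
static verdict grow_path(const buf_hdr *b, size_t add)
{
    if (add > SIZE_MAX - b->len - 1)      /* len + add + 1 would wrap */
        return REJECT_OVERFLOW;
    return MUST_GROW;
}

/* Ineffective placement: the guard itself computes len + add. For a huge
 * len the sum wraps to a small number, the guard is false, and the check
 * in grow_path() is skipped. The caller would then copy 'add' bytes into
 * a buffer that has no room for them. */
verdict reserve_check_late(const buf_hdr *b, size_t add)
{
    if (b->len + add >= b->allocated)     /* unsigned wrap-around here */
        return grow_path(b, add);
    return FITS;
}

/* Effective placement: reject the wrap before any sum is formed. */
verdict reserve_check_early(const buf_hdr *b, size_t add)
{
    if (add > SIZE_MAX - b->len - 1)
        return REJECT_OVERFLOW;
    if (b->len + add >= b->allocated)
        return MUST_GROW;
    return FITS;
}

int main(void)
{
    /* Constructed sizes: a string 16 bytes short of SIZE_MAX, 32 appended. */
    buf_hdr big = { SIZE_MAX - 15, SIZE_MAX - 7 };
    printf("late=%d early=%d\n",
           reserve_check_late(&big, 32), reserve_check_early(&big, 32));
    return 0;
}
```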
