Your message dated Tue, 09 Dec 2025 16:19:47 +0000
with message-id <[email protected]>
and subject line Bug#1121488: fixed in glib2.0 2.86.3-1
has caused the Debian Bug report #1121488,
regarding glib2.0: CVE-2025-13601
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121488: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121488
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glib2.0
Version: 2.86.2-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib/-/issues/3827
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for glib2.0.

CVE-2025-13601[0]:
| A heap-based buffer overflow problem was found in glib through an
| incorrect calculation of buffer size in the g_escape_uri_string()
| function. If the string to escape contains a very large number of
| unacceptable characters (which would need escaping), the calculation
| of the length of the escaped string could overflow, leading to a
| potential write off the end of the newly allocated string.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-13601
    https://www.cve.org/CVERecord?id=CVE-2025-13601
[1] https://gitlab.gnome.org/GNOME/glib/-/issues/3827

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
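The CVE text quoted above describes an escaped-length calculation that wraps around, so the buffer allocated from it is shorter than the bytes later written into it. The following C program is an added illustration of the defensive pattern and is not GLib's code nor the upstream fix for glib#3827: the size arithmetic (`len + 2 * n_escape + 1`) is done with overflow-checked builtins, and the escaper refuses the input instead of allocating a short buffer. The `is_unreserved` character class and all function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed character class for this toy escaper: the RFC 3986 "unreserved"
 * set. GLib uses its own tables; this is not them. */
static bool is_unreserved(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_' ||
           c == '.' || c == '~';
}

/* Size of the escaped buffer, including the NUL, for a string of `len`
 * bytes of which `n_escape` become "%XX": len + 2*n_escape + 1.
 * Returns false instead of wrapping when the result does not fit in
 * size_t. A wrap here is exactly the bug class the CVE describes: the
 * caller would allocate a too-small buffer and write past its end. */
bool checked_escaped_size(size_t len, size_t n_escape, size_t *out)
{
    size_t extra, total;

    if (__builtin_mul_overflow(n_escape, (size_t) 2, &extra))
        return false;
    if (__builtin_add_overflow(len, extra, &total))
        return false;
    if (__builtin_add_overflow(total, (size_t) 1, &total))
        return false;
    *out = total;
    return true;
}

/* Percent-escape `s`. Returns a malloc'd string, or NULL if the escaped
 * size would overflow or the allocation fails. Caller frees the result. */
char *escape_uri_checked(const char *s)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len = strlen(s), n_escape = 0, size, j = 0;
    char *out;

    /* First pass: count bytes that need escaping. */
    for (size_t i = 0; i < len; i++)
        if (!is_unreserved((unsigned char) s[i]))
            n_escape++;

    /* Refuse rather than allocate a wrapped (too small) size. */
    if (!checked_escaped_size(len, n_escape, &size))
        return NULL;

    out = malloc(size);
    if (out == NULL)
        return NULL;

    /* Second pass: every write stays within `size` bytes by construction. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char) s[i];
        if (is_unreserved(c)) {
            out[j++] = (char) c;
        } else {
            out[j++] = '%';
            out[j++] = hex[c >> 4];
            out[j++] = hex[c & 0x0F];
        }
    }
    out[j] = '\0';
    return out;
}

int main(void)
{
    size_t n;
    char *e = escape_uri_checked("a b/c");

    printf("escaped: %s\n", e ? e : "(null)");
    printf("SIZE_MAX bytes, 0 escapes fits: %s\n",
           checked_escaped_size(SIZE_MAX, 0, &n) ? "yes" : "no");
    free(e);
    return 0;
}
```

The two-pass structure is the point: the count from the first pass feeds a checked computation, and the write loop can only stay in bounds if that computation was honest. Sanitizer builds (`-fsanitize=address,undefined`) will flag the write past the end if the check is ever removed, which is a useful regression test for escapers of this shape.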
--- Begin Message ---
Source: glib2.0
Source-Version: 2.86.3-1
Done: Simon McVittie <[email protected]>

We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated glib2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 09 Dec 2025 13:31:14 +0000
Source: glib2.0
Architecture: source
Version: 2.86.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1121488
Changes:
 glib2.0 (2.86.3-1) unstable; urgency=medium
 .
   * New upstream security-fix release
     - Fix calculation of buffer sizes when escaping URI strings
       (CVE-2025-13601, glib#3827 upstream, Closes: #1121488)
     - Fix possible buffer underflow parsing GVariant strings/bytestrings
       (CVE-2025-14087, glib#3834 upstream)
     - Fix integer overflow in file attribute escaping
       (glib#3845 upstream)
     - Windows-specific changes not described in detail here
Checksums-Sha1:
 6c5f1de1cb4322de5a956c35d09595ce27343a97 4911 glib2.0_2.86.3-1.dsc
 ade0b6ba8926c1cc81e28c86ae2652f47ceff885 660708 glib2.0_2.86.3.orig-unicode-data.tar.xz
 123b02f7710316e8e2736b9842b5aab126155e59 5674820 glib2.0_2.86.3.orig.tar.xz
 dd39385b23fe0f208c6986f7c6958ce11056cbcb 141336 glib2.0_2.86.3-1.debian.tar.xz
 cd24e7eef10b8e068b11e0b9933d5d544af2dd8a 7389 glib2.0_2.86.3-1_source.buildinfo
Checksums-Sha256:
 220faab419941c9857badfc1b3507eb6b9620cdd9db50b0f33cd7b73650be2ac 4911 glib2.0_2.86.3-1.dsc
 c1742461e8c0e9673a3453a3127671169de9cb0138493e5c916f1b989530efcd 660708 glib2.0_2.86.3.orig-unicode-data.tar.xz
 b3211d8d34b9df5dca05787ef0ad5d7ca75dec998b970e1aab0001d229977c65 5674820 glib2.0_2.86.3.orig.tar.xz
 e40aa5391a2618996e4451e7091a2402fb06241959ee8cf00b6e63eba6a15cd2 141336 glib2.0_2.86.3-1.debian.tar.xz
 7ab905ec3a999d2124eccd70056799337ced4670d5f418ad1bb5d0baf0918424 7389 glib2.0_2.86.3-1_source.buildinfo
Files:
 a3508db218fa419d6483383943f5273f 4911 libs optional glib2.0_2.86.3-1.dsc
 2b38b2623d9b97ba703de7c94fd25ba2 660708 libs optional glib2.0_2.86.3.orig-unicode-data.tar.xz
 2383dcdbf3eeb35d9ab005532fb256ba 5674820 libs optional glib2.0_2.86.3.orig.tar.xz
 0095fd3043bf2f38a2f0d29a799bf348 141336 libs optional glib2.0_2.86.3-1.debian.tar.xz
 d03c281811ab2c4816911ae59337d58d 7389 libs optional glib2.0_2.86.3-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
