Your message dated Fri, 26 Dec 2025 14:47:43 +0000
with message-id <[email protected]>
and subject line Bug#1121488: fixed in glib2.0 2.74.6-2+deb12u8
has caused the Debian Bug report #1121488,
regarding glib#3827, CVE-2025-13601: integer overflow escaping large strings for inclusion in URIs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121488: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121488
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glib2.0
Version: 2.86.2-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib/-/issues/3827
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for glib2.0.

CVE-2025-13601[0]:
| A heap-based buffer overflow problem was found in glib through an
| incorrect calculation of buffer size in the g_escape_uri_string()
| function. If the string to escape contains a very large number of
| unacceptable characters (which would need escaping), the calculation
| of the length of the escaped string could overflow, leading to a
| potential write off the end of the newly allocated string.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-13601
    https://www.cve.org/CVERecord?id=CVE-2025-13601
[1] https://gitlab.gnome.org/GNOME/glib/-/issues/3827

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
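As an added illustration, not GLib's code nor the upstream fix referenced in the report, the following C routine shows the defect class the CVE description names from the defensive side: the escaped-length calculation refuses to proceed when `len + 1 + 2 * n_escape` would not fit in `size_t`, instead of wrapping to a small value that would undersize the allocation. Function names are hypothetical; the pass-through set assumed is the RFC 3986 unreserved characters.

```c
/* Added example, not GLib's code: a URI percent-escape whose buffer-size
 * calculation rejects arithmetic overflow instead of wrapping, the defect
 * class described for g_escape_uri_string() in CVE-2025-13601.
 * Function names are hypothetical. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 3986 unreserved characters pass through; everything else becomes %XX. */
static bool needs_escape(unsigned char c)
{
    return !(isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~');
}

/* Escaped buffer size: len + 1 (NUL) + 2 extra bytes per escaped character.
 * Returns false when that sum would not fit in size_t, rather than wrapping
 * to a small value that would make the later allocation too short. */
bool checked_escaped_size(size_t len, size_t n_escape, size_t *out)
{
    if (len == SIZE_MAX)
        return false;                      /* len + 1 would wrap */
    size_t room = SIZE_MAX - (len + 1);
    if (n_escape > room / 2)
        return false;                      /* 2 * n_escape would exceed room */
    *out = len + 1 + 2 * n_escape;
    return true;
}

/* Escape s into a freshly allocated string; NULL on overflow or allocation failure. */
char *escape_uri_string_checked(const char *s)
{
    size_t len = strlen(s), n_escape = 0, size;
    for (size_t i = 0; i < len; i++)
        n_escape += needs_escape((unsigned char)s[i]);
    if (!checked_escaped_size(len, n_escape, &size))
        return NULL;                       /* caller must treat this as an error */
    char *out = malloc(size), *p = out;
    if (!out)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (needs_escape(c))
            p += sprintf(p, "%%%02X", c);  /* writes exactly 3 bytes */
        else
            *p++ = (char)c;
    }
    *p = '\0';                             /* lands on the reserved final byte */
    return out;
}
```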
--- Begin Message ---
Source: glib2.0
Source-Version: 2.74.6-2+deb12u8
Done: Emilio Pozuelo Monfort <[email protected]>

We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <[email protected]> (supplier of updated glib2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Mon, 15 Dec 2025 15:29:38 +0100
Source: glib2.0
Architecture: source
Version: 2.74.6-2+deb12u8
Distribution: bookworm
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Emilio Pozuelo Monfort <[email protected]>
Closes: 1121488 1122346 1122347
Changes:
 glib2.0 (2.74.6-2+deb12u8) bookworm; urgency=medium
 .
   * Team upload.
   * CVE-2025-13601: integer overflow into heap buffer overflow escaping
     very large strings in g_escape_uri_string (Closes: #1121488).
   * CVE-2025-14087: buffer overwrite when processing large GVariant strings.
     (Closes: #1122347).
   * CVE-2025-14512: integer overflow into buffer overwrite when processing
     file attributes in GIO's escape_byte_string (Closes: #1122346).



--- End Message ---