Hi,
On 10/12/2025 15:13, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> X-Debbugs-Cc: [email protected]
> Control: affects -1 + src:glib2.0
> User: [email protected]
> Usertags: pu
>
> [ Reason ]
> Fix low-severity CVEs
>
> [ Impact ]
> If software parses inadvisably large amounts of attacker-controlled
> GVariant text format (≥ 1 GiB), or escapes inadvisably large
> attacker-controlled strings for inclusion in URIs (≥ 0.5 GiB), or loads
> inadvisably large attacker-controlled GIO file attributes (≥ 1 GiB),
> then an attacker could cause denial of service or possibly arbitrary
> code execution.
>
> The security team agrees that these are "no-DSA" issues.
>
> [ Tests ]
> The test suite still passes. The fixes are not really feasible to
> unit-test since they require allocating (at least) hundreds of MiB of
> junk.
>
> A GNOME desktop boots successfully in a virtual machine with the
> proposed GLib. I'll test on real hardware before uploading.
>
> [ Risks ]
> The patches were reviewed by upstream and are narrowly targeted, so I
> think this is fine.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> All changes fix potential integer overflows by making sure to do
> address calculations in unsigned size_t space, except for one patch that
> adds a fuzzing driver for one of the affected areas.
>
> The attached diff is not finalized and will need a `dch -r`.
From a somewhat quick glance it looks reasonable. I also tested this on a
trixie GNOME laptop (together with the gnome-shell/mutter proposed updates) and
it works well.
Cheers,
Emilio
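Added illustration of the bug class the quoted report describes (an output-buffer size computed in 32-bit signed int space that wraps for gigabyte-scale attacker-controlled input, next to the same calculation done in unsigned size_t with the bound checked before multiplying). This is example code written for this page; it is not GLib's code, not the patches in the attached debdiff, and the functions escaped_size_int32, escaped_size_safe, escaped_size_or_zero, percent_escape and escapes_to are names chosen here. The URI-escaping case is used because its worst-case expansion (every byte to "%XX", a factor of 3) makes the arithmetic easy to follow; the actual expansion factors and thresholds inside GLib are not stated on this page.

```c
/* Added example (not GLib's code, not the report's patches): a size
 * calculation that wraps in 32-bit int space next to the size_t version
 * with an explicit overflow check. All names below are ours. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Worst case for percent-encoding: every input byte becomes "%XX". */
#define ESCAPE_EXPANSION 3u

/* The fragile pattern: lengths held in 32-bit int. The product is formed in
 * uint64_t and then truncated, which reproduces the wrapped value a 32-bit
 * signed computation yields on common compilers without relying on
 * undefined signed overflow in this illustration itself. */
int32_t escaped_size_int32(size_t input_len)
{
    uint64_t full = (uint64_t)input_len * ESCAPE_EXPANSION + 1u;
    return (int32_t)(uint32_t)full;   /* 1 GiB in -> negative; ~1.33 GiB in -> 3 */
}

/* The hardened pattern: size_t throughout, and the multiplication is
 * bounds-checked before it happens instead of inspected after it wrapped. */
bool escaped_size_safe(size_t input_len, size_t *out)
{
    if (input_len > (SIZE_MAX - 1u) / ESCAPE_EXPANSION)
        return false;                 /* escaped form would not fit in size_t */
    *out = input_len * ESCAPE_EXPANSION + 1u;
    return true;
}

/* Single-return-value convenience: 0 means the size would overflow. */
size_t escaped_size_or_zero(size_t input_len)
{
    size_t n;
    return escaped_size_safe(input_len, &n) ? n : 0;
}

static bool is_unreserved(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '.' ||
           c == '_' || c == '~';
}

/* Percent-escape `len` bytes of `in` (RFC 3986 unreserved set kept as-is)
 * into a freshly allocated NUL-terminated buffer sized with the checked
 * calculation. Returns NULL on overflow or allocation failure, so a wrapped
 * size can never turn into an undersized buffer followed by a long write. */
char *percent_escape(const unsigned char *in, size_t len)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t cap, i, j = 0;
    char *out;

    if (!escaped_size_safe(len, &cap))
        return NULL;
    out = malloc(cap);
    if (out == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        if (is_unreserved(in[i])) {
            out[j++] = (char)in[i];
        } else {
            out[j++] = '%';
            out[j++] = hex[in[i] >> 4];
            out[j++] = hex[in[i] & 0x0f];
        }
    }
    out[j] = '\0';
    return out;
}

/* Escape a NUL-terminated string and compare with an expected result. */
bool escapes_to(const char *in, const char *expected)
{
    char *e = percent_escape((const unsigned char *)in, strlen(in));
    bool ok = e != NULL && strcmp(e, expected) == 0;
    free(e);
    return ok;
}

int main(void)
{
    const unsigned char sample[] = "a b/c";   /* constructed sample input */
    char *escaped = percent_escape(sample, sizeof sample - 1);

    printf("%s\n", escaped);
    printf("int32 size for 1 GiB input: %d\n", escaped_size_int32((size_t)1 << 30));
    printf("int32 size for 1431655766-byte input: %d\n", escaped_size_int32(1431655766u));
    printf("size_t size for 1 GiB input: %zu\n", escaped_size_or_zero((size_t)1 << 30));
    free(escaped);
    return 0;
}
```

The second escaped_size_int32 call is the dangerous case: the wrapped size is a small positive number, so a caller would allocate a few bytes and then write gigabytes into them, which is the "possibly arbitrary code execution" outcome the report mentions; the 1 GiB case wraps to a negative value, which typically becomes an allocation failure and a denial of service. The size_t version refuses the input instead of guessing, and the report's note that unit-testing the real fixes needs hundreds of MiB of junk applies here too: the wrapping only appears once the input length is itself in the gigabyte range, which is why this example passes lengths rather than real buffers.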