On Wed, 30 Oct 2019 at 15:45:19 +0100, Gunnar Hjalmarsson wrote:
> Seeing that you included quite a few patches in this update, I have a
> question as regards the stable releases. Are the commits included in
> <https://gitlab.gnome.org/GNOME/glib/merge_requests/1176> a standalone set
> of commits which would be sufficient for patching the stable releases in
> order to fix the IBus/Qt issue? I'm asking with my Ubuntu glasses on at
> first hand (in Ubuntu 16.04 we have glib2.0 2.48...), but the question does
> reasonably apply to Debian too.
I was hoping to let glib2.0 get some testing in unstable before
backporting anything. A build of GLib with amd64, i386, build-time
tests, autopkgtest and piuparts takes about an hour, and I have to do
my actual job as well, so I can't iterate on this particularly rapidly.

How do the security team want to handle this - as a stable update, or
as a DSA? It isn't a security fix in its own right, but it fixes what
is effectively a regression triggered by fixing CVE-2019-14822 in ibus
(#940267, DSA-4525-1).

The functionally important patches for this particular bug are:

* d/p/credentials-Invalid-Linux-struct-ucred-means-no-informati.patch
* d/p/GDBus-prefer-getsockopt-style-credentials-passing-APIs.patch

The first of those might need minor adjustment to apply in the absence
of d/p/gcredentialsprivate-Document-the-various-private-macros.patch,
or we could just apply that one too - it only adds documentation.

The test in d/p/Add-a-test-for-GDBusServer-authentication.patch would
be reassuring to have, but it is known to fail on non-Linux kernels
(a fix is pending review upstream and included in the 2.62.2-2 Debian
package), and might depend on other, less critical GDBus fixes. For
what it's worth, upstream didn't include it in the initial backport of
!1176 to the 2.62.x branch.

    smcv
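The two patch names above describe how a Unix-socket server obtains its peer's credentials: ask the kernel via getsockopt(SO_PEERCRED) rather than relying on in-band credential passing, and treat an "invalid" struct ucred as no information. The following is an added example written for this page, not GLib's code and not the content of either patch. It assumes Linux (SO_PEERCRED and struct ucred), assumes that the kernel signals "no credentials recorded" with the triple pid 0 / uid -1 / gid -1, and uses its own function names and a socketpair() self-check, all of which are this example's assumptions.

```c
#define _GNU_SOURCE          /* struct ucred needs this on glibc */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of a peer-credentials query (names are this example's own). */
enum peer_cred_status {
    PEER_CRED_OK,          /* pid/uid/gid describe the peer */
    PEER_CRED_UNAVAILABLE, /* kernel returned the "no information" triple */
    PEER_CRED_ERROR        /* getsockopt() failed; errno is set */
};

/* Assumption of this example: Linux reports "no credentials recorded"
 * (e.g. peer in a different pid namespace) as pid 0, uid -1, gid -1.
 * Such a triple must be treated as unknown, never as a real identity. */
static bool is_no_info_triple(pid_t pid, uid_t uid, gid_t gid)
{
    return pid == 0 && uid == (uid_t)-1 && gid == (gid_t)-1;
}

/* getsockopt(SO_PEERCRED)-style lookup: the kernel captured the peer's
 * credentials at connect()/socketpair() time; nothing is sent in-band. */
static enum peer_cred_status get_peer_credentials(int fd, struct ucred *out)
{
    struct ucred c;
    socklen_t len = sizeof c;

    memset(&c, 0, sizeof c);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &c, &len) != 0)
        return PEER_CRED_ERROR;
    if (len != sizeof c) {         /* truncated answer: do not trust it */
        errno = EINVAL;
        return PEER_CRED_ERROR;
    }
    if (is_no_info_triple(c.pid, c.uid, c.gid))
        return PEER_CRED_UNAVAILABLE;
    *out = c;
    return PEER_CRED_OK;
}

/* Fail-closed authorisation check of the kind a D-Bus-style server makes:
 * allow only when credentials are known and the peer uid matches ours. */
static bool peer_is_same_user(int fd)
{
    struct ucred c;

    if (get_peer_credentials(fd, &c) != PEER_CRED_OK)
        return false;
    return c.uid == geteuid();
}

/* Self-check on a socketpair: both ends belong to this process, so the
 * reported peer must be our own pid/euid/egid. Returns 1 on success. */
static int demo_socketpair(void)
{
    int sv[2];
    struct ucred c;
    int ok;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    ok = get_peer_credentials(sv[0], &c) == PEER_CRED_OK
         && c.pid == getpid() && c.uid == geteuid() && c.gid == getegid()
         && peer_is_same_user(sv[1]);
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    if (demo_socketpair()) {
        puts("peer credentials via SO_PEERCRED: ok");
        return 0;
    }
    perror("SO_PEERCRED demo failed");
    return 1;
}
```

The point of the three-way status is that "unavailable" and "error" both fall closed: a server that compared an all-minus-one ucred against a real uid, or that accepted whatever a client claimed in-band, would be making an authorisation decision on data the kernel never vouched for.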