Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:glib2.0
User: [email protected]
Usertags: pu
[ Reason ]
Following #1122373, this addresses a few no-dsa CVEs for glib/bookworm.

[ Impact ]
There's potential for code execution with maliciously crafted data,
although the integer overflows require very large input data to be
triggered, making the exploitation harder.

[ Tests ]
Ran the test suite, autopkgtests for all rdeps (thanks debusine), and
manual tests on a full VM.

[ Risks ]
The patches are small and the code base is similar enough, so the risk
should be low. There are no unit tests, though, due to the data size
requirements.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* CVE-2025-13601: integer overflow into heap buffer overflow escaping
  very large strings in g_escape_uri_string (Closes: #1121488).
* CVE-2025-14087: buffer overwrite when processing large GVariant
  strings (Closes: #1122347).
* CVE-2025-14512: integer overflow into buffer overwrite when processing
  file attributes in GIO's escape_byte_string (Closes: #1122346).

I have already uploaded the package to oldstable-new.

Cheers,
Emilio
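The bug class behind the three CVEs in the [ Changes ] list (an escape routine whose output-length arithmetic overflows, so a too-small heap buffer is allocated and the copy that follows runs past it), shown as an added example. This is not part of the bug report and is not GLib's g_escape_uri_string or escape_byte_string; it does not reproduce the CVEs. The percent-escape rule, the 32-bit counter in the vulnerable variant and every function name are assumptions made for the illustration. Byte counts are passed in directly so the wrap can be shown without building a multi-gigabyte input, which is also why the report notes that the real bugs need very large input data to trigger.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative code only: not GLib's g_escape_uri_string or escape_byte_string,
 * and it does not reproduce the CVEs above. It shows the bug class the
 * [ Changes ] list names: an escape routine whose output-length arithmetic wraps,
 * so a too-small buffer is allocated and the copy loop writes past it. The
 * escape rule and every name below are assumptions made for this example. */

/* Assumed rule: bytes outside printable ASCII, and '%' itself, become "%XX". */
static bool needs_escape(unsigned char c)
{
    return c < 0x21 || c > 0x7e || c == '%';
}

/* Vulnerable pattern: output size accumulated in a 32-bit counter. Past about
 * 1.43 G escapable bytes, 3 * n wraps, malloc() gets a tiny size and the copy
 * overruns the heap block. Byte counts are passed in directly so the wrap can
 * be shown without building a multi-gigabyte input. */
unsigned int unsafe_escaped_size(size_t n_plain, size_t n_escaped)
{
    unsigned int size = 0;
    size += (unsigned int) n_plain;
    size += (unsigned int) (n_escaped * 3);  /* high bits silently discarded */
    size += 1;                               /* terminating NUL */
    return size;
}

/* Hardened pattern: size_t arithmetic guarded before each step. Returns false
 * instead of a wrapped size; the caller must treat that as an error. */
bool safe_escaped_size(size_t n_plain, size_t n_escaped, size_t *out)
{
    if (n_escaped > SIZE_MAX / 3)
        return false;
    size_t escaped_bytes = n_escaped * 3;
    if (n_plain > SIZE_MAX - escaped_bytes)
        return false;
    size_t total = n_plain + escaped_bytes;
    if (total == SIZE_MAX)                   /* no room left for the NUL */
        return false;
    *out = total + 1;
    return true;
}

/* True when the checked computation refuses the size. */
bool escaped_size_overflows(size_t n_plain, size_t n_escaped)
{
    size_t unused;
    return !safe_escaped_size(n_plain, n_escaped, &unused);
}

/* Escape `len` bytes of `src` using the checked size. Returns a malloc()ed
 * NUL-terminated string, or NULL when the size would overflow or malloc fails. */
char *escape_bytes(const unsigned char *src, size_t len)
{
    size_t n_escaped = 0;
    for (size_t i = 0; i < len; i++)
        if (needs_escape(src[i]))
            n_escaped++;

    size_t size;
    if (!safe_escaped_size(len - n_escaped, n_escaped, &size))
        return NULL;
    char *dst = malloc(size);
    if (dst == NULL)
        return NULL;

    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = src[i];
        if (needs_escape(c)) {
            dst[o++] = '%';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0x0f];
        } else {
            dst[o++] = (char) c;
        }
    }
    dst[o] = '\0';                           /* o == size - 1 by construction */
    return dst;
}

/* Convenience for the tests: escape a C string and compare with `expected`. */
bool escapes_to(const char *in, const char *expected)
{
    char *got = escape_bytes((const unsigned char *) in, strlen(in));
    bool ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}
```

With 1431655766 escapable bytes the vulnerable computation yields 3 * 1431655766 = 4294967298, which is 2 modulo 2^32, so malloc() would be asked for 3 bytes instead of roughly 4 GiB; the checked variant refuses any count above SIZE_MAX / 3 and any total that leaves no room for the terminator. The same guard-before-multiply shape applies to any "N bytes in, up to k*N bytes out" transformation, which is the pattern shared by URI escaping, GVariant string handling and GIO attribute escaping as described in the changelog entries above.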

