XPost: linux.debian.maint.boot, linux.debian.devel.release
Control: retitle -1 unblock: glib2.0/2.84.2-1
Control: tags -1 - confirmed
On Fri, 09 May 2025 at 11:08:26 +0100, Simon McVittie wrote:
[ Reason ]
CVE-2025-4373 (#1104930).
I also took the opportunity to catch up with the upstream glib-2-84
branch by adding one unrelated bugfix commit (a 1-line change).
Since then we've had a new upstream release, which I uploaded, in the
interests of having a simpler diff and a simpler "what version is this?"
story.
[ Reason ]
CVE-2025-4373 (#1104930) and other upstream bug fixes.
[ Impact ]
Fixes an out-of-bounds write if an attacker can somehow arrange for GLib
to be acting on overwhelmingly large strings (half the address space in
a single GString object, so 2GB for 32-bit processes).
Avoids potential negative string offsets in g_get_locale_variants()
if the input is syntactically invalid (possibly found by fuzz-testing,
might be claimed to be a security vulnerability if someone is parsing
untrusted locale names for whatever reason).
Ensures that localtime_r() is not called without first calling tzset(),
which has unspecified behaviour.
Makes it easier to take subsequent upstream stable releases, which can
contain security fixes.
[ Tests ]
autopkgtests pass and my GNOME laptop continues to work well.
GLib has a quite thorough test suite in general, but CVE-2025-4373 is
not covered by it, because exploiting the bug requires a huge memory
allocation that will, in practice, usually fail.
[ Risks ]
Low-risk targeted changes.
The changes to glib/tests/utils.c are a bit noisy (changing some
assertions around) but are purely test code, no impact on normal users
(and the tests still pass). The additions in fuzzing/ are, again, a bit
noisy, but I don't think we even compile that part; it certainly doesn't
have any impact on end-user systems.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
(filtered to exclude CI noise and the contents of deleted patches)
[ Other info ]
Needs a d-i ack due to the GTK-based graphical installer.
debdiff glib2.0*.dsc | filterdiff -p1 -x.gitlab-ci.yml -x'debian/patches/*'
-----
diffstat for glib2.0-2.84.1 glib2.0-2.84.2
.gitlab-ci.yml | 30 -
NEWS | 16
debian/changelog | 45 ++
debian/patches/gclosure-fix-ATOMIC_CHANGE_FIELD-to-read-vint-atomically.patch | 55 ---
debian/patches/gfileutils-Preserve-mode-during-atomic-updates.patch | 4
debian/patches/series | 1
debian/tests/manual/.gitignore | 1
fuzzing/fuzz_get_locale_variants.c | 45 ++
fuzzing/meson.build | 1
gio/glocalfile.c | 11
girepository/girepository.c | 3
girepository/tests/repository-search-paths.c | 2
glib/gcharset.c | 6
glib/gdate.c | 1
glib/gstring.c | 36 +-
glib/tests/utils.c | 168 +++++-----
meson.build | 2
17 files changed, 249 insertions(+), 178 deletions(-)
diff -Nru glib2.0-2.84.1/debian/changelog glib2.0-2.84.2/debian/changelog
--- glib2.0-2.84.1/debian/changelog 2025-04-24 20:26:06.000000000 +0100
+++ glib2.0-2.84.2/debian/changelog 2025-05-22 17:25:42.000000000 +0100
@@ -1,3 +1,48 @@
+glib2.0 (2.84.2-1) unstable; urgency=medium
+
+ * New upstream stable release
+ - Avoid potential negative string offsets in g_get_locale_variants()
+ if the input is syntactically invalid; add test and fuzzing coverage
+ (glib#3405 upstream)
+ - Minor improvements in tests (no effect on library)
+ - Don't use faccess() with flags on Android (no effect on Debian)
+ - Windows adjustments in girepository (no effect on Debian packages)
+ - CI updates (no effect on Debian packages)
+ - Other changes were already included in 2.84.1-3
+ * d/p/gclosure-fix-ATOMIC_CHANGE_FIELD-to-read-vint-atomically.patch,
+ d/p/gstring-carefully-handle-gssize-parameters.patch,
+ d/p/gstring-Make-len_unsigned-unsigned.patch,
+ d/p/gdate-Call-tzset-before-localtime_r.patch:
+ Drop patches from 2.84.1-2 and 2.84.1-3