Bug#924344: glib2.0: CVE-2019-9633

Salvatore Bonaccorso carnil at debian.org
Wed Apr 3 13:34:52 BST 2019


Control: notfound -1 2.58.3-1

Hi Philip, hi Simon,

On Wed, Apr 03, 2019 at 01:18:36PM +0100, Philip Withnall wrote:
> On Wed, 2019-04-03 at 13:00 +0100, Simon McVittie wrote:
> > On Fri, 29 Mar 2019 at 20:13:17 +0100, Moritz Mühlenhoff wrote:
> > > On Mon, Mar 11, 2019 at 09:32:02PM +0100, Salvatore Bonaccorso wrote:
> > > > Version: 2.58.3-1
> > 
> > Do we know for sure that 2.58.x is vulnerable? I've tried the reproducer
> > from the upstream bug and didn't see criticals or a crash.
> > 
> > > > Forwarded: https://gitlab.gnome.org/GNOME/glib/issues/1649
> > 
> > This bug says "Another likely regression from Happy Eyeballs". GLib's
> > implementation of RFC 8305 "Happy Eyeballs" is a new feature (or new
> > optimization, depending how you look at it) in 2.59.x/2.60.x.
> 
> Yeah, this bug should be present in 2.59.x where (x < 2). It was fixed
> by commit d553d92d6e9f53cbe5a34166fcb919ba652c6a8e, which is present in
> 2.59.2 onwards. The bug was not present in 2.58.x.
> 
> I’ve left a comment about it here:
> https://gitlab.gnome.org/GNOME/glib/issues/1649#note_481826

Thanks for the update. Then this means that the initial triage
information from myself was just wrong. I have updated the tracker
according to your update now.

Thanks to you both for your work,

Salvatore


