Fixing glib2.0 CVE-2024-34397 in buster
Sylvain Beucler
beuc at beuc.net
Sat May 11 17:34:55 BST 2024
Hello Simon,
Markus (apo) claimed the package yesterday after your message.
For clarity I'm CC:ing him here, and I added a note in data/dla-needed.txt.
https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/dla-needed.txt
Also, thanks for the testing procedure :)
Cheers!
Sylvain Beucler
Debian LTS Team
On 10/05/2024 17:02, Simon McVittie wrote:
> Please cc either me or the glib2.0 package's address on any replies that
> are relevant outside the LTS team: I am not subscribed to -lts.
>
> Normally I don't attempt to support any packages in the LTS distributions,
> but for glib2.0 I was the author of the original CVE fix and it turns
> out that I might need a buster-compatible version of it for my day job,
> so I've done a prototype backport to buster:
> https://salsa.debian.org/gnome-team/glib/-/merge_requests/39
> (git fetch https://salsa.debian.org/gnome-team/glib wip/cve-2024-34397/buster)
>
> This incorporates:
>
> * the original CVE fixes developed under embargo and released to bookworm
> and bullseye as DSA 5682-1, to unstable as 2.80.0-10, and to Ubuntu
> (the version used here is very similar to the one in bullseye, but with
> even more conflict resolution)
>
> * automated test coverage for the CVE fix, released in the same versions
> as above (again the version used here is very similar to the one in
> bullseye, with minor adjustments to avoid requiring newer APIs)
>
> * a fix for a serious regression in ibus introduced by the CVE fixes,
> released to bookworm and bullseye as DSA 5682-2, to unstable in 2.80.1-1,
> and to Ubuntu
>
> * a fix for a minor/rare memory leak introduced by a prerequisite patch
> backported as part of the CVE fixes (see #1070851), released to unstable
> in 2.80.2-1 but not yet fixed in bookworm/bullseye or Ubuntu; this seems
> low-risk, but can be dropped/reverted if it makes the LTS team unhappy
>
> Please could whoever handles this in the LTS team take over review/testing
> from this point, and let me know if there are any problems?
>
> In the newer suites, this update was accompanied by a fix for gnome-shell,
> in which screencasting/screen-recording would have regressed after fixing
> the vulnerability. In buster, my understanding is that this will not be
> necessary, because GNOME Shell 3.30.x is too old to have had the relevant
> bug; but I have not tested a full buster system.
>
> I would recommend testing:
>
> * build-time tests
>
> * autopkgtest
>
> * general use of GNOME
>
> * gnome-shell: whatever screen recording or screencasting functionality was
> present in buster, if any (I don't remember what was offered in 3.30.x)
>
> * ibus: Compose key, dead keys, and ideally non-Latin input
> (e.g. Japanese with mozc)
>
> Thanks,
> smcv