Fixing glib2.0 CVE-2024-34397 in buster

Simon McVittie smcv at debian.org
Mon May 13 19:51:13 BST 2024


On Mon, 13 May 2024 at 20:00:16 +0200, Markus Koschany wrote:
> On Friday, 10.05.2024 at 16:02 +0100, Simon McVittie wrote:
> > [...]
> > 
> > I would recommend testing:
> > 
> > * build-time tests
> 
> All tests pass except for
> 
> 165/258 glib:gio / live-g-file                  FAIL     0.07 s (killed by
> signal 6 SIGABRT)
> 
> when I build the package with sbuild in a clean chroot on my laptop. This is
> reproducible on my system. However, building glib2.0 inside a normal schroot
> environment works for me. Since it is unrelated to the fix, I assume this is
> some sort of flaky test and it does not fail on the official buildd servers?

Honestly, buster was sufficiently long ago that I don't remember. You
are right to think this is not GDBus-adjacent code, so it's unlikely to
be a regression triggered by this update.

For what it's worth, it worked OK in my test-build (which was done in a
bookworm VM, with bookworm's kernel, sbuild and schroot, in a buster
chroot as produced by sbuild-createchroot on bookworm).

If you're running with CAP_DAC_OVERRIDE for whatever reason, then I
think the version of this particular test in buster is expected to fail
(I fixed that upstream in 2022).

Beyond that, I'd need to see the test's output to be able to know anything
about this failure. It probably isn't worth spending much (if any) time
investigating this unless it fails repeatably on the production buildds.

> I have tested the update on a real system with a German keyboard layout and
> screen recording, umlauts, dead keys work as expected.

Great, that sounds like all the known regressions have been avoided.

> Do you want to upload the security update to buster-security yourself or do you
> want me to take care of it?

Please upload when you are happy with it, and push the debian/buster branch
to https://salsa.debian.org/gnome-team/glib if you can (or if you can't,
I can fetch it from https://salsa.debian.org/lts-team/packages/glib).

    smcv
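
One way to check the CAP_DAC_OVERRIDE condition mentioned above from inside the build environment, as an added example that is not part of the original message. The function names `cap_mask` and `has_dac_override` are hypothetical; the check decodes the `CapEff` mask in `/proc/<pid>/status`, where CAP_DAC_OVERRIDE is capability number 1.

```shell
#!/bin/sh
# Added example: report whether a process holds CAP_DAC_OVERRIDE in its
# effective capability set. Function names are hypothetical.

# CAP_DAC_OVERRIDE is capability number 1 in <linux/capability.h>.
CAP_DAC_OVERRIDE_BIT=1

# cap_mask FILE FIELD: print the hex mask of one Cap* field (e.g. CapEff)
# from a /proc/<pid>/status style file.
cap_mask() {
    awk -v f="$2:" '$1 == f { print $2 }' "$1"
}

# has_dac_override [FILE]: return 0 if the effective set contains
# CAP_DAC_OVERRIDE, 1 if it does not, 2 if no CapEff line was found.
# FILE defaults to the status of the calling shell.
has_dac_override() {
    status_file=${1:-/proc/$$/status}
    mask=$(cap_mask "$status_file" CapEff)
    [ -n "$mask" ] || return 2
    [ $(( (0x$mask >> CAP_DAC_OVERRIDE_BIT) & 1 )) -eq 1 ]
}

# Report for the current shell, e.g. when run inside the sbuild chroot.
if has_dac_override; then
    echo "CAP_DAC_OVERRIDE is in the effective set"
else
    echo "CAP_DAC_OVERRIDE is not in the effective set (or CapEff is unavailable)"
fi
```

Running it once inside the sbuild chroot and once inside the plain schroot session shows whether the two environments differ in this capability.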


