Bug#1110640: glib2.0: CVE-2025-7039: buffer underrun in get_tmp_file()

Salvatore Bonaccorso carnil at debian.org
Sat Aug 9 14:47:49 BST 2025


Hi Simon,

On Sat, Aug 09, 2025 at 02:07:24PM +0100, Simon McVittie wrote:
> Source: glib2.0
> Severity: important
> Tags: security pending fixed-upstream
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
> Forwarded: https://gitlab.gnome.org/GNOME/glib/-/issues/3716
> Control: fixed -1 2.84.4-1
> 
> glib2.0's implementation of tempnam()-like functionality, used in 
> g_mkstemp(), g_mkdtemp() and similar functions, has a buffer underrun 
> caused by a signed integer overflow if a program creates 2**31 or more 
> temporary files. If this happens, instead of the XXXXXX in the template 
> filename being replaced by alphanumeric characters from a read-only 
> array, they will be replaced by (some of) whatever 36 bytes happen to be 
> before that array in the library's .rodata segment.
> 
> The upstream bug reporter claims that this is a security vulnerability, 
> because the 36 bytes before the array could conceivably contain a slash, 
> and an attacker could make use of that to create a directory they 
> control and exploit from there. This seems like a tenuous claim to me, 
> and upstream is not treating this as particularly serious. I haven't 
> attempted to check whether any of our specific binary builds of GLib 
> happen to contain problematic data just before the alphabet.
> 
> A mitigation is that if a single run of a program creates fewer than 2 
> billion temporary files, the signed integer overflow won't occur, 
> resulting in the array underflow also not occurring.
> 
> Do I assume correctly that this is going to be no-dsa?

no-dsa sounds fine, thank you!

> I uploaded a fixed version to unstable, which I intend to rebuild as 
> 2.84.4-1~deb13u1 for 13.1. The version in experimental is unfixed, but 
> 2.85.3-1 will fix it.

I just added metadata for the security-tracker about this CVE (will
not appear immediately). But is it correct, the fix is then
https://gitlab.gnome.org/GNOME/glib/-/commit/61e963284889ddb4544e6f1d5261c16120f6fcc3
which is already fixed in 2.85.2 according to the upstream tags, or am
I missing something? Right now I have added:

+CVE-2025-7039 [buffer underrun in get_tmp_file()]
+       - glib2.0 2.84.4-1 (bug #1110640)
+       [trixie] - glib2.0 <no-dsa> (Minor issue)
+       [bookworm] - glib2.0 <no-dsa> (Minor issue)
+       NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/3716
+       NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4674
+       NOTE: Fixed by: https://gitlab.gnome.org/GNOME/glib/-/commit/61e963284889ddb4544e6f1d5261c16120f6fcc3 (2.85.2)

Regards,
Salvatore
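Added illustration of the mechanism Simon describes, not GLib's own code: a 32-bit signed counter that wraps after 2**31 increments yields a negative seed, and C's signed `%` then produces a negative index into the 36-character alphabet, i.e. a read before the array. The counter-plus-time seed, the six-way modulo split and the unsigned-arithmetic hardening are assumptions modelled on the report; the out-of-bounds read is detected and refused rather than performed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char letters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; /* 36 chars */
#define NLETTERS ((int64_t) (sizeof letters - 1))
/* Seed after a 32-bit signed counter has been bumped `increments` times. Signed
 * overflow is UB in C, so the wrap is modelled: 2**31 increments -> INT32_MIN. */
int64_t seed_after(uint32_t increments, int64_t time_part)
{
  int64_t counter = increments;
  if (counter > INT32_MAX)
    counter -= INT64_C(1) << 32;
  return time_part + counter;
}

/* Fill the six X's from `seed`. Unhardened: signed '%' keeps the dividend's sign
 * (-5 % 36 == -5), so a negative seed indexes *before* `letters`; that read is
 * refused and marked '?'. Hardened: unsigned arithmetic keeps indices in 0..35. */
bool fill_xxxxxx(int64_t seed, bool hardened, char out[7])
{
  bool in_bounds = true;
  int64_t sv = seed;
  uint64_t uv = (uint64_t) seed;
  for (int i = 0; i < 6; i++) {
    int64_t idx;
    if (hardened) { idx = (int64_t) (uv % (uint64_t) NLETTERS); uv /= (uint64_t) NLETTERS; }
    else          { idx = sv % NLETTERS;                        sv /= NLETTERS; }
    if (idx < 0 || idx >= NLETTERS) { out[i] = '?'; in_bounds = false; }
    else                            { out[i] = letters[idx]; }
  }
  out[6] = '\0';
  return in_bounds;
}
/* Helpers returning the filled string / its bounds status for one seed. */
const char *fill_str(int64_t seed, bool hardened)
{ static char buf[7]; fill_xxxxxx(seed, hardened, buf); return buf; }
bool fill_in_bounds(int64_t seed, bool hardened)
{ char buf[7]; return fill_xxxxxx(seed, hardened, buf); }

int main(void)
{
  char bad[7], good[7];
  int64_t seed = seed_after(UINT32_C(1) << 31, 0);  /* after 2**31 temp files */
  fill_xxxxxx(seed, false, bad);
  fill_xxxxxx(seed, true, good);
  printf("unhardened: %s\nhardened:   %s\n", bad, good);  /* '?' = refused OOB read */
  return 0;
}
```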