Bug#1111600: bookworm-pu: package glib2.0/2.74.6-2+deb12u7
Simon McVittie
smcv at debian.org
Tue Aug 19 23:14:35 BST 2025
Package: release.debian.org
Severity: normal
Tags: bookworm d-i
X-Debbugs-Cc: glib2.0 at packages.debian.org, debian-boot at lists.debian.org
Control: affects -1 + src:glib2.0
Control: block -1 by 1111470
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
Avoid triggering #1065022, #1110696 in upgrades from bookworm to trixie.
Fix no-dsa CVEs #1104930, #1110640.
[ Impact ]
#1065022, #1110696 are upgrade issues: when bookworm's libglib2.0-0 is
purged, its postrm deletes files that trixie's replacement
libglib2.0-0t64 still needs. The impact is most GLib/GTK apps crashing
out with a fatal error, until libglib2.0-0t64 is dpkg-reconfigure'd or
reinstalled. We already work around #1065022 on the trixie side, and I'm
proposing a similar workaround for #1110696 in trixie-pu bug #1111470,
but it would be better if bookworm's libglib2.0-0.postrm was safer as
well.
In particular, old versions of the postrm can hang around indefinitely
due to the existence of the removed-but-not-purged state, so it would be
good if we can make an attempt to fix this retroactively.
The two CVEs are unlikely to be exploitable in practice, but the
worst-case-scenario impact if we turn out to be wrong about that is
arbitrary code execution.
[ Tests ]
In general: autopkgtests are relatively extensive and all pass, except
for memory-monitor-dbus which does not always pass but is already
flagged as flaky (there are some known race conditions in that one,
fixed upstream in a later version but not a high priority to backport).
A GNOME laptop still works normally with the proposed version.
I tested #1065022, #1110696 with the manual test script
debian/tests/manual/1065022.sh, as included in the trixie package
proposed in #1111470:
- put proposed bookworm packages (only) in /path/to/proposed/debs
(both amd64 and i386 are required)
- run "dpkg-scanpackages --multiversion . > Packages" in that directory
- podman run --rm -it \
-v /path/to/glib:/mnt/glib:ro -w /mnt/glib \
-v /path/to/proposed/debs:/mnt/bookworm:ro \
debian:bookworm-slim debian/tests/manual/1065022.sh
- then repeat, adding argument "1110696"
- exit status should be 0 in both cases, stderr ends with "+ exit 0"
and these pass, even without updating the packages in trixie.
The new autopkgtest debian/patches/1065022-futureproofing also passes
(tested in autopkgtest-virt-qemu and autopkgtest-virt-lxc on amd64).
The CVEs have no specific test coverage.
[ Risks ]
It's a key package in all desktop environments.
The upstream changes are narrowly-targeted and only fix specific bugs.
The downstream changes are not strictly minimal: I structured them to be
as easy as possible to review, even if that means a few more lines of
code. The only differences between the proposed
debian/libglib2.0-0.postrm.in, and the debian/libglib2.0-0t64.postrm
in unstable (and proposed for trixie) are:
- unstable uses debhelper's #DEB_HOST_MULTIARCH# substitution, but to
minimize regression risk this proposed bookworm update is still doing
its own substitution of #MULTIARCH# using sed;
- some differences in comments to reflect the older package name
Unlike the trixie package, the bookworm package does not need to go
behind debhelper's back to fix up older packages, so the changes are
simpler here.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
All changes in debian/patches/ (and glib/) are upstream commits
to fix the two CVEs. They cherry-picked cleanly from 2.84.x.
debian/patches/glib-gfileutils.c-use-64-bits-for-value-in-get_tmp_file.patch
was a past bug fix related to what was later reported as CVE-2025-7039.
Cherry-picking it allows the fix for the CVE,
debian/patches/gfileutils-fix-computation-of-temporary-file-name.patch,
to apply cleanly.
debian/patches/gstring-carefully-handle-gssize-parameters.patch was the
original attempt to fix CVE-2025-4373, but had an important omission,
fixed by debian/patches/gstring-Make-len_unsigned-unsigned.patch.
All other changes are for #1065022/#1110696.
debian/patches/1065022-futureproofing is an automated test for this,
backported from unstable; it's marked as flaky as a precaution because
it relies on implementation details and might regress in future, but in
practice it does pass.
[ Other info ]
This will need a d-i ack for the udeb, used in the graphical installer.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: glib2.0_2.74.6-2+deb12u7.diff
Type: text/x-diff
Size: 25859 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20250819/ad7d9e93/attachment-0001.diff>
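The postrm problem the report describes (the old package's purge step deleting generated files that the renamed successor package still needs) is easiest to see with the two shapes side by side. The sketch below is an added illustration, not the glib2.0 package's own postrm (that is in the attached debdiff, not on this page): the cache file names, the dpkg-query check on libglib2.0-0t64 and the sed rendering of #MULTIARCH# are assumptions made for the example, and the status "doubles" and the throwaway directory are constructed so it runs outside a Debian system.

```shell
#!/bin/sh
# Added illustration, not the glib2.0 package's own postrm: the guard a
# maintainer script needs so that purging a superseded package
# (libglib2.0-0) does not delete generated files its renamed successor
# (libglib2.0-0t64) still relies on. File names below (giomodule.cache,
# gschemas.compiled) and the dpkg-query check are assumptions for the
# example; the status test doubles are constructed.
set -eu

# How the bookworm packaging renders its template: a plain sed
# substitution of #MULTIARCH# (args: template path, multiarch tuple).
render_postrm() {
    sed "s|#MULTIARCH#|$2|g" "$1"
}

# Status of the successor package as dpkg reports it, e.g.
# "install ok installed". Falls back to not-installed when dpkg-query is
# absent so the script still runs on a non-Debian host.
successor_status() {
    dpkg-query -W -f='${Status}' libglib2.0-0t64 2>/dev/null \
        || printf 'unknown ok not-installed\n'
}

# Constructed doubles for successor_status, used by the demo below.
status_installed()     { printf 'install ok installed\n'; }
status_not_installed() { printf 'unknown ok not-installed\n'; }

# The unsafe shape: on purge, delete the generated caches unconditionally.
# After a bookworm->trixie upgrade the successor still needs them, so
# applications fail until the successor is reconfigured or reinstalled.
purge_caches_unsafe() {
    rm -f "$1/giomodule.cache" "$1/gschemas.compiled"
}

# The safer shape: ask dpkg whether the successor owns this cache now and,
# if so, leave the files alone. Args: cache dir, status command.
purge_caches_safe() {
    dir=$1
    status=$("$2")
    case "$status" in
        "install ok installed")
            echo "successor installed; keeping caches in $dir" >&2
            return 0 ;;
    esac
    rm -f "$dir/giomodule.cache" "$dir/gschemas.compiled"
    rmdir "$dir" 2>/dev/null || true
}

# Demo helper: (re)create a cache dir holding two dummy files.
make_caches() {
    mkdir -p "$1"
    : > "$1/giomodule.cache"
    : > "$1/gschemas.compiled"
}

# Returns 0 if both cache files still exist under $1.
caches_present() {
    [ -f "$1/giomodule.cache" ] && [ -f "$1/gschemas.compiled" ]
}

# Demo on a throwaway directory (constructed input).
demo_dir=$(mktemp -d)
make_caches "$demo_dir/cache"
purge_caches_unsafe "$demo_dir/cache"
caches_present "$demo_dir/cache" || echo "unsafe purge: caches gone"
make_caches "$demo_dir/cache"
purge_caches_safe "$demo_dir/cache" status_installed
caches_present "$demo_dir/cache" && echo "safe purge, successor installed: caches kept"
purge_caches_safe "$demo_dir/cache" status_not_installed
caches_present "$demo_dir/cache" || echo "safe purge, no successor: caches gone"
rm -rf "$demo_dir"
```

On a real system the second argument to purge_caches_safe would be successor_status; the doubles exist only so the behaviour in both states can be exercised without dpkg. The point the report makes about removed-but-not-purged packages still applies: a guard like this only helps once the package carrying the safer postrm has been installed, so the old postrm on already-upgraded systems is out of reach of this change.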