Bug#1121488: glib#3827, CVE-2025-13601: integer overflow escaping large strings for inclusion in URIs
Simon McVittie
smcv at debian.org
Wed Dec 10 12:04:29 GMT 2025
Control: retitle -1 glib#3827, CVE-2025-13601: integer overflow escaping large strings for inclusion in URIs
Control: found -1 2.0.0-1
On Thu, 27 Nov 2025 at 11:51:38 +0100, Salvatore Bonaccorso wrote:
> CVE-2025-13601[0]:
> | A heap-based buffer overflow problem was found in glib through an
> | incorrect calculation of buffer size in the g_escape_uri_string()
> | function. If the string to escape contains a very large number of
> | unacceptable characters (which would need escaping), the calculation
> | of the length of the escaped string could overflow, leading to a
> | potential write off the end of the newly allocated string.
"Very large" here means the unescaped string we're interpolating into a
URI is at least half a gigabyte, resulting in more than 2 GiB of escaped
text. Interpolating hundreds of MiB of attacker-controlled text into a
URI seems unwise at best, and highly inefficient.
Do I assume correctly that the security team considers this to be
trixie-pu material rather than deserving a DSA or an urgent fix?
I think it would make sense to backport all the arguably-security-fixes
from GLib 2.86.3 to older suites as a batch, rather than individually. I
don't think any of them are urgent.
The only change in 2.86.3 that is not of the form "fix an integer
overflow when handling inadvisably large inputs" is a Windows-specific
bug fix in gio/win32/ which doesn't affect any Debian architecture.
smcv
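The bug class described in the quoted advisory, as an added illustration that is not GLib's code and not part of this mail: every byte that needs percent-escaping grows to three bytes, so the escaped length is roughly `plain + 3 * escapable + 1`. If that sum is accumulated in a 32-bit integer it wraps once the escaped text would exceed 4 GiB (2 GiB for a signed accumulator), the allocation is then far too small, and the subsequent copy writes past it. The hardened variant computes the size in `size_t` with explicit pre-checks and refuses the input instead of wrapping. All function names, the unreserved-character set and the sample inputs are assumptions constructed for this example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes this toy leaves unescaped: the RFC 3986 unreserved set. Any other
 * byte becomes "%XX", i.e. three output bytes for one input byte. */
static bool is_unreserved(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '.' ||
           c == '_' || c == '~';
}

static size_t count_escapable(const char *s, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (!is_unreserved((unsigned char) s[i]))
            n++;
    return n;
}

/* The bug class: unchecked 32-bit arithmetic. Returns the wrapped value, so a
 * caller that allocates this many bytes and then writes the full escaped
 * string overruns the heap buffer. (Hypothetical, not GLib's code.) */
static uint32_t escaped_size_unchecked(uint32_t n_plain, uint32_t n_escapable)
{
    return n_plain + 3u * n_escapable + 1u;
}

/* Hardened: size_t arithmetic with overflow tested before it can happen.
 * Returns 0 (never a valid size, since the NUL alone needs one byte) when the
 * escaped size cannot be represented. */
static size_t escaped_size_checked(size_t n_plain, size_t n_escapable)
{
    if (n_escapable > (SIZE_MAX - 1) / 3)
        return 0;
    size_t escaped = 3 * n_escapable;        /* cannot wrap after the check above */
    if (n_plain > SIZE_MAX - 1 - escaped)
        return 0;
    return n_plain + escaped + 1;
}

/* Escape into a freshly allocated buffer; NULL if the size computation would
 * overflow or malloc fails. The caller frees the result. */
static char *escape_checked(const char *s, size_t len)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n_esc = count_escapable(s, len);
    size_t size = escaped_size_checked(len - n_esc, n_esc);
    if (size == 0)
        return NULL;
    char *out = malloc(size);
    if (out == NULL)
        return NULL;
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char) s[i];
        if (is_unreserved(c)) {
            *p++ = (char) c;
        } else {
            *p++ = '%';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0F];
        }
    }
    *p = '\0';
    return out;
}

/* Convenience check used by the demo: does escaping `in` yield `expected`? */
static int escape_matches(const char *in, const char *expected)
{
    char *e = escape_checked(in, strlen(in));
    int ok = (e != NULL) && strcmp(e, expected) == 0;
    free(e);
    return ok;
}

int main(void)
{
    /* Constructed count: 1431655766 escapable bytes need just over 4 GiB of
     * output, which a 32-bit accumulator reports as 3 bytes. */
    printf("unchecked 32-bit size: %" PRIu32 "\n", escaped_size_unchecked(0, 1431655766u));
    printf("checked size, 5 plain + 2 escapable: %zu\n", escaped_size_checked(5, 2));
    printf("checked size, absurd input: %zu (0 = refused)\n", escaped_size_checked(0, SIZE_MAX / 2));
    char *e = escape_checked("a b/c", 5);
    printf("escaped: %s\n", e != NULL ? e : "(null)");
    free(e);
    return 0;
}
```

The point of the checked variant is that the refusal happens before any allocation: a caller sees NULL for an input that could never be escaped safely, rather than a short buffer followed by a heap write past its end.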