Bug#1122373: trixie-pu: package glib2.0/2.84.4-3~deb13u2

Simon McVittie smcv at debian.org
Wed Dec 10 14:13:34 GMT 2025


Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: glib2.0 at packages.debian.org
Control: affects -1 + src:glib2.0
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
Fix low-severity CVEs

[ Impact ]
If software parses inadvisably large amounts of attacker-controlled 
GVariant text format (≥ 1 GiB), or escapes inadvisably large 
attacker-controlled strings for inclusion in URIs (≥ 0.5 GiB), or loads 
inadvisably large attacker-controlled GIO file attributes (≥ 1 GiB), 
then an attacker could cause denial of service or possibly arbitrary 
code execution.

The security team agrees that these are "no-DSA" issues.

[ Tests ]
The test suite still passes. The fixes are not really feasible to 
unit-test since they require allocating (at least) hundreds of MiB of 
junk.

A GNOME desktop boots successfully in a virtual machine with the 
proposed GLib. I'll test on real hardware before uploading.

[ Risks ]
The patches were reviewed by upstream and are narrowly targeted, so I 
think this is fine.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
All changes fix potential integer overflows by making sure to do 
address calculations in unsigned size_t space, except for one patch that 
adds a fuzzing driver for one of the affected areas.

The attached diff is not finalized and will need a `dch -r`.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: glib.diff
Type: text/x-diff
Size: 31154 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20251210/29561def/attachment-0001.diff>
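As an added illustration (not part of this report, and not GLib's own code) of the arithmetic pattern the [Changes] section describes, the following shows an output-size calculation done in `int` beside the same calculation done in unsigned `size_t` with explicit overflow checks, applied to a simplified URI percent-escaper. It assumes an LP64 target (32-bit `int`, 64-bit `size_t`) and the gcc/clang `__builtin_*_overflow` builtins; all function names are illustrative, not GLib API, and the bound at which this toy's `int` version fails (about 682 MiB) is specific to it, not the 0.5 GiB / 1 GiB thresholds of the real code paths.

```c
/* Added illustration, not GLib's code: size computations done in int
 * versus in size_t with checked arithmetic, on a simplified URI
 * percent-escaper. Assumes an LP64 target (32-bit int, 64-bit size_t)
 * and the gcc/clang __builtin_*_overflow builtins. All function names
 * are illustrative, not GLib API. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Worst case for percent-escaping: each input byte becomes "%XX"
 * (3 bytes), plus the terminating NUL. */

/* int-based style: "len * 3 + 1" stops being meaningful once len
 * exceeds (INT_MAX - 1) / 3. Signed overflow is undefined behaviour,
 * so the bound has to be tested before the multiplication, not after;
 * returns -1 when the result would not fit in an int. */
int escaped_size_int(int len)
{
    if (len < 0 || len > (INT_MAX - 1) / 3)
        return -1;
    return len * 3 + 1;
}

/* size_t-based style: the same computation with explicit overflow
 * detection, so a huge input is rejected instead of producing a
 * too-small buffer that is then overrun. Returns 0 on overflow
 * (0 is never a valid result here because of the +1). */
size_t escaped_size_checked(size_t len)
{
    size_t n;
    if (__builtin_mul_overflow(len, (size_t)3, &n) ||
        __builtin_add_overflow(n, (size_t)1, &n))
        return 0;
    return n;
}

/* Escape everything except RFC 3986 unreserved characters; every
 * length and index stays in size_t. Returns NULL on overflow or
 * allocation failure; the caller frees the result. */
char *percent_escape(const unsigned char *in, size_t len)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t need = escaped_size_checked(len);
    if (need == 0)
        return NULL;
    char *out = malloc(need);
    if (out == NULL)
        return NULL;
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        bool unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                          (c >= '0' && c <= '9') || c == '-' || c == '.' ||
                          c == '_' || c == '~';
        if (unreserved) {
            *p++ = (char)c;
        } else {
            *p++ = '%';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0f];
        }
    }
    *p = '\0';
    return out;
}

/* Escape a NUL-terminated string and compare with the expected output. */
bool escapes_to(const char *in, const char *expected)
{
    char *s = percent_escape((const unsigned char *)in, strlen(in));
    bool ok = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int main(void)
{
    size_t gib = (size_t)1 << 30;   /* a 1 GiB input, length only */
    printf("int style, 1 GiB input:    %d\n", escaped_size_int((int)gib));
    printf("size_t style, 1 GiB input: %zu\n", escaped_size_checked(gib));
    printf("size_t style, SIZE_MAX/2:  %zu\n", escaped_size_checked(SIZE_MAX / 2));
    char *s = percent_escape((const unsigned char *)"a b/c", 5);
    printf("%s\n", s);
    free(s);
    return 0;
}
```

The point of the `size_t` version is not that it can represent 3 GiB (it can, on LP64) but that the failure mode on absurd input is a clean NULL rather than a short allocation followed by an out-of-bounds write; the sizes are never actually allocated in the checks, which is why they can be exercised without the hundreds of MiB the report's [Tests] section mentions.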