Bug#1104976: unblock (pre-approval): glib2.0/2.84.1-3

Simon McVittie smcv at debian.org
Mon May 12 10:20:03 BST 2025


On Fri, 09 May 2025 at 14:57:40 +0200, Sebastian Ramacher wrote:
>> [ Reason ]
>> CVE-2025-4373 (#1104930).
>>
>> I also took the opportunity to catch up with the upstream glib-2-84
>> branch by adding one unrelated bugfix commit (a 1-line change).
>>
>> [ Impact ]
>> Fixes an out-of-bounds write if an attacker can somehow arrange for GLib
>> to be acting on overwhelmingly large strings (half the address space in
>> a single GString object, so 2GB for 32-bit processes).
>>
>> Ensures that localtime_r() is not called without first calling tzset(),
>> which has unspecified behaviour.
>>
>> [ Tests ]
>> Not yet tested. I will run autopkgtests and boot a GNOME system with the
>> proposed GLib before upload, and inform this bug if further changes are
>> needed.
>
> Please feel free to go ahead if your tests were successful and it was
> ACKed by d-i.

My tests were successful.

I don't see my original unblock request in the debian-boot@ web archive -
perhaps it was discarded by the mailing list software?

-boot: do you want to be consulted on udeb unblocks at this stage of the
freeze? Please see
https://lists.debian.org/debian-release/2025/05/msg00301.html for the
full diff for this one, if that's useful.

Thanks,
     smcv



More information about the pkg-gnome-maintainers mailing list