Bug#1104976: unblock: glib2.0/2.84.2-1
Simon McVittie
smcv at debian.org
Thu May 22 21:45:36 BST 2025
Control: retitle -1 unblock: glib2.0/2.84.2-1
Control: tags -1 - confirmed
On Fri, 09 May 2025 at 11:08:26 +0100, Simon McVittie wrote:
>[ Reason ]
>CVE-2025-4373 (#1104930).
>
>I also took the opportunity to catch up with the upstream glib-2-84
>branch by adding one unrelated bugfix commit (a 1-line change).
Since then we've had a new upstream release, which I uploaded, in the
interests of having a simpler diff and a simpler "what version is this?"
story.
[ Reason ]
CVE-2025-4373 (#1104930) and other upstream bug fixes.
[ Impact ]
Fixes an out-of-bounds write if an attacker can somehow arrange for GLib
to be acting on overwhelmingly large strings (half the address space in
a single GString object, so 2GB for 32-bit processes).
Avoids potential negative string offsets in g_get_locale_variants()
if the input is syntactically invalid (possibly found by fuzz-testing,
might be claimed to be a security vulnerability if someone is parsing
untrusted locale names for whatever reason).
Ensures that localtime_r() is not called without first calling tzset(),
which has unspecified behaviour.
Makes it easier to take subsequent upstream stable releases, which can
contain security fixes.
[ Tests ]
autopkgtests pass and my GNOME laptop continues to work well.
GLib has a quite thorough test suite in general, but CVE-2025-4373 is
not covered by it, because exploiting the bug requires a huge memory
allocation that will, in practice, usually fail.
[ Risks ]
Low-risk targeted changes.
The changes to glib/tests/utils.c are a bit noisy (changing some
assertions around) but are purely test code, no impact on normal users
(and the tests still pass). The additions in fuzzing/ are, again, a bit
noisy, but I don't think we even compile that part; it certainly doesn't
have any impact on end-user systems.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
(filtered to exclude CI noise and the contents of deleted patches)
[ Other info ]
Needs a d-i ack due to the GTK-based graphical installer.
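The CVE-2025-4373 description above (an out-of-bounds write once a string reaches half the address space) is a signed-size arithmetic problem: a length or offset that no longer fits in a signed size type flips negative and a bounds check silently passes. The following is an added example written for this page, not GLib's GString code; the `ExampleString` type, `naive_pos_ok()` and `checked_insert_size()` are invented names. It contrasts the signed-style check with an unsigned one that caps lengths at `PTRDIFF_MAX` and guards the addition before it can overflow.

```c
/* Added example, written for this page: overflow-safe length arithmetic for
 * inserting into a growable string buffer.  NOT GLib's GString code; all
 * names are invented for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
  char  *str;
  size_t len;            /* bytes in use, excluding the trailing NUL */
  size_t allocated_len;  /* bytes allocated, including room for the NUL */
} ExampleString;

/* Hard cap: half the address space, so len, pos and len + pos always fit
 * in a signed size type as well as an unsigned one. */
#define EXAMPLE_MAX_LEN ((size_t) PTRDIFF_MAX)

/* The buggy pattern: the bounds check is done after casting to a signed
 * size type.  A position beyond half the address space becomes negative,
 * so "pos <= cur_len" wrongly succeeds. */
static bool naive_pos_ok (size_t cur_len, size_t pos)
{
  return (ptrdiff_t) pos <= (ptrdiff_t) cur_len;
}

/* Hardened check: unsigned arithmetic only, addition guarded before it is
 * performed.  On success *new_len receives cur_len + len. */
static bool checked_insert_size (size_t cur_len, size_t pos, size_t len,
                                 size_t *new_len)
{
  if (cur_len > EXAMPLE_MAX_LEN || pos > cur_len)
    return false;
  if (len > EXAMPLE_MAX_LEN - cur_len)   /* cur_len + len would exceed the cap */
    return false;
  *new_len = cur_len + len;
  return true;
}

static bool insert_size_allowed (size_t cur_len, size_t pos, size_t len)
{
  size_t unused;
  return checked_insert_size (cur_len, pos, len, &unused);
}

static bool example_string_init (ExampleString *s, const char *init)
{
  size_t len = strlen (init);
  if (len > EXAMPLE_MAX_LEN || (s->str = malloc (len + 1)) == NULL)
    return false;
  memcpy (s->str, init, len + 1);
  s->len = len;
  s->allocated_len = len + 1;
  return true;
}

/* Insert len bytes of src at byte offset pos.  Every size used below for
 * allocation and copying has already been validated. */
static bool example_string_insert (ExampleString *s, size_t pos,
                                   const char *src, size_t len)
{
  size_t new_len;
  if (!checked_insert_size (s->len, pos, len, &new_len))
    return false;
  if (new_len + 1 > s->allocated_len) {   /* new_len <= PTRDIFF_MAX, so +1 is safe */
    char *p = realloc (s->str, new_len + 1);
    if (!p) return false;
    s->str = p;
    s->allocated_len = new_len + 1;
  }
  /* Shift the tail (including the NUL) right, then copy src into the gap. */
  memmove (s->str + pos + len, s->str + pos, s->len - pos + 1);
  memcpy (s->str + pos, src, len);
  s->len = new_len;
  return true;
}

/* Inserts ", big" at offset 5 of "hello world" and compares with expected. */
static bool demo_insert_matches (const char *expected)
{
  ExampleString s;
  bool ok;
  if (!example_string_init (&s, "hello world")) return false;
  ok = example_string_insert (&s, 5, ", big", 5) && strcmp (s.str, expected) == 0;
  free (s.str);
  return ok;
}

int main (void)
{
  size_t huge = (size_t) PTRDIFF_MAX + 10;   /* past half the address space */
  printf ("naive check accepts huge pos: %s\n", naive_pos_ok (100, huge) ? "yes" : "no");
  printf ("checked insert allows it:     %s\n", insert_size_allowed (100, huge, 1) ? "yes" : "no");
  printf ("demo insert: %s\n", demo_insert_matches ("hello, big world") ? "ok" : "FAIL");
  return 0;
}
```

As the message notes, triggering the real bug needs an allocation of half the address space, which usually fails; the example therefore exercises only the arithmetic, which is where the fix lives, rather than allocating such a buffer.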
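The g_get_locale_variants() item above concerns negative string offsets on syntactically invalid locale names. The added example below, written for this page and not GLib's implementation (all names are invented, and the most-specific-first ordering is this example's own choice), parses `language[_territory][.codeset][@modifier]` by peeling components off from the right and searching for each delimiter only inside the prefix that precedes the previous one, so no length can go negative however the delimiters are ordered.

```c
/* Added example, written for this page: splitting a POSIX-style locale name
 * into components and listing its variants without ever computing a
 * negative offset, even on syntactically invalid input.  Illustrative
 * code, NOT GLib's g_get_locale_variants(); all names are invented. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { COMP_CODESET = 1 << 0, COMP_TERRITORY = 1 << 1, COMP_MODIFIER = 1 << 2 };

typedef struct {
  const char *lang, *territory, *codeset, *modifier;
  size_t lang_len, territory_len, codeset_len, modifier_len;
  int mask;   /* which optional components were present */
} LocaleParts;

/* Each memchr() is bounded by `end`, the end of the prefix left after the
 * previous delimiter, so every length is (prefix end) - (delimiter + 1)
 * and cannot be negative, e.g. "de@euro.UTF-8" yields modifier "euro.UTF-8". */
static void explode_locale (const char *locale, LocaleParts *p)
{
  size_t end = strlen (locale);
  const char *d;
  memset (p, 0, sizeof *p);
  if ((d = memchr (locale, '@', end)) != NULL) {
    p->modifier = d + 1; p->modifier_len = (size_t) ((locale + end) - (d + 1));
    p->mask |= COMP_MODIFIER; end = (size_t) (d - locale);
  }
  if ((d = memchr (locale, '.', end)) != NULL) {
    p->codeset = d + 1; p->codeset_len = (size_t) ((locale + end) - (d + 1));
    p->mask |= COMP_CODESET; end = (size_t) (d - locale);
  }
  if ((d = memchr (locale, '_', end)) != NULL) {
    p->territory = d + 1; p->territory_len = (size_t) ((locale + end) - (d + 1));
    p->mask |= COMP_TERRITORY; end = (size_t) (d - locale);
  }
  p->lang = locale; p->lang_len = end;
}

#define MAX_VARIANTS 8
#define VARIANT_LEN  128

static size_t append_part (char *dst, size_t off, char sep, const char *s, size_t n)
{
  dst[off++] = sep;
  memcpy (dst + off, s, n);
  return off + n;
}

/* Fills out[] from most to least specific and returns the count
 * (0 if locale does not fit VARIANT_LEN). */
static int locale_variants (const char *locale, char out[MAX_VARIANTS][VARIANT_LEN])
{
  LocaleParts p;
  int n = 0;
  if (strlen (locale) >= VARIANT_LEN) return 0;
  explode_locale (locale, &p);
  for (int i = p.mask; i >= 0; i--) {
    if ((i & ~p.mask) != 0) continue;   /* skip combinations using absent parts */
    char *dst = out[n];
    size_t off = p.lang_len;
    memcpy (dst, p.lang, p.lang_len);
    if (i & COMP_TERRITORY) off = append_part (dst, off, '_', p.territory, p.territory_len);
    if (i & COMP_CODESET)   off = append_part (dst, off, '.', p.codeset,   p.codeset_len);
    if (i & COMP_MODIFIER)  off = append_part (dst, off, '@', p.modifier,  p.modifier_len);
    dst[off] = '\0';   /* total never exceeds strlen (locale) < VARIANT_LEN */
    n++;
  }
  return n;
}

static int variant_count (const char *locale)
{
  char out[MAX_VARIANTS][VARIANT_LEN];
  return locale_variants (locale, out);
}

static bool variant_at_is (const char *locale, int idx, const char *expected)
{
  char out[MAX_VARIANTS][VARIANT_LEN];
  int n = locale_variants (locale, out);
  return idx >= 0 && idx < n && strcmp (out[idx], expected) == 0;
}

int main (void)
{
  /* Constructed inputs: two well-formed names, two malformed, one bare. */
  const char *inputs[] = { "de_DE.UTF-8@euro", "fr_BE", "de@euro.UTF-8", "_", "C" };
  for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
    char out[MAX_VARIANTS][VARIANT_LEN];
    int n = locale_variants (inputs[k], out);
    printf ("%-18s ->", inputs[k]);
    for (int i = 0; i < n; i++) printf (" \"%s\"", out[i]);
    printf ("\n");
  }
  return 0;
}
```

The malformed inputs ("de@euro.UTF-8" with the modifier before the codeset, and a lone "_") come out as a degenerate but in-bounds split rather than as a negative length, which is the property the fix described above is about.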
Attachment: glib2.0_2.84.2-1.diff (text/x-diff, 23892 bytes)
<http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20250522/ef024066/attachment-0001.diff>