Re: Bug#1104976: unblock (pre-approval): glib2.0/2.84.1-3

[Simon McVittie <smcv@debian.org>]

On Fri, 09 May 2025 at 14:57:40 +0200, Sebastian Ramacher wrote:
> > [ Reason ]
> > CVE-2025-4373 (#1104930).
> >
> > I also took the opportunity to catch up with the upstream glib-2-84
> > branch by adding one unrelated bugfix commit (a 1-line change).
> >
> > [ Impact ]
> > Fixes an out-of-bounds write if an attacker can somehow arrange for GLib
> > to be acting on overwhelmingly large strings (half the address space in
> > a single GString object, so 2GB for 32-bit processes).
> >
> > Ensures that localtime_r() is not called without first calling tzset(),
> > which has unspecified behaviour.
> >
> > [ Tests ]
> > Not yet tested. I will run autopkgtests and boot a GNOME system with the
> > proposed GLib before upload, and inform this bug if further changes are
> > needed.
>
> Please feel free to go ahead if your tests were successful and it was
> ACKed by d-i.

My tests were successful.

I don't see my original unblock request in the debian-boot@ web archive 
- perhaps it was discarded by the mailing list software?

-boot: do you want to be consulted on udeb unblocks at this stage of the 
freeze? Please see 
https://lists.debian.org/debian-release/2025/05/msg00301.html for the 
full diff for this one, if that's useful.

Thanks,
    smcv