[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#982778: libglib2.0-0: GHSL-2021-045: Integer overflow in g_memdup()/g_bytes_new() on 64-bit platforms

Package: libglib2.0-0
Version: 2.31.8-1
Severity: important
Tags: security fixed-upstream
X-Debbugs-Cc: team@security.debian.org, debian-lts@lists.debian.org
Control: close -1 2.66.6-1

Kevin Backhouse of the GitHub Security Lab found an integer overflow in
GLib: <https://gitlab.gnome.org/GNOME/glib/-/issues/2319>. I've requested a
CVE ID. Until then, it's tracked as GHSL-2021-045, or within Debian as

This was accidentally disclosed before a fix existed, and the fixes are not
completely straightforward, leading to the initial fixes in 2.66.6
containing regressions. All of the regressions *that we know of* were fixed
in 2.66.7, but there might be more.

I would recommend that any backports to stable or oldstable are reviewed
carefully before release, preferably by an upstream or downstream GLib
maintainer (which is why I'm cc'ing the LTS team as a request to not
immediately rush into backporting this).

There is a separate integer overflow fixed in 2.66.7 for which I will
report a separate bug.


Reply to: