Control: retitle -1 glib#3827, CVE-2025-13601: integer overflow escaping large strings for inclusion in URIs
Control: found -1 2.0.0-1

On Thu, 27 Nov 2025 at 11:51:38 +0100, Salvatore Bonaccorso wrote:
> CVE-2025-13601[0]:
> | A heap-based buffer overflow problem was found in glib through an
> | incorrect calculation of buffer size in the g_escape_uri_string()
> | function. If the string to escape contains a very large number of
> | unacceptable characters (which would need escaping), the calculation
> | of the length of the escaped string could overflow, leading to a
> | potential write off the end of the newly allocated string.
"Very large" here means the unescaped string we're interpolating into a URI is at least half a gigabyte, resulting in more than 2 GiB of escaped text. Interpolating hundreds of MiB of attacker-controlled text into a URI seems unwise at best, and highly inefficient.
Do I assume correctly that the security team considers this to be trixie-pu material rather than deserving a DSA or an urgent fix?
I think it would make sense to backport all the arguably-security-fixes from GLib 2.86.3 to older suites as a batch, rather than individually. I don't think any of them are urgent.
The only change in 2.86.3 that is not of the form "fix an integer overflow when handling inadvisably large inputs" is a Windows-specific bug fix in gio/win32/ which doesn't affect any Debian architecture.
smcv
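As an added illustration of the length-calculation bug class discussed in this thread (this is example code, not GLib's g_escape_uri_string() or its patch): a URI percent-escaper whose buffer-size arithmetic is carried out in size_t with every step overflow-checked, so an input large enough to make len + 2 * unacceptable + 1 wrap is refused rather than under-allocated. It assumes GCC/Clang's __builtin_*_overflow builtins, and the set of bytes left unescaped is constructed for the example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Bytes left unescaped: RFC 3986 unreserved characters plus '/'.  This
 * set is constructed for the example; it is not GLib's own mask. */
static bool uri_byte_acceptable(unsigned char c)
{
    return c != '\0' && ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                         (c >= '0' && c <= '9') || strchr("-._~/", c) != NULL);
}

/* Escaped size is len + 2 * unacceptable + 1 (each escaped byte grows from
 * 1 to 3 bytes, plus the NUL); returns 0 (never a valid size) on overflow. */
static size_t escaped_len_checked(size_t len, size_t unacceptable)
{
    size_t extra, total;
    if (__builtin_mul_overflow(unacceptable, (size_t)2, &extra) ||
        __builtin_add_overflow(len, extra, &total) ||
        __builtin_add_overflow(total, (size_t)1, &total))
        return 0;
    return total;
}

/* Percent-encode s (len bytes) into a malloc'd NUL-terminated string;
 * NULL if the escaped size is not representable or malloc fails. */
static char *uri_escape(const char *s, size_t len)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t i, unacceptable = 0, total;
    char *out, *q;
    for (i = 0; i < len; i++)
        unacceptable += !uri_byte_acceptable((unsigned char)s[i]);
    total = escaped_len_checked(len, unacceptable);
    if (total == 0 || (out = malloc(total)) == NULL)
        return NULL;
    q = out;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (uri_byte_acceptable(c)) {
            *q++ = (char)c;
        } else {
            *q++ = '%';
            *q++ = hex[c >> 4];
            *q++ = hex[c & 0x0F];
        }
    }
    *q = '\0';
    return out;
}
```

The second assertion below is the threshold this thread talks about: once roughly 0.67 GiB of the input needs escaping, the escaped size exceeds what a 32-bit signed counter can hold, even though size_t arithmetic represents it without trouble.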