--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock (pre-approval): glib2.0/2.66.8-1
- From: Simon McVittie <smcv@debian.org>
- Date: Sat, 20 Mar 2021 17:08:14 +0000
- Message-id: <YFYr/jbSJOiYLaZ1@momentum.pseudorandom.co.uk>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
I'd like pre-approval to upload glib2.0/2.66.8-1 to unstable.

[ Reason ]
* Sync up with upstream 2.66.8 release, 95% of which we already apply
  via debian/patches
* Add an error-handling patch from upstream that they recommended I
  consider including when backporting recent security fixes to buster
* Add missing CVE ID references to changelog

[ Impact ]
Using 2.66.8 will make it more obvious that we have the CVE-2021-28153 fix.

The error handling patch (gio/glocalfileoutputstream.c in the diff) is
not critical, but it fixes an oversight in the CVE-2021-28153 fix. If we
don't have it, GLib will attempt to close(-1) under some circumstances,
which is harmless but gets flagged as an error by static analysis
(e.g. Coverity) and debug instrumentation, obscuring more important
issues. Upstream recommended that I include this in backports to buster,
which I probably will unless the security team or SRMs ask me not to.

[ Tests ]
GLib has a large test suite which we run at build time and in
autopkgtests. I run autopkgtests on amd64 and i386 qemu VMs before
each upload.

I haven't done any manual testing on this just yet, but I'll use it on
my GNOME systems for a while before uploading.

[ Risks ]
It's an important key package and used in all our desktops, but the
changes are targeted and obvious.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
    (as with the recent mutter and gnome-shell unblocks, to minimize
    noise this is a diff between patched trees, excluding the patches
    themselves)

[ Other info ]
This is likely to be the last upstream release from the 2.66.x branch,
so any subsequent fixes (security or otherwise) will be back to using
the patch series.

unblock glib2.0/2.66.8-1
--- End Message ---
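An added C illustration, not GLib's own code, of the close(-1) pattern the message above describes: when the open step of an fd-holding stream fails, the descriptor stays at -1, an unguarded cleanup then calls close(-1) (which fails with EBADF and does no harm, but is exactly what static analysis flags), and the guarded cleanup skips the call. The names (struct stream, try_open, demo) and the nonexistent path are constructed for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Constructed stand-in for a stream object that owns one descriptor. */
struct stream { int fd; };

/* Open step: like open(2), leaves fd at -1 and sets errno on failure. */
static int try_open(struct stream *s, const char *path) {
    s->fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return s->fd;
}

/* The oversight: cleanup closes s->fd even when nothing was opened. */
int cleanup_unguarded(struct stream *s) {
    int rc = close(s->fd);   /* close(-1): returns -1, errno == EBADF */
    s->fd = -1;
    return rc;
}

/* The fix: only close a descriptor the object actually owns. */
int cleanup_guarded(struct stream *s) {
    int rc = 0;
    if (s->fd >= 0) {
        rc = close(s->fd);
        s->fd = -1;
    }
    return rc;
}

/* Drive the error path; returns 1 if the unguarded close(-1) was
 * reproduced, 0 if the guarded cleanup succeeded cleanly, <0 otherwise. */
int demo(int guarded) {
    struct stream s = { -1 };
    /* Directory does not exist, so the open step must fail (ENOENT). */
    if (try_open(&s, "/nonexistent-dir-for-demo/file") < 0) {
        errno = 0;
        int rc = guarded ? cleanup_guarded(&s) : cleanup_unguarded(&s);
        if (!guarded && rc == -1 && errno == EBADF) return 1;
        if (guarded && rc == 0) return 0;
        return -1;
    }
    cleanup_guarded(&s);   /* unexpected success: release the fd properly */
    return -2;
}

int main(void) {
    printf("unguarded cleanup hit close(-1): %s\n", demo(0) == 1 ? "yes" : "no");
    printf("guarded cleanup clean: %s\n", demo(1) == 0 ? "yes" : "no");
    return 0;
}
```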