Your message dated Sat, 10 Feb 2024 13:02:55 +0000 with message-id <E1rYn0R-002xp3-AV@coccia.debian.org> and subject line Released with 11.9 has caused the Debian Bug report #1053307, regarding bullseye-pu: package glib2.0/2.66.8-1+deb11u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1053307: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053307
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package glib2.0/2.66.8-1+deb11u1
- From: Simon McVittie <smcv@debian.org>
- Date: Sun, 1 Oct 2023 11:52:25 +0100
- Message-id: <ZRlPaZIz4Ns16pWO@tautology.pseudorandom.co.uk>
Package: release.debian.org
Severity: normal
Tags: bullseye d-i
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: glib2.0@packages.debian.org, debian-gtk-gnome@lists.debian.org
Control: affects -1 + src:glib2.0

I would like to update glib2.0 in Debian 11.9. We're too close to the 11.8 deadline for an update with this size of diffstat, so I'd like to upload it to bullseye-proposed-updates shortly after 11.8 is out, to give it the maximum amount of review and testing possible.

glib2.0 has a udeb and is actively used in the graphical installer, so this will need a d-i ack, either before upload or before acceptance.

[ Reason ]
Fix denial of service vulnerabilities when parsing untrusted GVariant data, either in binary form (CVE-2023-32665, CVE-2023-32611, CVE-2023-29499, which were marked as no-dsa by the security team) or in text form (no CVEs for these, I don't think the GLib maintainers consider parsing GVariant text notation to be a valid thing to do with untrusted input).

The vulnerabilities with CVEs were already fixed in Debian 10 LTS. The issues without CVEs were not fixed in Debian 10 LTS, but I think fixing them will give us a lower regression risk as well as more bug fixes.

[ Impact ]
If not fixed, anything that parses untrusted data in GVariant format will be subject to denial of service attacks, and the LTS team will presumably backport the same changes into Debian 11 LTS in a less complete form with (IMO) a higher risk of regressions.

Flatpak and ostree parse trusted or at least semi-trusted data in GVariant format, so they will be subject to this denial of service, but it isn't urgent to fix (the integrity of GVariant data they process is protected by PGP signatures and/or https, and it rarely makes sense to access a completely untrusted ostree repository).

I don't currently know of any software in Debian that parses totally untrusted GVariant data.

[ Tests ]
A test-build that differs only in its changelog and version number can be downloaded from:
https://people.debian.org/~smcv/11.9/pool/main/g/glib2.0/

GLib's automated test suite passes (dh_auto_test and autopkgtest on both amd64 and i386), and new coverage for several of the issues fixed here accounts for around 30% of the diff.

There were no obvious regressions in a Debian 11 GNOME VM. I'll try this on one of my work test machines before upload, but I no longer have any bullseye machines in production use, so I can only do this on a test installation that is not used day-to-day.

Any further testing that bullseye users can provide would be appreciated.

[ Risks ]
The diffstat is considerable, but I have tried to minimize the risk by backporting *all* GVariant fixes from the version we ship in Debian 12, and verifying that the only remaining non-comment differences in `glib/gvariant*` between Debian 12 and this version are inclusion of some compatibility headers.

This means that if there were regressions caused by these changes, we should already have seen them in Debian 12 (we haven't). Also, if regressions are discovered in this area in future, their fixes should backport cleanly from Debian 12.

The initial versions of the denial-of-service fixes introduced a more serious vulnerability (a buffer overflow, CVE-2023-32643) and some bugs (a crash on big-endian architectures, and another denial of service detected by a fuzzer). I have made sure to backport the fixes for those too.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in oldstable
[x] the issue is verified as fixed in unstable (and stable)

[ Changes ]
po/hr.po is (obviously) a translation update, from upstream.

All other changes are for the denial of service vulnerabilities, or are small bug fixes in the same module which I have backported in order to minimize risk.

All changes are straightforward cherry-picks from upstream via Debian 12's GLib 2.74.x, except for the translation update, which was applied to upstream's 2.66.x branch after its final point release, and "debian/patches/Exclude-g_variant_maybe_get_child_value-from-API-document.patch", which adjusts the content of a doc-comment to prevent a documentation check from causing FTBFS (no changes to the actual code).

[ Other info ]
For my reference, this proposed version is https://salsa.debian.org/gnome-team/glib/-/merge_requests/26 v1.

Thanks,
smcv

Attachment: glib2.0_2.66.8-1+deb11u1_f2310192.diff.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
- To: 1053307-done@bugs.debian.org
- Subject: Released with 11.9
- From: Jonathan Wiltshire <jmw@coccia.debian.org>
- Date: Sat, 10 Feb 2024 13:02:55 +0000
- Message-id: <E1rYn0R-002xp3-AV@coccia.debian.org>
Version: 11.9

The upload requested in this bug has been released as part of 11.9.
--- End Message ---