
Bug#1053307: marked as done (bullseye-pu: package glib2.0/2.66.8-1+deb11u1)



Your message dated Sat, 10 Feb 2024 13:02:55 +0000
with message-id <E1rYn0R-002xp3-AV@coccia.debian.org>
and subject line Released with 11.9
has caused the Debian Bug report #1053307,
regarding bullseye-pu: package glib2.0/2.66.8-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1053307: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053307
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye d-i
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: glib2.0@packages.debian.org, debian-gtk-gnome@lists.debian.org
Control: affects -1 + src:glib2.0

I would like to update glib2.0 in Debian 11.9. We're too close to the
11.8 deadline for an update with this size of diffstat, so I'd like
to upload it to bullseye-proposed-updates shortly after 11.8 is out,
to give it the maximum amount of review and testing possible.

glib2.0 has a udeb and is actively used in the graphical installer,
so this will need a d-i ack, either before upload or before acceptance.

[ Reason ]
Fix denial of service vulnerabilities when parsing untrusted
GVariant data, either in binary form (CVE-2023-32665, CVE-2023-32611,
CVE-2023-29499, which were marked as no-dsa by the security team) or
in text form (no CVEs for these, I don't think the GLib maintainers
consider parsing GVariant text notation to be a valid thing to do with
untrusted input).

The vulnerabilities with CVEs were already fixed in Debian 10 LTS. The
issues without CVEs were not fixed in Debian 10 LTS, but I think fixing
them will give us a lower regression risk as well as more bug fixes.

[ Impact ]
If not fixed, anything that parses untrusted data in GVariant format will
be subject to denial of service attacks, and the LTS team will presumably
backport the same changes into Debian 11 LTS in a less complete form with
(IMO) a higher risk of regressions.

Flatpak and ostree parse trusted or at least semi-trusted data in GVariant
format, so they will be subject to this denial of service, but it isn't
urgent to fix (the integrity of GVariant data they process is protected
by PGP signatures and/or https, and it rarely makes sense to access a
completely untrusted ostree repository). I don't currently know of any
software in Debian that parses totally untrusted GVariant data.

[ Tests ]
A test-build that differs only in its changelog and version number can be
downloaded from: https://people.debian.org/~smcv/11.9/pool/main/g/glib2.0/

GLib's automated test suite passes (dh_auto_test and autopkgtest on both
amd64 and i386), and new coverage for several of the issues fixed here
accounts for around 30% of the diff.

There were no obvious regressions in a Debian 11 GNOME VM. I'll try this
on one of my work test machines before upload, but I no longer have any
bullseye machines in production use, so I can only do this on a test
installation that is not used day-to-day.

Any further testing that bullseye users can provide would be appreciated.

[ Risks ]
The diffstat is considerable, but I have tried to minimize the risk by
backporting *all* GVariant fixes from the version we ship in Debian 12,
and verifying that the only remaining non-comment differences in
`glib/gvariant*` between Debian 12 and this version are inclusion of
some compatibility headers. This means that if there were regressions
caused by these changes, we should already have seen them in Debian 12
(we haven't). Also, if regressions are discovered in this area in future,
their fixes should backport cleanly from Debian 12.

The initial versions of the denial-of-service fixes introduced a more
serious vulnerability (a buffer overflow, CVE-2023-32643) and some bugs
(a crash on big-endian architectures, and another denial of service
detected by a fuzzer). I have made sure to backport the fixes for those too.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable (and stable)

[ Changes ]
po/hr.po is (obviously) a translation update, from upstream.

All other changes are for the denial of service vulnerabilities, or are
small bug fixes in the same module which I have backported in order to
minimize risk.

All changes are straightforward cherry-picks from upstream via
Debian 12's GLib 2.74.x, except for the translation update, which was
applied to upstream's 2.66.x branch after its final point release, and
"debian/patches/Exclude-g_variant_maybe_get_child_value-from-API-document.patch",
which adjusts the content of a doc-comment to prevent a documentation
check from causing FTBFS (no changes to the actual code).

[ Other info ]
For my reference, this proposed version is
https://salsa.debian.org/gnome-team/glib/-/merge_requests/26 v1.

Thanks,
    smcv

Attachment: glib2.0_2.66.8-1+deb11u1_f2310192.diff.gz
Description: application/gzip


--- End Message ---
--- Begin Message ---
Version: 11.9

The upload requested in this bug has been released as part of 11.9.

--- End Message ---
