[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1104976: unblock (pre-approval): glib2.0/2.84.1-3

Control: tags -1 confirmed

On 2025-05-09 11:08:26 +0100, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> Tags: 
> X-Debbugs-Cc: glib2.0@packages.debian.org, debian-boot@lists.debian.org
> Control: affects -1 + src:glib2.0
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> [ Reason ]
> CVE-2025-4373 (#1104930).
> 
> I also took the opportunity to catch up with the upstream glib-2-84 
> branch by adding one unrelated bugfix commit (a 1-line change).
> 
> [ Impact ]
> Fixes an out-of-bounds write if an attacker can somehow arrange for GLib 
> to be acting on overwhelmingly large strings (half the address space in 
> a single GString object, so 2GB for 32-bit processes).
> 
> Ensures that localtime_r() is not called without first calling tzset(), 
> which has unspecified behaviour.
> 
> [ Tests ]
> Not yet tested. I will run autopkgtests and boot a GNOME system with the 
> proposed GLib before upload, and inform this bug if further changes are 
> needed.

Please feel free to go ahead if your tests were successful and it was
ACKed by d-i.

Cheers
-- 
Sebastian Ramacher
Reply to: