Bug#1104976: unblock (pre-approval): glib2.0/2.84.1-3
Control: tags -1 confirmed
On 2025-05-09 11:08:26 +0100, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> Tags:
> X-Debbugs-Cc: glib2.0@packages.debian.org, debian-boot@lists.debian.org
> Control: affects -1 + src:glib2.0
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> [ Reason ]
> CVE-2025-4373 (#1104930).
>
> I also took the opportunity to catch up with the upstream glib-2-84
> branch by adding one unrelated bugfix commit (a 1-line change).
>
> [ Impact ]
> Fixes an out-of-bounds write if an attacker can somehow arrange for GLib
> to be acting on overwhelmingly large strings (half the address space in
> a single GString object, so 2GB for 32-bit processes).
>
> Ensures that localtime_r() is not called without first calling tzset(),
> which has unspecified behaviour.
>
> [ Tests ]
> Not yet tested. I will run autopkgtests and boot a GNOME system with the
> proposed GLib before upload, and inform this bug if further changes are
> needed.
Please feel free to go ahead if your tests were successful and it was
ACKed by d-i.
Cheers
--
Sebastian Ramacher