
Bug#1107843: unblock: glib2.0/2.84.3-1



Package: release.debian.org
Severity: normal
X-Debbugs-Cc: glib2.0@packages.debian.org
Control: affects -1 + src:glib2.0
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package glib2.0

[ Reason ]
Fix CVE-2025-6052

[ Impact ]
If not accepted, automated vulnerability scanners will warn about an 
unfixed vulnerability, and there could conceivably be a program in which 
an attacker can trigger a buffer overflow (although it seems unlikely; 
the failure scenario is rather contrived, and involves using up the entire 
address space for text strings).

I took the opportunity to fix a minor documentation bug (outdated 
Homepage field).

[ Tests ]
The automated test suite is fairly comprehensive and still passes (at 
build-time and as an autopkgtest). There is no coverage for 
CVE-2025-6052, because it would have to involve allocating multiple 
gigabytes of memory even on 32-bit.

My GNOME desktop still operates normally.

[ Risks ]
Key package in most (all?) of our desktop environments, but the changes 
are very narrowly targeted.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock glib2.0/2.84.3-1
diffstat for glib2.0-2.84.2 glib2.0-2.84.3

 NEWS             |    8 ++++++++
 debian/changelog |   11 +++++++++++
 debian/control   |    2 +-
 glib/gstring.c   |    8 ++++----
 meson.build      |    2 +-
 5 files changed, 25 insertions(+), 6 deletions(-)

diff -Nru glib2.0-2.84.2/debian/changelog glib2.0-2.84.3/debian/changelog
--- glib2.0-2.84.2/debian/changelog	2025-05-22 17:25:42.000000000 +0100
+++ glib2.0-2.84.3/debian/changelog	2025-06-15 12:12:51.000000000 +0100
@@ -1,3 +1,14 @@
+glib2.0 (2.84.3-1) unstable; urgency=medium
+
+  * New upstream stable release
+    - Move an ineffective string length overflow check to a location where it
+      will be effective, fixing a possible buffer overflow when working with
+      multi-gigabyte strings (CVE-2025-6052, Closes: #1107797; unlikely to be
+      exploitable in practice)
+  * d/control: Update Homepage (Closes: #1087982)
+
+ -- Simon McVittie <smcv@debian.org>  Sun, 15 Jun 2025 12:12:51 +0100
+
 glib2.0 (2.84.2-1) unstable; urgency=medium
 
   * New upstream stable release
diff -Nru glib2.0-2.84.2/debian/control glib2.0-2.84.3/debian/control
--- glib2.0-2.84.2/debian/control	2025-05-22 17:25:42.000000000 +0100
+++ glib2.0-2.84.3/debian/control	2025-06-15 12:12:51.000000000 +0100
@@ -49,7 +49,7 @@
  gobject-introspection (>= 1.80.0) <!nodoc>,
 Rules-Requires-Root: no
 Standards-Version: 4.7.0
-Homepage: https://wiki.gnome.org/Projects/GLib
+Homepage: https://gitlab.gnome.org/GNOME/glib
 Vcs-Browser: https://salsa.debian.org/gnome-team/glib
 Vcs-Git: https://salsa.debian.org/gnome-team/glib.git
 
diff -Nru glib2.0-2.84.2/glib/gstring.c glib2.0-2.84.3/glib/gstring.c
--- glib2.0-2.84.2/glib/gstring.c	2025-05-20 17:22:25.000000000 +0100
+++ glib2.0-2.84.3/glib/gstring.c	2025-06-13 12:55:59.000000000 +0100
@@ -68,10 +68,6 @@
 g_string_expand (GString *string,
                  gsize    len)
 {
-  /* Detect potential overflow */
-  if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
-    g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
-
   string->allocated_len = g_nearest_pow (string->len + len + 1);
   /* If the new size is bigger than G_MAXSIZE / 2, only allocate enough
    * memory for this string and don't over-allocate.
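Review bot: in g_string_expand, `string->len + len + 1` is now handed to g_nearest_pow with no guard in the function itself, so it is only safe when the caller has already been through g_string_maybe_expand. A short comment above the assignment stating that precondition, or a g_assert on the same condition, would keep a later direct caller from reintroducing the wraparound.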
@@ -86,6 +82,10 @@
 g_string_maybe_expand (GString *string,
                        gsize    len)
 {
+  /* Detect potential overflow */
+  if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
+    g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
+
   if (G_UNLIKELY (string->len + len >= string->allocated_len))
     g_string_expand (string, len);
 }
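Review bot: the comment "Detect potential overflow" in g_string_maybe_expand does not say why the check must come before the `string->len + len >= string->allocated_len` test. That sum can wrap and compare below allocated_len, in which case g_string_expand is never reached. Saying so in the comment would stop the check from being moved back in a later cleanup, which matters more here because the request states there is no test coverage for this path.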
diff -Nru glib2.0-2.84.2/meson.build glib2.0-2.84.3/meson.build
--- glib2.0-2.84.2/meson.build	2025-05-20 17:22:25.000000000 +0100
+++ glib2.0-2.84.3/meson.build	2025-06-13 12:55:59.000000000 +0100
@@ -1,5 +1,5 @@
 project('glib', 'c',
-  version : '2.84.2',
+  version : '2.84.3',
   # NOTE: See the policy in docs/meson-version.md before changing the Meson dependency
   meson_version : '>= 1.4.0',
   default_options : [
diff -Nru glib2.0-2.84.2/NEWS glib2.0-2.84.3/NEWS
--- glib2.0-2.84.2/NEWS	2025-05-20 17:22:25.000000000 +0100
+++ glib2.0-2.84.3/NEWS	2025-06-13 12:55:59.000000000 +0100
@@ -1,3 +1,11 @@
+Overview of changes in GLib 2.84.3, 2025-06-13
+==============================================
+
+* Bugs fixed:
+  - !4656 Backport !4655 “gstring: Fix overflow check when expanding the string”
+    to glib-2-84
+
+
 Overview of changes in GLib 2.84.2, 2025-05-20
 ==============================================
 

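The ordering problem that the changelog entry describes, modelled on the two length fields only, with no memory allocated or copied. This is an added example, not code from GLib or from the original message; `struct model`, `would_overflow` and the `decide_*` names are hypothetical and the sample values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the two GString fields the check reads. */
struct model { size_t len; size_t allocated_len; };

/* FITS: caller proceeds as if there were room. ABORT: the g_error path. */
enum outcome { FITS, EXPAND, ABORT };

/* The guard from the diff: true when len + add + 1 cannot fit in size_t. */
static int would_overflow(const struct model *s, size_t add)
{
    return (SIZE_MAX - s->len - 1) < add;
}

/* 2.84.2 ordering: the guard sits in the expand path, which is entered
 * only if the (possibly wrapped) sum reaches allocated_len. */
static enum outcome decide_2_84_2(const struct model *s, size_t add)
{
    if (s->len + add >= s->allocated_len)        /* sum may wrap */
        return would_overflow(s, add) ? ABORT : EXPAND;
    return FITS;                                 /* guard never ran */
}

/* 2.84.3 ordering: the guard runs before the sum is formed. */
static enum outcome decide_2_84_3(const struct model *s, size_t add)
{
    if (would_overflow(s, add))
        return ABORT;
    return (s->len + add >= s->allocated_len) ? EXPAND : FITS;
}

int main(void)
{
    struct model s = { 10, 16 };                 /* constructed values */
    size_t adds[] = { 3, 100, SIZE_MAX - 10, SIZE_MAX - 5 };
    static const char *name[] = { "fits", "expand", "abort" };
    for (size_t i = 0; i < sizeof adds / sizeof adds[0]; i++)
        printf("add=%zu  2.84.2=%s  2.84.3=%s\n", adds[i],
               name[decide_2_84_2(&s, adds[i])],
               name[decide_2_84_3(&s, adds[i])]);
    return 0;
}
```

The last row is the case the move addresses: the wrapped sum is smaller than `allocated_len`, so the 2.84.2 ordering reports that the data fits and never reaches the guard.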