Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: glib2.0@packages.debian.org
Control: affects -1 + src:glib2.0
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Fix low-severity CVEs
[ Impact ]
If software parses inadvisably large amounts of attacker-controlled
GVariant text format (≥ 1 GiB), or escapes inadvisably large
attacker-controlled strings for inclusion in URIs (≥ 0.5 GiB), or loads
inadvisably large attacker-controlled GIO file attributes (≥ 1 GiB),
then an attacker could cause denial of service or possibly arbitrary
code execution.
The security team agrees that these are "no-DSA" issues.
[ Tests ]
The test suite still passes. The fixes are not really feasible to
unit-test since they require allocating (at least) hundreds of MiB of
junk.
A GNOME desktop boots successfully in a virtual machine with the
proposed GLib. I'll test on real hardware before uploading.
[ Risks ]
The patches were reviewed by upstream and are narrowly targeted, so I
think this is fine.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
All changes fix potential integer overflows by making sure to do
address calculations in unsigned size_t space, except for one patch that
adds a fuzzing driver for one of the affected areas.
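As an added illustration of the class of fix described above (this is not GLib's code or any of the attached patches; the function names and the percent-encoding rule are assumed for the example): sizing an output buffer for escaping, where each input byte may expand to three ("%XX"). The narrow variant mimics the arithmetic being done in a 32-bit field and silently wraps for inputs of a few GiB, so the buffer allocated would be far too small; the size_t variant does the same computation in unsigned size_t space with an explicit bound check and refuses rather than wrapping. The large length is only computed, never allocated.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative example, not GLib's code. Every input byte may become
 * "%XX" (3 bytes), plus a terminating NUL. */

/* Mimics the computation done in a 32-bit length field: modular
 * arithmetic, so it wraps once 3*len no longer fits in 32 bits. */
uint32_t escaped_size_narrow(size_t len)
{
    uint32_t n = (uint32_t)len;   /* truncating store of the length */
    return n * 3u + 1u;           /* silently wraps for len >= ~1.33 GiB */
}

/* Same computation in size_t space with an overflow check: returns
 * false instead of producing a too-small size. */
bool escaped_size_checked(size_t len, size_t *out)
{
    if (len > (SIZE_MAX - 1) / 3)
        return false;             /* 3*len + 1 would overflow size_t */
    *out = len * 3 + 1;
    return true;
}

/* Percent-encode every byte outside the unreserved set, sizing the
 * buffer with escaped_size_checked(). Returns NULL on overflow or
 * allocation failure; caller frees the result. */
char *percent_encode(const unsigned char *in, size_t len)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t need;
    if (!escaped_size_checked(len, &need))
        return NULL;
    char *out = malloc(need);
    if (!out)
        return NULL;
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        bool unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                          (c >= '0' && c <= '9') || c == '-' || c == '.' ||
                          c == '_' || c == '~';
        if (unreserved) {
            out[o++] = (char)c;
        } else {
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample input: space, slash and a non-ASCII byte. */
    const unsigned char sample[] = "a b/\xff";
    char *enc = percent_encode(sample, sizeof sample - 1);
    printf("%s\n", enc);   /* a%20b%2F%FF */
    free(enc);

    /* A 2 GiB length, computed but never allocated. */
    size_t big = (size_t)2 << 30;
    size_t need;
    printf("narrow: %u\n", escaped_size_narrow(big));
    printf("checked: %s\n",
           escaped_size_checked(big, &need) ? "ok" : "refused");
    return 0;
}
```

On a 64-bit build the checked variant returns the true requirement (3 * 2 GiB + 1 bytes); on a 32-bit build it refuses, which is the safe outcome. The narrow variant returns roughly 2 GiB for the same input, a third of what the encoder would actually write.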
The attached diff is not finalized and will need a `dch -r`.