Bug#1122984: bookworm-pu: package glib2.0/2.74.6-2+deb12u8
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: glib2.0@packages.debian.org
Control: affects -1 + src:glib2.0
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Following #1122373, this addresses a few no-dsa CVEs for glib/bookworm.
[ Impact ]
There's potential for code execution with maliciously crafted data, although
the integer overflows require very large input data to be triggered, making
the exploitation harder.
[ Tests ]
Ran the test suite, autopkgtests for all rdeps (thanks debusine), and manual
tests on a full VM.
[ Risks ]
The patches are small and the code base is similar enough, so the risk
should be low. There are no unit tests though due to the data size
requirements.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* CVE-2025-13601: integer overflow into heap buffer overflow escaping
very large strings in g_escape_uri_string (Closes: #1121488).
* CVE-2025-14087: buffer overwrite when processing large GVariant strings
(Closes: #1122347).
* CVE-2025-14512: integer overflow into buffer overwrite when processing
file attributes in GIO's escape_byte_string (Closes: #1122346).
I have already uploaded the package to oldstable-new.
Cheers,
Emilio