* Gökalp Çelik <[email protected]> [2021-02-10 15:50]:
> I tested with 2.66.4 package from bullseye and package-update-indicator
> came back however those older packages also suffer from a vulnerability
> that later sid packages don't. So it seems that there is a problem with
> package-update-indicator implementation as well.

No, there isn't. This is one of many rather trivial bugs introduced by
the glib maintainers' switch to g_memdup2(). In particular, this crash is
caused by a missing NULL-pointer check and subsequent pointer arithmetic
resulting in an integer overflow. It was introduced in
https://gitlab.gnome.org/GNOME/glib/-/commit/ba8ca443051f93a74c0d03d62e70402036f967a5

Note the missing NULL-pointer check before line 187.

--
Guido Berhoerster

