Package: libglib2.0-0
Version: 2.74.6-2+deb12u4
Severity: important
Tags: bookworm security upstream
X-Debbugs-Cc: t...@security.debian.org, debian-...@lists.debian.org

https://security-tracker.debian.org/tracker/CVE-2024-52533

> gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one
> error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not
> sufficient for a trailing '\0' character.

This was fixed upstream in 2.82.1, so trixie is unaffected.

A mitigation is that the relevant code path is (presumably) only used when a client system is configured to connect via a SOCKS4a proxy, which appears to be sufficiently rare that upstream were not able to test the change against a real proxy server.

Does the security team intend to do a DSA for this, or is this being left until the next 12.x stable update?

I believe Debian 11 is also vulnerable; LTS team cc'd for visibility.

The security-tracker page says:

> check if has impact on embedded copy in src:gobject-introspection

The answer to that is: no, the embedded copy in src:gobject-introspection is only there to satisfy a particularly completionist interpretation of the requirement to include source code, and is not actually compiled or used.

smcv
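As an added illustration of the bug class the CVE text describes (this is not GLib's code and not part of the bug report above): a hypothetical SOCKS4a CONNECT encoder whose message-length constant is sized for the fixed header and both variable fields but forgets the final NUL terminator, beside the corrected constant and the bounds check that prevents the one-byte overrun regardless of which constant is used. The names MAX_FIELD_LEN, MSG_LEN_BUGGY, MSG_LEN_FIXED, socks4a_connect_len, socks4a_encode and worst_case_encodes are assumptions for this example only; they are not GLib identifiers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout constants (not GLib's). A SOCKS4a CONNECT request is:
 * VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID... NUL HOSTNAME... NUL */
#define SOCKS4A_FIXED_HDR 8
#define MAX_FIELD_LEN     255   /* assumed cap on userid and hostname length */

/* Buggy sizing: header + userid + its NUL + hostname, but no room for the
 * hostname's NUL. Writing the terminator overruns the buffer by one byte. */
#define MSG_LEN_BUGGY (SOCKS4A_FIXED_HDR + MAX_FIELD_LEN + 1 + MAX_FIELD_LEN)

/* Corrected sizing: one more byte for the trailing NUL. */
#define MSG_LEN_FIXED (MSG_LEN_BUGGY + 1)

/* Bytes the encoded message needs, counting both NUL terminators.
 * Returns 0 if either field exceeds the assumed cap. */
size_t socks4a_connect_len(const char *userid, const char *hostname)
{
    size_t ulen = strlen(userid), hlen = strlen(hostname);
    if (ulen > MAX_FIELD_LEN || hlen > MAX_FIELD_LEN)
        return 0;
    return SOCKS4A_FIXED_HDR + ulen + 1 + hlen + 1;
}

/* Encode into buf (capacity buflen). Returns bytes written, or 0 if the
 * message does not fit. The explicit size check is what makes an undersized
 * length constant a refused request instead of an out-of-bounds write. */
size_t socks4a_encode(uint8_t *buf, size_t buflen, uint16_t port,
                      const char *userid, const char *hostname)
{
    size_t need = socks4a_connect_len(userid, hostname);
    size_t ulen, hlen, i = 0;

    if (need == 0 || need > buflen)
        return 0;

    buf[i++] = 4;                 /* VN: SOCKS version 4 */
    buf[i++] = 1;                 /* CD: CONNECT */
    buf[i++] = (uint8_t)(port >> 8);
    buf[i++] = (uint8_t)(port & 0xff);
    buf[i++] = 0; buf[i++] = 0; buf[i++] = 0; buf[i++] = 1; /* 0.0.0.x = SOCKS4a */

    ulen = strlen(userid);
    memcpy(buf + i, userid, ulen + 1);   /* includes NUL */
    i += ulen + 1;
    hlen = strlen(hostname);
    memcpy(buf + i, hostname, hlen + 1); /* includes the trailing NUL */
    i += hlen + 1;
    return i;
}

/* Worst case: both fields at the cap. Returns 1 if encoding succeeds within
 * a buffer of the given size, 0 if the size check rejects it. */
int worst_case_encodes(size_t buflen)
{
    char user[MAX_FIELD_LEN + 1], host[MAX_FIELD_LEN + 1];
    uint8_t buf[MSG_LEN_FIXED];   /* real storage is always the corrected size */

    memset(user, 'u', MAX_FIELD_LEN); user[MAX_FIELD_LEN] = '\0';
    memset(host, 'h', MAX_FIELD_LEN); host[MAX_FIELD_LEN] = '\0';
    if (buflen > sizeof buf)
        buflen = sizeof buf;
    return socks4a_encode(buf, buflen, 1080, user, host) != 0;
}

int main(void)
{
    printf("worst case fits MSG_LEN_BUGGY: %d\n", worst_case_encodes(MSG_LEN_BUGGY));
    printf("worst case fits MSG_LEN_FIXED: %d\n", worst_case_encodes(MSG_LEN_FIXED));
    return 0;
}
```

With maximal-length fields the encoder needs 520 bytes; the buggy constant allows 519, so the size check refuses the request where an unchecked memcpy would have written one byte past the buffer. The corrected constant admits exactly the worst case.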