Control: tags -1 confirmed

On 2025-05-09 11:08:26 +0100, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> Tags:
> X-Debbugs-Cc: glib...@packages.debian.org, debian-b...@lists.debian.org
> Control: affects -1 + src:glib2.0
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> [ Reason ]
> CVE-2025-4373 (#1104930).
>
> I also took the opportunity to catch up with the upstream glib-2-84
> branch by adding one unrelated bugfix commit (a 1-line change).
>
> [ Impact ]
> Fixes an out-of-bounds write if an attacker can somehow arrange for GLib
> to be acting on overwhelmingly large strings (half the address space in
> a single GString object, so 2GB for 32-bit processes).
>
> Ensures that localtime_r() is not called without first calling tzset(),
> which has unspecified behaviour.
>
> [ Tests ]
> Not yet tested. I will run autopkgtests and boot a GNOME system with the
> proposed GLib before upload, and inform this bug if further changes are
> needed.

Please feel free to go ahead if your tests were successful and it was ACKed by
d-i.

Cheers
--
Sebastian Ramacher