Your message dated Sat, 27 Sep 2025 10:38:40 +0100
with message-id <[email protected]>
and subject line Re: glib-networking: CVE-2025-60018, CVE-2025-60019
has caused the Debian Bug report #1116430,
regarding glib-networking: CVE-2025-60018
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1116430: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116430
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glib-networking
Version: 2.80.1-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/226
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for glib-networking.

CVE-2025-60018[0]:
| glib-networking's OpenSSL backend fails to properly check the return
| value of a call to BIO_write(), resulting in an out of bounds read.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-60018
    https://www.cve.org/CVERecord?id=CVE-2025-60018
[1] https://gitlab.gnome.org/GNOME/glib-networking/-/issues/226
[2] https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/262
[3] https://gitlab.gnome.org/GNOME/glib-networking/-/commit/4dd540505d40babe488404f3174ec39f49a84485

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
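The CVE text above describes a bug class rather than a specific code path: a caller that ignores the return value of a BIO_write()-style call and assumes every requested byte landed in the buffer, so its later accounting of "bytes available" runs past what was actually stored. The following added example (not glib-networking's code, not OpenSSL; the sink, the writer functions and the 16-byte capacity are constructed stand-ins for illustration) contrasts an unchecked writer with one that loops on the return value and stops on failure, and shows how to spot the drift between claimed and stored length that turns into an out-of-bounds read downstream.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for a BIO_write()-like sink. It follows the same
 * contract shape: returns the number of bytes accepted, which may be fewer
 * than requested, or <= 0 on failure. This is NOT OpenSSL's BIO. */
typedef struct {
    unsigned char buf[16];
    size_t len;       /* bytes actually stored */
    size_t capacity;  /* constructed limit to force short writes */
} sink_t;

static void sink_init(sink_t *s) {
    memset(s, 0, sizeof *s);
    s->capacity = sizeof s->buf;
}

static int sink_write(sink_t *s, const void *data, int n) {
    if (n <= 0) return 0;
    size_t room = s->capacity - s->len;
    if (room == 0) return -1;                              /* error / would-block */
    size_t take = (size_t)n < room ? (size_t)n : room;    /* short write */
    memcpy(s->buf + s->len, data, take);
    s->len += take;
    return (int)take;
}

/* Unchecked pattern: the return value is dropped and the caller reports
 * that all n bytes are now in the sink, regardless of what happened. */
static size_t unchecked_writer(sink_t *s, const unsigned char *data, int n) {
    sink_write(s, data, n);
    return (size_t)n;
}

/* Hardened pattern: loop until everything is written, stop on <= 0, and
 * report only the bytes the sink actually accepted. Returns 0 on success,
 * -1 if the sink failed part-way (with *written set to the true count). */
static int checked_writer(sink_t *s, const unsigned char *data, int n,
                          size_t *written) {
    size_t done = 0;
    while (done < (size_t)n) {
        int r = sink_write(s, data + done, n - (int)done);
        if (r <= 0) { *written = done; return -1; }
        done += (size_t)r;
    }
    *written = done;
    return 0;
}

/* The invariant a reader of the sink relies on: a later read of 'claimed'
 * bytes is only safe if the sink really holds that many. Returns 1 when
 * the claim exceeds storage, i.e. the read would run past valid data. */
static int claim_exceeds_storage(const sink_t *s, size_t claimed) {
    return claimed > s->len;
}

int main(void) {
    const unsigned char msg[32] = {0};   /* constructed 32-byte payload */
    sink_t a, b;
    size_t w = 0;

    sink_init(&a);
    size_t claimed = unchecked_writer(&a, msg, 32);
    printf("unchecked: claimed %zu, stored %zu, unsafe=%d\n",
           claimed, a.len, claim_exceeds_storage(&a, claimed));

    sink_init(&b);
    int rc = checked_writer(&b, msg, 32, &w);
    printf("checked:   rc=%d, written %zu, stored %zu, unsafe=%d\n",
           rc, w, b.len, claim_exceeds_storage(&b, w));
    return 0;
}
```

The sink's 16-byte capacity is arbitrary; what matters is that the checked writer's reported count always matches the sink's real contents, so the read side never has a reason to walk past the end of the buffer. When reviewing code that wraps BIO_write() or any partial-write API, the question to ask is exactly this: where does the number the consumer trusts come from, the request or the return value?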
--- Begin Message ---
On Sat, 27 Sep 2025 at 09:22:02 +0200, Salvatore Bonaccorso wrote:
CVE-2025-60018[0]:
| glib-networking's OpenSSL backend

CVE-2025-60019[0]:
| glib-networking's OpenSSL backend

This is disabled by default upstream and we don't override that in Debian, so I'm fairly sure this doesn't affect us. meson.options.txt says:

# The OpenSSL backend is provided for systems where licensing considerations
# prohibit use of certain dependencies of GnuTLS. General-purpose Linux distros
# should leave it disabled. Please don't second-guess our defaults.

(which I think is an oblique way to say "this is only for distros that
refuse to use GPL-3.0 components").

    smcv

--- End Message ---
