Your message dated Sat, 27 Sep 2025 10:38:40 +0100
with message-id <[email protected]>
and subject line Re: glib-networking: CVE-2025-60018, CVE-2025-60019
has caused the Debian Bug report #1116429,
regarding glib-networking: CVE-2025-60019
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1116429: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116429
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glib-networking
Version: 2.80.1-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/227
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for glib-networking.
CVE-2025-60019[0]:
| glib-networking's OpenSSL backend fails to properly check the return
| value of memory allocation routines. An out of memory condition
| could potentially result in writing to an invalid memory location.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-60019
https://www.cve.org/CVERecord?id=CVE-2025-60019
[1] https://gitlab.gnome.org/GNOME/glib-networking/-/issues/227
[2] https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/263
[3] https://gitlab.gnome.org/GNOME/glib-networking/-/commit/70df675dd4f5e4a593b2f95406c1aac031aa8bc7
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
On Sat, 27 Sep 2025 at 09:22:02 +0200, Salvatore Bonaccorso wrote:
> CVE-2025-60018[0]:
> | glib-networking's OpenSSL backend
> CVE-2025-60019[0]:
> | glib-networking's OpenSSL backend
This is disabled by default upstream and we don't override that in
Debian, so I'm fairly sure this doesn't affect us. meson.options.txt says:
# The OpenSSL backend is provided for systems where licensing considerations
# prohibit use of certain dependencies of GnuTLS. General-purpose Linux distros
# should leave it disabled. Please don't second-guess our defaults.
(which I think is an oblique way to say "this is only for distros that
refuse to use GPL-3.0 components").
smcv
--- End Message ---
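The reply's argument is that the affected code is simply not built on Debian. The script below is an added example (not part of the bug report, of glib-networking, or of Debian's tooling) that lets an administrator confirm that on a given system by listing which glib-networking TLS backend modules are installed. It assumes the backends ship as the GIO modules libgiognutls.so and libgioopenssl.so and looks in the usual GIO module directories plus GIO_EXTRA_MODULES.

```shell
#!/bin/sh
# Added example; not from the bug report or from glib-networking/Debian tooling.
# Reports which glib-networking TLS backend modules are installed and whether
# the OpenSSL backend (the one the CVEs concern) is among them.
# Assumption: the backends are the GIO modules libgiognutls.so and
# libgioopenssl.so (the module names upstream's tls/*/meson.build produce).

# Print the backend names (gnutls, openssl) found in the given module directories.
tls_backends_in() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        [ -e "$dir/libgiognutls.so" ] && echo gnutls
        [ -e "$dir/libgioopenssl.so" ] && echo openssl
    done
    return 0
}

# Exit 0 if the OpenSSL backend module is present in any given directory, else 1.
has_openssl_backend() {
    tls_backends_in "$@" | grep -qx openssl
}

# Candidate module directories: Debian's multiarch path, the generic paths,
# and anything listed in GIO_EXTRA_MODULES (colon-separated).
gio_module_dirs() {
    printf '%s\n' /usr/lib/*/gio/modules /usr/lib/gio/modules /usr/local/lib/gio/modules
    [ -n "${GIO_EXTRA_MODULES:-}" ] && printf '%s\n' "$GIO_EXTRA_MODULES" | tr ':' '\n'
    return 0
}

# Human-readable summary; exit status 0 when the OpenSSL backend is installed.
report() {
    dirs=$(gio_module_dirs)
    # Word splitting on $dirs is intended (one directory per line, no spaces).
    found=$(tls_backends_in $dirs | sort -u | tr '\n' ' ')
    echo "glib-networking TLS backends found: ${found:-none}"
    if has_openssl_backend $dirs; then
        echo "OpenSSL backend present: CVE-2025-60018/CVE-2025-60019 may apply here"
        return 0
    fi
    echo "OpenSSL backend absent: the affected code is not installed on this system"
    return 1
}

# Run the check only when invoked as: sh check-tls-backend.sh --check
if [ "${1:-}" = "--check" ]; then
    report
fi
```

On a stock Debian system the expected result is "gnutls" only; the OpenSSL line appearing means the package was rebuilt with the option the reply mentions, and the fix then matters.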