Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

I'd like pre-approval to upload glib2.0/2.66.8-1 to unstable.

[ Reason ]

* Sync up with upstream 2.66.8 release, 95% of which we already apply via
  debian/patches
* Add an error-handling patch from upstream that they recommended I consider
  including when backporting recent security fixes to buster
* Add missing CVE ID references to changelog

[ Impact ]

Using 2.66.8 will make it more obvious that we have the CVE-2021-28153 fix.

The error handling patch (gio/glocalfileoutputstream.c in the diff) is not
critical, but it fixes an oversight in the CVE-2021-28153 fix. If we don't
have it, GLib will attempt to close(-1) under some circumstances, which is
harmless but gets flagged as an error by static analysis (e.g. Coverity) and
debug instrumentation, obscuring more important issues. Upstream recommended
that I include this in backports to buster, which I probably will unless the
security team or SRMs ask me not to.

[ Tests ]

GLib has a large test suite which we run at build time and in autopkgtests.
I run autopkgtests on amd64 and i386 qemu VMs before each upload.

I haven't done any manual testing on this just yet, but I'll use it on my
GNOME systems for a while before uploading.

[ Risks ]

It's an important key package and used in all our desktops, but the changes
are targeted and obvious.

[ Checklist ]

  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing
      (as with the recent mutter and gnome-shell unblocks, to minimize noise
      this is a diff between patched trees, excluding the patches themselves)

[ Other info ]

This is likely to be the last upstream release from the 2.66.x branch,
so any subsequent fixes (security or otherwise) will be back to using
the patch series.

unblock glib2.0/2.66.8-1