Your message dated Sat, 10 Jan 2026 11:59:45 +0000
with message-id <[email protected]>
and subject line Released with 12.13
has caused the Debian Bug report #1122984,
regarding bookworm-pu: package glib2.0/2.74.6-2+deb12u8
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1122984: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122984
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:glib2.0
User: [email protected]
Usertags: pu
[ Reason ]
Following #1122373, this addresses a few no-dsa CVEs for glib/bookworm.
[ Impact ]
There's potential for code execution with maliciously crafted data, although
the integer overflows require very large input data to be triggered, making
the exploitation harder.
[ Tests ]
Ran the test suite, autopkgtests for all rdeps (thanks debusine), and manual
tests on a full VM.
[ Risks ]
The patches are small and the code base is similar enough, so the risk
should be low. There are no unit tests though due to the data size
requirements.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* CVE-2025-13601: integer overflow into heap buffer overflow escaping
very large strings in g_escape_uri_string (Closes: #1121488).
* CVE-2025-14087: buffer overwrite when processing large GVariant strings
(Closes: #1122347).
* CVE-2025-14512: integer overflow into buffer overwrite when processing
file attributes in GIO's escape_byte_string (Closes: #1122346).
I have already uploaded the package to oldstable-new.
Cheers,
Emilio
--- End Message ---
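The three entries describe one bug class: the size computed for an escaped or expanded copy of the input wraps when the input is very large, the buffer allocated from that size is too small, and the copy loop then overruns the heap. The toy below is added here to show the pattern; it is not glib's code and does not reproduce g_escape_uri_string, escape_byte_string or the GVariant parser. It is a %XX URI escaper with a 32-bit length computation that wraps, beside a size_t version using checked arithmetic that refuses inputs whose size would overflow. The function names, the unreserved character set and the sample input are the example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative %XX escaper, NOT glib's g_escape_uri_string: every byte
 * outside a small unreserved set expands from 1 byte to 3. */
static bool needs_escape(unsigned char c)
{
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
        (c >= '0' && c <= '9'))
        return false;
    return c != '-' && c != '_' && c != '.' && c != '~';
}

/* Bug pattern: output size accumulated in 32-bit arithmetic. Once
 * n_escaped * 3 passes 2^32 the result wraps, malloc() receives a small
 * size, and a copy loop driven by the real input length writes past the
 * end of the heap block. Counts are passed in directly so the wrap can
 * be shown without building a multi-gigabyte input. */
uint32_t escaped_length_unchecked32(uint32_t n_plain, uint32_t n_escaped)
{
    return n_plain + n_escaped * 3u + 1u;   /* wraps modulo 2^32 */
}

/* Hardened size computation: size_t with overflow-checked arithmetic.
 * Returns 0 (never a valid size, because of the NUL terminator) if any
 * step would overflow, so the caller can refuse the input instead of
 * allocating a buffer that is too small. Needs GCC or Clang builtins. */
size_t escaped_length_checked(size_t n_plain, size_t n_escaped)
{
    size_t esc_bytes, total;
    if (__builtin_mul_overflow(n_escaped, (size_t)3, &esc_bytes)) return 0;
    if (__builtin_add_overflow(n_plain, esc_bytes, &total)) return 0;
    if (__builtin_add_overflow(total, (size_t)1, &total)) return 0;
    return total;
}

/* Full escaper built on the checked size. Returns NULL on overflow or
 * allocation failure; the caller frees the result. */
char *escape_uri_checked(const char *s, size_t len)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n_plain = 0, n_escaped = 0, total, j = 0;
    char *out;

    for (size_t i = 0; i < len; i++) {
        if (needs_escape((unsigned char)s[i])) n_escaped++;
        else n_plain++;
    }
    total = escaped_length_checked(n_plain, n_escaped);
    if (total == 0) return NULL;            /* too large to escape safely */

    out = malloc(total);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (needs_escape(c)) {
            out[j++] = '%';
            out[j++] = hex[c >> 4];
            out[j++] = hex[c & 0x0F];
        } else {
            out[j++] = (char)c;
        }
    }
    out[j] = '\0';                          /* j == total - 1 by construction */
    return out;
}

int main(void)
{
    /* Constructed sample input. */
    char *e = escape_uri_checked("a b/c", 5);
    printf("%s\n", e ? e : "(overflow)");
    free(e);

    /* 0x60000000 escapable bytes: the 32-bit size wraps to 0x20000001,
     * the size_t size does not. */
    printf("unchecked: 0x%08x  checked: 0x%zx\n",
           (unsigned)escaped_length_unchecked32(0, 0x60000000u),
           escaped_length_checked(0, 0x60000000u));
    /* A size that overflows even size_t is refused (0 returned). */
    printf("checked(SIZE_MAX/2 escaped) = %zu\n",
           escaped_length_checked(0, SIZE_MAX / 2));
    return 0;
}
```

The wrap is demonstrated on counts rather than on a real buffer for the same reason the request gives for shipping no unit test: triggering it with actual data needs gigabytes of input. The checked version is the shape of fix to look for when reviewing the debdiff: size arithmetic in size_t, each step overflow-checked, and a refusal path before any allocation.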
--- Begin Message ---
Package: release.debian.org
Version: 12.13

This update has been released as part of Debian 12.13.
--- End Message ---