-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 18 Aug 2025 09:27:51 +0100
Source: glib2.0
Architecture: source
Version: 2.74.6-2+deb12u7
Distribution: bookworm
Urgency: medium
Maintainer: Debian GNOME Maintainers
Changed-By: Simon McVittie
Closes: 1065022 1104930 1110640 1110696
Changes:
 glib2.0 (2.74.6-2+deb12u7) bookworm; urgency=medium
 .
   * d/p/gstring-carefully-handle-gssize-parameters.patch,
     d/p/gstring-Make-len_unsigned-unsigned.patch:
     Add patches from upstream to fix a buffer underflow in GString.
     This could cause a memory overwrite if a program handles extremely
     large text strings of an attacker-controlled length. The required
     string length would be close to 2 GiB on 32-bit and the bug is not
     believed to be practically feasible to exploit on 64-bit.
     (CVE-2025-4373) (Closes: #1104930)
   * d/p/glib-gfileutils.c-use-64-bits-for-value-in-get_tmp_file.patch,
     d/p/gfileutils-fix-computation-of-temporary-file-name.patch:
     Add patches from upstream to fix a buffer underflow in get_tmp_file().
     This is used in g_mkstemp(), g_mkdtemp() and similar functions, and
     could cause a crash or possibly arbitrary file overwrites (believed
     to be unlikely to be exploitable in practice) if a long-running
     program creates more than 2 billion temporary files.
     (CVE-2025-7039) (Closes: #1110640)
   * d/libglib2.0-0.postrm.in: Rewrite postrm for safer upgrade behaviour,
     based on the version in unstable and proposed for inclusion in trixie:
     - Only remove giomodule.cache during purge, not during remove.
       This matches the behaviour of gschemas.compiled and avoids a window
       between old-postrm and new-postinst during which giomodule.cache is
       missing, breaking applications that need GIO modules.
     - Don't remove gschemas.compiled or giomodule.cache during purge if
       there is evidence that they might still be needed
       (Closes: #1065022, #1110696):
       + don't remove them if ${libdir}/glib-2.0 still exists, for example
         provided by libglib2.0-0t64 after upgrading to trixie;
       + don't remove gschemas.compiled if at least one GSettings schema
         still exists;
       + don't remove giomodule.cache if at least one GIO module still
         exists
     - Refactoring to support the above
   * d/tests/1065022-futureproofing: Add a test for #1065022, modified
     from the version in unstable and proposed for inclusion in trixie
Checksums-Sha1:
 7e87a5355160d75d5b083ea0ed835c044e40f420 3791 glib2.0_2.74.6-2+deb12u7.dsc
 5d316c12b5871be5a1c3ef9e253db2b3720d847b 146116 glib2.0_2.74.6-2+deb12u7.debian.tar.xz
 ee8543bacb02e54476e93938cbb648240eb17231 7617 glib2.0_2.74.6-2+deb12u7_source.buildinfo
Checksums-Sha256:
 066362edce4b07892c9be16a45c4c622e40d6db150c184d18f11a952db5bac88 3791 glib2.0_2.74.6-2+deb12u7.dsc
 60c9115898dab3f6553ccc5f928a689117486b2b62639e09c8dc52b9d0fd6396 146116 glib2.0_2.74.6-2+deb12u7.debian.tar.xz
 279a62c30dc5b75e609e6d55ac18af99a7e7b9ec8d8722cca872cb00e3954dcb 7617 glib2.0_2.74.6-2+deb12u7_source.buildinfo
Files:
 1968c94b6473602ab7708d1e4fd98c9b 3791 libs optional glib2.0_2.74.6-2+deb12u7.dsc
 a8c585d345c0713a083541d186586b7d 146116 libs optional glib2.0_2.74.6-2+deb12u7.debian.tar.xz
 d55f9fb481ac7bdb7c0741ffc8f551f9 7617 libs optional glib2.0_2.74.6-2+deb12u7_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
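As an added illustration, not glib's source or the patches listed in the changelog above, a constructed model of the get_tmp_file() defect that entry describes: the template's six characters are assumed to be derived from a counter-based value by repeated modulo over a fixed alphabet, so once an `int` counter wraps negative the signed remainder becomes a negative array index; the unsigned 64-bit variant beside it is the shape of the upstream "use 64 bits for value" fix. Function names and the alphabet are assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (assumption, not glib's actual source): a counter-
 * derived value is mapped onto the six "XXXXXX" characters of a temporary
 * file template by repeated modulo over this alphabet. */
static const char letters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define NLETTERS ((long)(sizeof letters - 1))

/* Flawed variant: signed arithmetic. Once the value is negative, the C
 * remainder is negative too, giving a negative index into letters[], i.e.
 * a read before the start of the array. Returns the lowest index that
 * would have been used (negative means the read would have underflowed).
 * Out-of-range indices are replaced by '?' so nothing is actually read. */
long fill_signed(char out[7], long value)
{
  long v = value, min_index = 0;
  for (int i = 0; i < 6; i++) {
    long idx = v % NLETTERS;
    if (idx < min_index) min_index = idx;
    out[i] = (idx >= 0) ? letters[idx] : '?';
    v /= NLETTERS;
  }
  out[6] = '\0';
  return min_index;
}

/* Fixed variant: unsigned 64-bit arithmetic, so every index is in
 * [0, NLETTERS) regardless of how far the counter has advanced. */
void fill_unsigned(char out[7], uint64_t value)
{
  uint64_t v = value;
  for (int i = 0; i < 6; i++) {
    out[i] = letters[v % (uint64_t)NLETTERS];
    v /= (uint64_t)NLETTERS;
  }
  out[6] = '\0';
}

/* A static `int` counter incremented more than INT_MAX times (the
 * "2 billion temporary files" of the changelog) has wrapped negative;
 * INT_MIN stands in for that state. Returns the lowest index produced. */
long index_after_counter_wrap(void)
{
  char name[7];
  return fill_signed(name, (long)INT_MIN);
}
```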