Format: 1.8
Date: Mon, 18 Aug 2025 09:27:51 +0100
Source: glib2.0
Binary: libglib2.0-data libglib2.0-doc
Architecture: all
Version: 2.74.6-2+deb12u7
Distribution: bookworm
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03)
Changed-By: Simon McVittie
Description:
 libglib2.0-data - Common files for GLib library
 libglib2.0-doc - Documentation files for the GLib library
Closes: 1065022 1104930 1110640 1110696
Changes:
 glib2.0 (2.74.6-2+deb12u7) bookworm; urgency=medium
 .
   * d/p/gstring-carefully-handle-gssize-parameters.patch,
     d/p/gstring-Make-len_unsigned-unsigned.patch:
     Add patches from upstream to fix a buffer underflow in GString.
     This could cause a memory overwrite if a program handles extremely
     large text strings of an attacker-controlled length.
     The required string length would be close to 2 GiB on 32-bit and the
     bug is not believed to be practically feasible to exploit on 64-bit.
     (CVE-2025-4373) (Closes: #1104930)
   * d/p/glib-gfileutils.c-use-64-bits-for-value-in-get_tmp_file.patch,
     d/p/gfileutils-fix-computation-of-temporary-file-name.patch:
     Add patches from upstream to fix a buffer underflow in get_tmp_file().
     This is used in g_mkstemp(), g_mkdtemp() and similar functions,
     and could cause a crash or possibly arbitrary file overwrites
     (believed to be unlikely to be exploitable in practice) if a
     long-running program creates more than 2 billion temporary files.
     (CVE-2025-7039) (Closes: #1110640)
   * d/libglib2.0-0.postrm.in:
     Rewrite postrm for safer upgrade behaviour, based on the version
     in unstable and proposed for inclusion in trixie:
     - Only remove giomodule.cache during purge, not during remove.
       This matches the behaviour of gschemas.compiled and avoids a window
       between old-postrm and new-postinst during which giomodule.cache
       is missing, breaking applications that need GIO modules.
     - Don't remove gschemas.compiled or giomodule.cache during purge
       if there is evidence that they might still be needed
       (Closes: #1065022, #1110696):
       + don't remove them if ${libdir}/glib-2.0 still exists, for example
         provided by libglib2.0-0t64 after upgrading to trixie;
       + don't remove gschemas.compiled if at least one GSettings schema
         still exists;
       + don't remove giomodule.cache if at least one GIO module still exists
     - Refactoring to support the above
   * d/tests/1065022-futureproofing:
     Add a test for #1065022, modified from the version in unstable and
     proposed for inclusion in trixie