|    linux.debian.bugs.dist    |    Ohh some weird Debian bug report thing    |    28,835 messages    |
|    Message 27,897 of 28,835    |
|    Andreas Henriksson to All    |
|    Bug#1128228: bookworm-pu: package glib2.    |
|    16 Feb 26 17:40:01    |
      XPost: linux.debian.devel.release       
From: andreas@fatal.se
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: glib2.0@packages.debian.org
Control: affects -1 + src:glib2.0
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
A number of security issues have been identified in glib (src:glib2.0).
As part of the Debian LTS efforts, I've taken responsibility to address
these in bullseye (LTS) and while doing so I've offered the Debian Gnome
Team to also handle these issues in stable (trixie) and old-stable
(bookworm), which was on their todo list.
While discussing this with the Debian Gnome Team they also asked to address
#1119919, which is a timezone parsing issue, for which I thus also included
the patch.

[ Impact ]
This update mainly addresses security issues that are on the Debian LTS
Security Team radar. It includes an additional fix for a timezone
parsing issue, as requested by the Debian Gnome Team.

[ Tests ]
The shipped tests in the package pass, including the newly added
tests in CVE-2026-1489-4.patch and CVE-2026-0988.patch.

[ Risks ]
All changes have already been shipped in unstable/testing without issues.
The fixes have been cherry-picked from upstream.
The risk of regressions in this update should be low.
[ Checklist ]
 [x] *all* changes are documented in the d/changelog
 [x] I reviewed all changes and I approve them
 [x] attach debdiff against the package in (old)stable
 [x] the issue is verified as fixed in unstable

[ Changes ]
- #1119919 : timezone parsing fix
- #1125752 : CVE-2026-0988
- #1126551 : CVE-2026-1484
- #1126550 : CVE-2026-1485
- #1126549 : CVE-2026-1489

See also debian/changelog and security-tracker.debian.org

[ Other info ]
I have also filed a similar issue for SPU (trixie) with the same
patches.

Regards,
Andreas Henriksson

diff -Nru glib2.0-2.74.6/debian/changelog glib2.0-2.74.6/debian/changelog       --- glib2.0-2.74.6/debian/changelog 2025-12-15 15:29:38.000000000 +0100       +++ glib2.0-2.74.6/debian/changelog 2026-02-13 12:35:33.000000000 +0100       @@ -1,3 +1,19 @@       +glib2.0 (2.74.6-2+deb12u9) bookworm; urgency=medium       +       + * Non-maintainer upload by the LTS Security Team.       + * Add patch to fix timezone handling with Debian & Ubuntu's symlinks       + (Closes: #1119919) (LP: #2130378)       + * CVE-2026-0988: Missing input validation in g_buffered_input_stream_peek       + (Closes: #1125752)       + * CVE-2026-1484: Integer overflow in base64 encoding can cause memory       corruption.       + (Closes: #1126551)       + * CVE-2026-1485: Buffer underflow vulnerability in content type parsing       + caused by (signed) integer wrap for large inputs. (Closes: #1126550)       + * CVE-2026-1489: Integer overflow in unicode conversion       + can lead to memory corruption. (Closes: #1126549)       +       + -- Andreas Henriksson
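Review bot: the debian/changelog hunk as shown here is not applicable as-is, because the fragment "corruption." after the "+ * CVE-2026-1484: Integer overflow in base64 encoding can cause memory" line carries no "+" prefix; the "@@ -1,3 +1,19 @@" header (3 context lines, 16 added lines) only adds up if that fragment is the wrapped tail of the preceding "+" line, which suggests the mail client re-wrapped the inline debdiff. Attaching the debdiff as a file rather than pasting it inline would avoid that, and would also let reviewers see the rest of the diff, since this message ends at the "+ -- Andreas Henriksson" changelog trailer and the cherry-picked patches named in [ Tests ] (CVE-2026-1489-4.patch, CVE-2026-0988.patch) are not visible from it.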
(c) 1994, bbs@darkrealms.ca