-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 27 Mar 2021 11:34:13 +0000
Source: glib2.0
Architecture: source
Version: 2.58.3-2+deb10u3
Distribution: buster
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 982778 982779 984969
Changes:
 glib2.0 (2.58.3-2+deb10u3) buster; urgency=medium
 .
   * d/patches: Resolve integer overflows, including CVE-2021-27219.
     These backported patches resolve an integer overflow that is known to
     be attacker-triggerable for denial of service in polkit (policykit-1),
     as well as replacing other simple uses of g_memdup() with g_memdup2().
     Overflows in most of these places would not be attacker-triggerable,
     but replacing them is simpler than assessing whether they are
     attacker-triggerable. The more complicated changes from 2.66.7 have
     not been backported, to avoid regressions in Debian 10; overflows in
     those locations are not believed to be attacker-triggerable.
     (Closes: #982778)
   * d/patches: Fix integer overflow CVE-2021-27218. This is not known to
     be exploitable in any particular program, but might be.
     (Closes: #982779)
   * d/patches: Fix a symlink attack affecting file-roller, CVE-2021-28153
     (Closes: #984969)
Checksums-Sha1:
 6834be0c8c46f125dca5305a9ad1f868de03d907 3444 glib2.0_2.58.3-2+deb10u3.dsc
 9a5a3c86c56f7089e544e750c2b11eefb4ef0adc 107124 glib2.0_2.58.3-2+deb10u3.debian.tar.xz
 f28083b320e792a51255c20afffb81966923b559 8494 glib2.0_2.58.3-2+deb10u3_source.buildinfo
Checksums-Sha256:
 1e016740f39e61ef728f4e2536dc3e3645d37c6dc8369816f8507792563643d8 3444 glib2.0_2.58.3-2+deb10u3.dsc
 2749397b93fca317a7f47489390393dedda6ef3c9359488bbd475a698529cf7a 107124 glib2.0_2.58.3-2+deb10u3.debian.tar.xz
 792d8cd96c1878701389fd2466e03946e27ff5621d9c80a342d02928c35da55a 8494 glib2.0_2.58.3-2+deb10u3_source.buildinfo
Files:
 9650df0bb7ab1351af27a82442afc0f2 3444 libs optional glib2.0_2.58.3-2+deb10u3.dsc
 8e295aa26e1c992594b92e900f97fb80 107124 libs optional glib2.0_2.58.3-2+deb10u3.debian.tar.xz
 e0595397f5412cd6d9f0086a84054826 8494 libs optional glib2.0_2.58.3-2+deb10u3_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----