Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-changes@lists.debian.org>
Subject: Accepted glib2.0 2.66.8-1+deb11u1 (source) into oldstable-proposed-updates
Date: Sun, 12 Nov 2023 15:02:27 +0000
Signed by: Simon McVittie <smcv@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 30 Sep 2023 14:25:23 +0100
Source: glib2.0
Architecture: source
Version: 2.66.8-1+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 1028475
Changes:
 glib2.0 (2.66.8-1+deb11u1) bullseye; urgency=medium
 .
   * d/patches: Update to upstream commit 2.66.8-1-g284b7eb7f
     - Update Croatian translation
   * d/patches: Backport GVariant denial-of-service fixes from 2.74.x
     (Closes: #1028475)
     - d/p/gvariant-parser-Reject-deeply-nested-typedecls-in-text-fo.patch:
       Reject excessively nested type declarations to prevent a possible
       denial-of-service if applications parse an untrusted GVariant in
       its text form (glib#2782, oss-fuzz#49462)
     - d/p/gvariant-parser-Speed-up-maybe_wrapper-by-an-order-of-mag.patch:
       Speed up processing of deeply nested "maybe" types when parsing a
       GVariant in text form (glib#2782, oss-fuzz#20177, oss-fuzz#49462)
     - d/p/gvariant-core-Consolidate-construction-of-GVariantSeriali.patch,
       d/p/gvariant-serialiser-Factor-out-functions-for-dealing-with.patch,
       d/p/gvariant-Zero-initialise-various-GVariantSerialised-objec.patch,
       d/p/gvariant-Don-t-allow-child-elements-to-overlap-with-each-.patch,
       d/p/gvariant-serialiser-Factor-out-code-to-get-bounds-of-a-tu.patch,
       d/p/gvariant-serialiser-Rework-child-size-calculation.patch,
       d/p/gvariant-Don-t-allow-child-elements-of-a-tuple-to-overlap.patch,
       d/p/gvariant-Track-checked-and-ordered-offsets-independently.patch,
       d/p/tests-Add-another-test-for-overlapping-offsets-in-GVarian.patch,
       d/p/tests-Disable-some-random-instance-tests-of-GVariants.patch,
       d/p/gvariant-Clarify-the-docs-for-g_variant_get_normal_form.patch,
       d/p/gvariant-Port-g_variant_deep_copy-to-count-its-iterations.patch,
       d/p/gvariant-Add-internal-g_variant_maybe_get_child_value.patch,
       d/p/gvariant-Cut-allocs-of-default-values-for-children-of-non.patch,
       d/p/gvariant-Fix-a-leak-of-a-GVariantTypeInfo-on-an-error-han.patch,
       d/p/gvariant-serialiser-Check-offset-table-entry-size-is-mini.patch,
       d/p/gvariant-Fix-g_variant_byteswap-returning-non-normal-data.patch,
       d/p/gvariant-Allow-g_variant_byteswap-to-operate-on-tree-form.patch:
       Fix handling of GVariant normal forms, to avoid non-linear processing
       time, which can be a denial of service if parsing an untrusted
       GVariant in its binary form
       (glib#2121, glib#2540, glib#2794, glib#2797;
       CVE-2023-32665, CVE-2023-32611, CVE-2023-29499)
     - d/p/gvariant-serialiser-Convert-endianness-of-offsets.patch:
       Fix a regression causing a crash on big-endian architectures after
       the above fixes (glib#2839)
     - d/p/gvariant-Check-offset-table-doesn-t-fall-outside-variant-.patch:
       Fix a buffer overflow after the above fixes
       (glib#2840, CVE-2023-32643, oss-fuzz#54302)
     - d/p/gvariant-Propagate-trust-when-getting-a-child-of-a-serial.patch:
       Fix a non-linear processing time (denial of service) for GVariant in
       its binary form after the above fixes
       (glib#2841, CVE-2023-32636, oss-fuzz#54314)
     - d/p/gvariant-Factor-out-some-common-calls-to-g_variant_get_ty.patch,
       d/p/gvariant-Optimise-g_variant_print-for-nested-maybes.patch,
       d/p/gvariant-Remove-redundant-g_variant_serialised_n_children.patch,
       d/p/gvariant-Remove-some-unnecessary-type-assertions-on-a-hot.patch:
       Fix slow parsing of GVariant in its text form
       (glib#2862, oss-fuzz#54577)
   * Backport additional GVariant fixes from 2.74.x.
     This results in glib/gvariant* having the same code in Debian 11 and 12
     (when comments and inclusion of a private header for the internal
     backport of g_memdup2() are disregarded), which seems less likely to
     create regressions than backporting only the security fixes.
     - d/p/gvariant-Clarify-operator-precedence.patch:
       Reassure static analyzers that the precedence is as we intend it to be.
       Originally in 2.67.2.
     - d/p/Explain-magic-literals-in-G_VARIANT_-_INIT.patch:
       Add comments explaining some "magic numbers" in initializers.
       Originally in 2.67.2.
     - d/p/Fix-non-initialized-variable-in-glib-gvariant-parser.c.patch:
       Make sure an "out" parameter always gets initialized.
       Originally in 2.71.3.
     - d/p/gvariant-serialiser-Prevent-unbounded-recursion-in-is_nor.patch:
       Prevent unbounded recursion when validating variants (glib#2572).
       Originally in 2.71.1, and possibly a denial-of-service fix.
     - d/p/gvariant-Fix-memory-leak-on-a-TYPE_CHECK-failure.patch:
       Avoid a memory leak after a programming error. Originally in 2.71.0.
     - d/p/gvariant-Fix-pointers-being-dereferenced-despite-NULL-che.patch:
       Make it more obvious that NULL dereferences are avoided.
       Originally in 2.71.0.
     - d/p/Do-not-use-ensure_valid_-call-in-g_return_-macro.patch:
       Ensure function calls with side-effects always happen, even if
       checks are disabled (not relevant in Debian, we enable checks).
       Originally in 2.71.3.
     - d/p/gvariant-Factor-out-type-check.patch:
       Help static analyzers to understand a code path. Originally in 2.73.0.
     - d/p/gvariant-Zero-initialise-GVariantBuilder-children-under-s.patch:
       Avoid a static analyzer false-positive. Originally in 2.73.1.
   * d/p/Exclude-g_variant_maybe_get_child_value-from-API-document.patch:
     Add patch to fix a failing documentation check which caused FTBFS, by
     excluding an internal function from API documentation processing.
     No functional change, only comments are affected.
Checksums-Sha1:
 da9a73f985ab5d77eb50beefe5842d36815d6587 3426 glib2.0_2.66.8-1+deb11u1.dsc
 db48359114bf812f4a7ec7e8fe4b24e3515b1f2d 170400 glib2.0_2.66.8-1+deb11u1.debian.tar.xz
 f83658a8547f542db9a49ce577747df28988b9b9 8420 glib2.0_2.66.8-1+deb11u1_source.buildinfo
Checksums-Sha256:
 b678c1ca95ef44c920f9bd99ad20a4ce7591c1f3435ed34c44b28690b8531c99 3426 glib2.0_2.66.8-1+deb11u1.dsc
 fc6f47587a21f470d89ee0348dbcfcfeddffb479c5c609ca06d43116623d878b 170400 glib2.0_2.66.8-1+deb11u1.debian.tar.xz
 20563804a10a7ffc2873fbba68c363a02140f92a688da634000553dbc0b7f653 8420 glib2.0_2.66.8-1+deb11u1_source.buildinfo
Files:
 aab1c75f0239cad83620f3a5d4f90b83 3426 libs optional glib2.0_2.66.8-1+deb11u1.dsc
 af6eccc23d618efc7b46183f9cdc0333 170400 libs optional glib2.0_2.66.8-1+deb11u1.debian.tar.xz
 abbd68d55d986d627f7eeb0e1fce7fce 8420 libs optional glib2.0_2.66.8-1+deb11u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAmU5LUcACgkQ4FrhR4+B
TE9WcA/+MtlgHgEufY7bROezjxc1ubWKuGkkSdjr1chfMt/1J4lBhJR14ydkHeFF
WR6XggOlyw9mfej4z9QRwjWFXnAqQeGQliUyMmez3/hIffvBvc8/msZLovkJHZSb
mDLXIbqxkk7tWpViAc73YOYqNS8cpPsUjzv68XrF0J7Qf7eLVQvnNpDBjh9WUcQn
ImJQ+rhzl0fqQBlPRFdtYh5g1lQDE4ZNlKuZnfhvqYDPar04WUQwRXaFWn2lI5JW
MgDHoLhWHbk+OUZS7Tutk8IJdteZKhPL1BV+UU3EamNCw6Bfcp4thmWXd/SuDic8
ozVyAL1NCwPW6Ts9wrWzIrHkf5ZxVZF+Uf8nt1OWHGglkXDVsrJXWjdimPVNGwzU
C2mk8zYyfilfqpj0utrO/oNs6RJePphI0i2S7w8WYVFPJnXB0mEQW1OI1bZeDrXR
41UZ06cNgOWYDVnY4Y/7Sgs5TA/ZXD0pXYL5qSszAy42fwTPdcpfGfUiWAp5e7Hy
z6hvgzm3Fd8hVrJAUNJlvuSHNUDqm4+sYegXc4wqrJrh3dMuQWpGC8en/fDrks2D
hjGfqBh0R/Xrh11wz9ecjrPT3mKKLB9wYQNBMJt+EbE6hZ9+eZy1skO3nU/m+jFm
xQ1mdErsBQZ1Uyq8FJBbAdxJmPgdmtCGJCh4a5oggPRyeevQn+0=
=FkIH
-----END PGP SIGNATURE-----
News for package glib2.0
