Univention Bugzilla – Bug 57300
glib2.0: Multiple issues (5.0)
Last modified: 2024-05-22 13:00:17 CEST
New Debian glib2.0 2.58.3-2+deb10u6 fixes:
This update addresses the following issue:

2.58.3-2+deb10u6 (Fri, 10 May 2024 15:33:34 +0100)
* d/patches: Backport GDBus fixes from 2.80.1, 2.80.2
  - If local users send signals on the D-Bus system bus that spoof a
    trusted sender, do not deliver them to signal subscriptions for the
    trusted sender's well-known bus name (CVE-2024-34397)
  - Fix a use-after-free when subscribing to signals with an arg0
    match rule, originally from 2.79.0 and necessary to make the test
    for CVE-2024-34397 pass reliably
  - Add a local backport of g_set_str(), required by the above
  - Relax name owner checks to avoid a regression in ibus
    (avoids: #1070730, etc.)
* d/p/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch:
  Add patch from upstream fixing a memory leak that can occur in
  rare situations with the above changes (avoids: #1070851)
--- mirror/ftp/pool/main/g/glib2.0/glib2.0_2.58.3-2+deb10u5.dsc +++ apt/ucs_5.0-0-errata5.0-7/source/glib2.0_2.58.3-2+deb10u6.dsc @@ -1,3 +1,19 @@ +2.58.3-2+deb10u6 [Fri, 10 May 2024 15:33:34 +0100] Simon McVittie <smcv@debian.org>: + + * d/patches: Backport GDBus fixes from 2.80.1, 2.80.2 + - If local users send signals on the D-Bus system bus that spoof a + trusted sender, do not deliver them to signal subscriptions for the + trusted sender's well-known bus name (CVE-2024-34397) + - Fix a use-after-free when subscribing to signals with an arg0 + match rule, originally from 2.79.0 and necessary to make the test + for CVE-2024-34397 pass reliably + - Add a local backport of g_set_str(), required by the above + - Relax name owner checks to avoid a regression in ibus + (avoids: #1070730, etc.) + * d/p/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch: + Add patch from upstream fixing a memory leak that can occur in + rare situations with the above changes (avoids: #1070851) + 2.58.3-2+deb10u5 [Mon, 25 Sep 2023 11:21:56 -0300] Santiago Ruano Rincón <santiago@freexian.com>: * Non-maintainer upload by the LTS Team <http://piuparts.knut.univention.de/5.0-7/#1014418110984797941>
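Review bot: the "Relax name owner checks to avoid a regression in ibus" item in the new 2.58.3-2+deb10u6 entry does not say which checks are relaxed or under what condition, although it ships in the same backport as the CVE-2024-34397 spoofed-sender fix. Suggest adding one line that states the scope of the relaxation, so a reader of the changelog can tell that signals are still not delivered to subscriptions for a trusted sender's well-known bus name when the sender is spoofed. The same applies to "(avoids: #1070730, etc.)": listing the other bug numbers instead of "etc." would make the regression coverage checkable.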
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-7] bcf9af65ce Bug #57300: glib2.0 2.58.3-2+deb10u6
 doc/errata/staging/glib2.0.yaml | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

[5.0-7] 770d037eb1 Bug #57300: glib2.0 2.58.3-2+deb10u6
 doc/errata/staging/glib2.0.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x1053>