Fixing glib2.0 CVE-2024-34397 in buster



Please cc either me or the glib2.0 package's address on any replies that
are relevant outside the LTS team: I am not subscribed to -lts.

Normally I don't attempt to support any packages in the LTS distributions,
but for glib2.0 I was the author of the original CVE fix and it turns
out that I might need a buster-compatible version of it for my day job,
so I've done a prototype backport to buster:
https://salsa.debian.org/gnome-team/glib/-/merge_requests/39
(git fetch https://salsa.debian.org/gnome-team/glib wip/cve-2024-34397/buster)

This incorporates:

* the original CVE fixes developed under embargo and released to bookworm
  and bullseye as DSA 5682-1, to unstable as 2.80.0-10, and to Ubuntu
  (the version used here is very similar to the one in bullseye, but with
  even more conflict resolution)

* automated test coverage for the CVE fix, released in the same versions
  as above (again the version used here is very similar to the one in
  bullseye, with minor adjustments to avoid requiring newer APIs)

* a fix for a serious regression in ibus introduced by the CVE fixes,
  released to bookworm and bullseye as DSA 5682-2, to unstable in 2.80.1-1,
  and to Ubuntu

* a fix for a minor/rare memory leak introduced by a prerequisite patch
  backported as part of the CVE fixes (see #1070851), released to unstable
  in 2.80.2-1 but not yet fixed in bookworm/bullseye or Ubuntu; this seems
  low-risk, but can be dropped/reverted if it makes the LTS team unhappy

Please could whoever handles this in the LTS team take over review/testing
from this point, and let me know if there are any problems?

In the newer suites, this update was accompanied by a fix for gnome-shell,
in which screencasting/screen-recording would have regressed after fixing
the vulnerability. In buster, my understanding is that this will not be
necessary, because GNOME Shell 3.30.x is too old to have had the relevant
bug; but I have not tested a full buster system.

I would recommend testing:

* build-time tests

* autopkgtest

* general use of GNOME

* gnome-shell: whatever screen recording or screencasting functionality was
  present in buster, if any (I don't remember what was offered in 3.30.x)

* ibus: Compose key, dead keys, and ideally non-Latin input
  (e.g. Japanese with mozc)

Thanks,
    smcv