
Bug#1053307: bullseye-pu: package glib2.0/2.66.8-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye d-i
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: glib2.0@packages.debian.org, debian-gtk-gnome@lists.debian.org
Control: affects -1 + src:glib2.0

I would like to update glib2.0 in Debian 11.9. We're too close to the
11.8 deadline for an update with this size of diffstat, so I'd like
to upload it to bullseye-proposed-updates shortly after 11.8 is out,
to give it the maximum amount of review and testing possible.

glib2.0 has a udeb and is actively used in the graphical installer,
so this will need a d-i ack, either before upload or before acceptance.

[ Reason ]
Fix denial of service vulnerabilities when parsing untrusted
GVariant data, either in binary form (CVE-2023-32665, CVE-2023-32611,
CVE-2023-29499, which were marked as no-dsa by the security team) or
in text form (no CVEs for these, I don't think the GLib maintainers
consider parsing GVariant text notation to be a valid thing to do with
untrusted input).

The vulnerabilities with CVEs were already fixed in Debian 10 LTS. The
issues without CVEs were not fixed in Debian 10 LTS, but I think fixing
them will give us a lower regression risk as well as more bug fixes.

[ Impact ]
If not fixed, anything that parses untrusted data in GVariant format will
be subject to denial of service attacks, and the LTS team will presumably
backport the same changes into Debian 11 LTS in a less complete form with
(IMO) a higher risk of regressions.

Flatpak and ostree parse trusted or at least semi-trusted data in GVariant
format, so they will be subject to this denial of service, but it isn't
urgent to fix (the integrity of GVariant data they process is protected
by PGP signatures and/or https, and it rarely makes sense to access a
completely untrusted ostree repository). I don't currently know of any
software in Debian that parses totally untrusted GVariant data.

[ Tests ]
A test-build that differs only in its changelog and version number can be
downloaded from: https://people.debian.org/~smcv/11.9/pool/main/g/glib2.0/

GLib's automated test suite passes (dh_auto_test and autopkgtest on both
amd64 and i386), and new coverage for several of the issues fixed here
accounts for around 30% of the diff.

There were no obvious regressions in a Debian 11 GNOME VM. I'll try this
on one of my work test machines before upload, but I no longer have any
bullseye machines in production use, so I can only do this on a test
installation that is not used day-to-day.

Any further testing that bullseye users can provide would be appreciated.

[ Risks ]
The diffstat is considerable, but I have tried to minimize the risk by
backporting *all* GVariant fixes from the version we ship in Debian 12,
and verifying that the only remaining non-comment differences in
`glib/gvariant*` between Debian 12 and this version are inclusion of
some compatibility headers. This means that if there were regressions
caused by these changes, we should already have seen them in Debian 12
(we haven't). Also, if regressions are discovered in this area in future,
their fixes should backport cleanly from Debian 12.

The initial versions of the denial-of-service fixes introduced a more
serious vulnerability (a buffer overflow, CVE-2023-32643) and some bugs
(a crash on big-endian architectures, and another denial of service
detected by a fuzzer). I have made sure to backport the fixes for those too.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable (and stable)

[ Changes ]
po/hr.po is (obviously) a translation update, from upstream.

All other changes are for the denial of service vulnerabilities, or are
small bug fixes in the same module which I have backported in order to
minimize risk.

All changes are straightforward cherry-picks from upstream via
Debian 12's GLib 2.74.x, except for the translation update, which was
applied to upstream's 2.66.x branch after its final point release, and
"debian/patches/Exclude-g_variant_maybe_get_child_value-from-API-document.patch",
which adjusts the content of a doc-comment to prevent a documentation
check from causing FTBFS (no changes to the actual code).

[ Other info ]
For my reference, this proposed version is
https://salsa.debian.org/gnome-team/glib/-/merge_requests/26 v1.

Thanks,
    smcv

Attachment: glib2.0_2.66.8-1+deb11u1_f2310192.diff.gz
Description: application/gzip

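The [Risks] section above relies on a check that the non-comment content of glib/gvariant* in this backport matches Debian 12's copy apart from the inclusion of compatibility headers. What follows is an added example of how such a comparison can be scripted; it is not part of the bug report, the attached debdiff or GLib itself, and the report does not say how the comparison was actually done. The two source trees, their file contents and the "glib-compat.h" header that the demo reports are constructed for the demonstration; point compare_trees() at two unpacked source packages to run the check for real.

```python
"""Compare the non-comment content of glib/gvariant* between two source trees.

Added example, not code from the bug report or from GLib. It strips C/C++
comments and whitespace and reports only the files whose remaining content
differs, so that a comment-only rewrite is ignored but an extra #include
(such as a compatibility header) or a new file is listed.
"""
import re
import tempfile
from pathlib import Path

# Alternation order matters: comments are matched before literals, and string
# and character literals are matched (and kept) so that a "/*" inside a string
# is not mistaken for a comment. A stray apostrophe in code outside a literal
# would confuse this; real GLib sources do not contain one.
_TOKEN_RE = re.compile(
    r'/\*.*?\*/'               # block comment
    r'|//[^\n]*'               # line comment
    r'|"(?:\\.|[^"\\])*"'      # string literal, kept
    r"|'(?:\\.|[^'\\])*'",     # char literal, kept
    re.DOTALL,
)


def strip_c_comments(source):
    """Replace every C/C++ comment with a single space, keeping literals."""
    return _TOKEN_RE.sub(lambda m: ' ' if m.group(0).startswith('/') else m.group(0),
                         source)


def normalize(source):
    """Comment-free, whitespace-collapsed, blank-line-free lines of a C file."""
    lines = []
    for line in strip_c_comments(source).splitlines():
        line = ' '.join(line.split())
        if line:
            lines.append(line)
    return lines


def compare_trees(old_root, new_root, pattern='glib/gvariant*'):
    """Return {relative path: (lines only in old, lines only in new)} for the
    files matching `pattern` whose non-comment content differs between the
    two trees. Files that differ only in comments or whitespace are omitted;
    a file missing from one tree is treated as empty there."""
    old_root, new_root = Path(old_root), Path(new_root)
    rel_paths = set()
    for root in (old_root, new_root):
        rel_paths.update(p.relative_to(root).as_posix()
                         for p in root.glob(pattern) if p.is_file())
    report = {}
    for rel in sorted(rel_paths):
        old_path, new_path = old_root / rel, new_root / rel
        old_lines = normalize(old_path.read_text()) if old_path.exists() else []
        new_lines = normalize(new_path.read_text()) if new_path.exists() else []
        if old_lines == new_lines:
            continue
        old_set, new_set = set(old_lines), set(new_lines)
        report[rel] = ([l for l in old_lines if l not in new_set],
                       [l for l in new_lines if l not in old_set])
    return report


def build_demo_trees():
    """Construct two throw-away trees (NOT real GLib sources) under a temp dir
    and return (old_root, new_root). File names follow the glib/gvariant*
    pattern; their contents and the glib-compat.h header are made up."""
    base = Path(tempfile.mkdtemp(prefix='gvariant-check-'))
    old, new = base / 'old', base / 'new'
    files = {
        # differs only in comments: must NOT be reported
        'glib/gvariant-core.c': (
            '/* old header comment */\nint g_variant_demo (void) { return 1; }\n',
            '/* new header comment\n * spanning lines */\n'
            'int g_variant_demo (void) { return 1; } // trailing\n',
        ),
        # newer tree adds a (hypothetical) compatibility header: must be reported,
        # and the "/*" inside the string literal must not be treated as a comment
        'glib/gvariant-serialiser.c': (
            '#include "gvariant-serialiser.h"\n'
            'static const char *s = "/* not a comment */";\n',
            '#include "gvariant-serialiser.h"\n#include "glib-compat.h"\n'
            'static const char *s = "/* not a comment */";\n',
        ),
        # present only in the newer tree: must be reported
        'glib/gvariant-new.h': (None, '#define GVARIANT_DEMO 1\n'),
    }
    for rel, (old_src, new_src) in files.items():
        for root, src in ((old, old_src), (new, new_src)):
            if src is not None:
                path = root / rel
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(src)
    return old, new


def run_demo():
    """Build the constructed trees and return the comparison report."""
    old, new = build_demo_trees()
    return compare_trees(old, new)


if __name__ == '__main__':
    for rel, (gone, added) in run_demo().items():
        print(rel)
        for line in gone:
            print('  -', line)
        for line in added:
            print('  +', line)
```

On the constructed trees the report lists only glib/gvariant-serialiser.c (one added #include) and the new glib/gvariant-new.h; gvariant-core.c drops out because it differs only in comments. Run against two real source packages, an empty report, or one containing nothing but #include lines, is the outcome the bug report describes.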