Package: libglib2.0-0
Version: 2.31.8-1
Severity: important
Tags: security fixed-upstream
X-Debbugs-Cc: t...@security.debian.org, debian-lts@lists.debian.org
Control: close -1 2.66.6-1
Kevin Backhouse of the GitHub Security Lab found an integer overflow in GLib: <https://gitlab.gnome.org/GNOME/glib/-/issues/2319>. I've requested a CVE ID. Until then, it's tracked as GHSL-2021-045, or within Debian as TEMP-0000000-300CAD.

This was accidentally disclosed before a fix existed, and the fixes are not completely straightforward, leading to the initial fixes in 2.66.6 containing regressions. All of the regressions *that we know of* were fixed in 2.66.7, but there might be more.

I would recommend that any backports to stable or oldstable are reviewed carefully before release, preferably by an upstream or downstream GLib maintainer (which is why I'm cc'ing the LTS team as a request to not immediately rush into backporting this).

There is a separate integer overflow fixed in 2.66.7 for which I will report a separate bug.

smcv