Hello Simon, Markus (apo) claimed the package yesterday after your message.
For clarity I'm CC'ing him here, and I added a note in data/dla-needed.txt:
https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/dla-needed.txt

Also, thanks for the testing procedure :)

Cheers!
Sylvain Beucler
Debian LTS Team

On 10/05/2024 17:02, Simon McVittie wrote:
Please cc either me or the glib2.0 package's address on any replies that are relevant outside the LTS team: I am not subscribed to -lts.

Normally I don't attempt to support any packages in the LTS distributions, but for glib2.0 I was the author of the original CVE fix and it turns out that I might need a buster-compatible version of it for my day job, so I've done a prototype backport to buster:

https://salsa.debian.org/gnome-team/glib/-/merge_requests/39
(git fetch https://salsa.debian.org/gnome-team/glib wip/cve-2024-34397/buster)

This incorporates:

* the original CVE fixes developed under embargo and released to bookworm and bullseye as DSA 5682-1, to unstable as 2.80.0-10, and to Ubuntu (the version used here is very similar to the one in bullseye, but with even more conflict resolution)
* automated test coverage for the CVE fix, released in the same versions as above (again the version used here is very similar to the one in bullseye, with minor adjustments to avoid requiring newer APIs)
* a fix for a serious regression in ibus introduced by the CVE fixes, released to bookworm and bullseye as DSA 5682-2, to unstable in 2.80.1-1, and to Ubuntu
* a fix for a minor/rare memory leak introduced by a prerequisite patch backported as part of the CVE fixes (see #1070851), released to unstable in 2.80.2-1 but not yet fixed in bookworm/bullseye or Ubuntu; this seems low-risk, but can be dropped/reverted if it makes the LTS team unhappy

Please could whoever handles this in the LTS team take over review/testing from this point, and let me know if there are any problems?

In the newer suites, this update was accompanied by a fix for gnome-shell, in which screencasting/screen-recording would have regressed after fixing the vulnerability. In buster, my understanding is that this will not be necessary, because GNOME Shell 3.30.x is too old to have had the relevant bug; but I have not tested a full buster system.

I would recommend testing:

* build-time tests
* autopkgtest
* general use of GNOME
* gnome-shell: whatever screen recording or screencasting functionality was present in buster, if any (I don't remember what was offered in 3.30.x)
* ibus: Compose key, dead keys, and ideally non-Latin input (e.g. Japanese with mozc)

Thanks,
smcv