
| Msg # 9 of 505 on ZZLI4427, Thursday 8-20-25, 12:37 |
| From: SIMON MCVITTIE |
| To: ALL |
| Subj: Bug#1111600: bookworm-pu: package glib2. |
XPost: linux.debian.bugs.dist, linux.debian.devel.release
From: smcv@debian.org

Package: release.debian.org
Severity: normal
Tags: bookworm d-i
X-Debbugs-Cc: glib2.0@packages.debian.org, debian-boot@lists.debian.org
Control: affects -1 + src:glib2.0
Control: block -1 by 1111470
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Avoid triggering #1065022, #1110696 in upgrades from bookworm to trixie.
Fix no-dsa CVEs #1104930, #1110640.

[ Impact ]
#1065022, #1110696 are upgrade issues: when bookworm's libglib2.0-0 is
purged, its postrm deletes files that trixie's replacement libglib2.0-0t64
still needs. The impact is most GLib/GTK apps crashing out with a fatal
error, until libglib2.0-0t64 is dpkg-reconfigure'd or reinstalled.

We already work around #1065022 on the trixie side, and I'm proposing a
similar workaround for #1110696 in trixie-pu bug #1111470, but it would
be better if bookworm's libglib2.0-0.postrm was safer as well. In
particular, old versions of the postrm can hang around indefinitely due
to the existence of the removed-but-not-purged state, so it would be good
if we can make an attempt to fix this retroactively.

The two CVEs are unlikely to be exploitable in practice, but the
worst-case-scenario impact if we turn out to be wrong about that is
arbitrary code execution.

[ Tests ]
In general: autopkgtests are relatively extensive and all pass, except
for memory-monitor-dbus which does not always pass but is already flagged
as flaky (there are some known race conditions in that one, fixed
upstream in a later version but not a high priority to backport).

A GNOME laptop still works normally with the proposed version.

I tested #1065022, #1110696 with the manual test script
debian/tests/manual/1065022.sh, as included in the trixie package
proposed in #1111470:

- put proposed bookworm packages (only) in /path/to/proposed/debs
  (both amd64 and i386 are required)
- run "dpkg-scanpackages --multiversion . > Packages" in that directory
- podman run --rm -it \
      -v /path/to/glib:/mnt/glib:ro -w /mnt/glib \
      -v /path/to/proposed/debs:/mnt/bookworm:ro \
      debian:bookworm-slim debian/tests/manual/1065022.sh
- then repeat, adding argument "1110696"
- exit status should be 0 in both cases, stderr ends with "+ exit 0"

and these pass, even without updating the packages in trixie.

The new autopkgtest debian/patches/1065022-futureproofing also passes
(tested in autopkgtest-virt-qemu and autopkgtest-virt-lxc on amd64).

The CVEs have no specific test coverage.

[ Risks ]
It's a key package in all desktop environments.

The upstream changes are narrowly-targeted and only fix specific bugs.

The downstream changes are not strictly minimal: I structured them to be
as easy as possible to review, even if that means a few more lines of
code. The only differences between the proposed
debian/libglib2.0-0.postrm.in, and the debian/libglib2.0-0t64.postrm in
unstable (and proposed for trixie) are:

- unstable uses debhelper's #DEB_HOST_MULTIARCH# substitution, but to
  minimize regression risk this proposed bookworm update is still doing
  its own substitution of #MULTIARCH# using sed;
- some differences in comments to reflect the older package name

Unlike the trixie package, the bookworm package does not need to go
behind debhelper's back to fix up older packages, so the changes are
simpler here.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
All changes in debian/patches/ (and glib/) are upstream commits to fix
the two CVEs. They cherry-picked cleanly from 2.84.x.

debian/patches/glib-gfileutils.c-use-64-bits-for-value-in-get_tmp_file.patch
was a past bug fix related to what was later reported as CVE-2025-7039.
Cherry-picking it allows the fix for the CVE,
debian/patches/gfileutils-fix-computation-of-temporary-file-name.patch,
to apply cleanly.

debian/patches/gstring-carefully-handle-gssize-parameters.patch was the
original attempt to fix CVE-2025-4373, but had an important omission,
fixed by debian/patches/gstring-Make-len_unsigned-unsigned.patch.

All other changes are for #1065022/#1110696.
debian/patches/1065022-futureproofing is an automated test for this,
backported from unstable; it's marked as flaky as a precaution because it
relies on implementation details and might regress in future, but in
practice it does pass.

[ Other info ]
This will need a d-i ack for the udeb, used in the graphical installer.

diffstat for glib2.0-2.74.6 glib2.0-2.74.6

 debian/changelog                                                            |  40 ++
 debian/libglib2.0-0.postrm.in                                               |  89 +++++-
 debian/patches/gfileutils-fix-computation-of-temporary-file-name.patch      |  42 +++
 debian/patches/glib-gfileutils.c-use-64-bits-for-value-in-get_tmp_file.patch |  40 ++
 debian/patches/gstring-Make-len_unsigned-unsigned.patch                     |  25 +
 debian/patches/gstring-carefully-handle-gssize-parameters.patch             | 119 ++++++++
 debian/patches/series                                                       |   4
 debian/tests/1065022-futureproofing                                         | 137 ++++++++++
 debian/tests/control                                                        |   4
 glib/gfileutils.c                                                           |   8
 glib/gstring.c                                                              |  36 +-
 11 files changed, 515 insertions(+), 29 deletions(-)

diff -Nru glib2.0-2.74.6/debian/changelog glib2.0-2.74.6/debian/changelog

[continued in next message]
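The debdiff with the actual debian/libglib2.0-0.postrm.in change is in the continuation of this message and is not reproduced here. To illustrate the class of fix the report asks for (a postrm that does not delete files a successor package still needs), the following is an added example written for this page, not the glib2.0 package's own maintainer script. It assumes the successor package is libglib2.0-0t64 (named in the report), uses a constructed placeholder path for the generated file, and lets the dpkg-query command be substituted via the DPKG_QUERY variable so the logic can be exercised without a real dpkg database.

```shell
#!/bin/sh
# Added example, not the glib2.0 package's real postrm.
# Hypothetical postrm fragment: on "purge", delete a generated file only
# when the successor package (assumed name: libglib2.0-0t64) is not
# installed, so purging the old package cannot break the new one.

set -e

# DPKG_QUERY may be overridden (e.g. by a test) with a stand-in command;
# by default the real dpkg-query is used.
: "${DPKG_QUERY:=dpkg-query}"

# pkg_installed NAME -> exit 0 if dpkg reports NAME in state "installed".
# ${db:Status-Status} is a real dpkg-query virtual field.
pkg_installed() {
    status=$("$DPKG_QUERY" -W -f='${db:Status-Status}' "$1" 2>/dev/null) || return 1
    [ "$status" = "installed" ]
}

# safe_purge_file FILE SUCCESSOR... -> remove FILE unless some SUCCESSOR
# package is still installed and therefore still relies on it.
safe_purge_file() {
    file="$1"
    shift
    for successor in "$@"; do
        if pkg_installed "$successor"; then
            echo "postrm: keeping $file, still needed by $successor" >&2
            return 0
        fi
    done
    rm -f "$file"
}

# Maintainer-script entry point: only the purge action touches files.
# GENERATED_FILE is a constructed placeholder, not the real cache path.
case "${1:-}" in
    purge)
        safe_purge_file "${GENERATED_FILE:-/var/lib/example/generated.cache}" \
            libglib2.0-0t64
        ;;
esac
```

The guard is deliberately conservative: any non-"installed" state (including the removed-but-not-purged state the report mentions) counts as "not installed", so the file is only kept while the successor genuinely owns it.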