From 29d6a46b1813b5f6053786dc12080223a1e803ec Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Mon, 28 Oct 2024 08:41:03 +0000
Subject: [PATCH 1/5] Import Debian changes 2.74.6-2+deb12u4
---
debian/changelog | 21 +++++++++++++++++++++
debian/control | 2 ++
debian/control.in | 4 +++-
3 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 4ae96f7..173b14c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,24 @@
+glib2.0 (2.74.6-2+deb12u4) bookworm; urgency=medium
+
+ [ Helmut Grohne ]
+ * Provide libgio-2.0-dev from libglib2.0-dev in bookworm.
+ In unstable, libgio-2.0-dev has been split off from
+ libglib2.0-dev. Some of the build dependencies on libglib2.0-dev
+ will be switched over to libgio-2.0-dev. This causes them to
+ be unsatisfiable in bookworm-backports, unless a bookworm update
+ provides forward compatibility by providing libgio-2.0-dev (which
+ has never been mentioned in bookworm).
+
+ [ Simon McVittie ]
+ * d/control.in: libglib2.0-dev-bin Provides libgio-2.0-dev-bin.
+ Packages backported from trixie/sid might build-depend on
+ libgio-2.0-dev-bin if they participate in bootstrapping and need to
+ run utilities like glib-mkenums or gdbus-codegen during their build.
+ * d/control.in: Freeze Uploaders at the value it previously had in bookworm.
+ This allows `debian/rules clean` to be run without altering d/control.
+
+ -- Simon McVittie <smcv@debian.org> Mon, 28 Oct 2024 08:41:03 +0000
+
glib2.0 (2.74.6-2+deb12u3) bookworm; urgency=medium
* d/p/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch:
diff --git a/debian/control b/debian/control
index 863c9f8..e510bda 100644
--- a/debian/control
+++ b/debian/control
@@ -142,6 +142,7 @@ Breaks: libglib2.0-0-dbg (<< 2.51.4-1~)
Replaces: libglib2.0-0-dbg (<< 2.51.4-1~)
Suggests: libgirepository1.0-dev (>= 1.62),
libglib2.0-doc
+Provides: libgio-2.0-dev (= ${binary:Version})
Description: Development files for the GLib library
GLib is a library containing many useful C routines for things such
as trees, hashes, lists, and strings. It is a useful general-purpose
@@ -163,6 +164,7 @@ Depends: python3-distutils,
${shlibs:Depends}
Suggests: libgdk-pixbuf2.0-bin,
libxml2-utils
+Provides: libgio-2.0-dev-bin (= ${binary:Version})
Multi-Arch: foreign
Description: Development utilities for the GLib library
GLib is a library containing many useful C routines for things such
diff --git a/debian/control.in b/debian/control.in
index c6bc431..b8d1e30 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -2,7 +2,7 @@ Source: glib2.0
Section: libs
Priority: optional
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
-Uploaders: @GNOME_TEAM@, Simon McVittie <smcv@debian.org>
+Uploaders: Iain Lane <laney@debian.org>, Jeremy Bicha <jbicha@ubuntu.com>, Simon McVittie <smcv@debian.org>
Build-Depends: dbus-daemon <!nocheck> <!noinsttest>,
debhelper-compat (= 13),
dh-sequence-python3,
@@ -138,6 +138,7 @@ Breaks: libglib2.0-0-dbg (<< 2.51.4-1~)
Replaces: libglib2.0-0-dbg (<< 2.51.4-1~)
Suggests: libgirepository1.0-dev (>= 1.62),
libglib2.0-doc
+Provides: libgio-2.0-dev (= ${binary:Version})
Description: Development files for the GLib library
GLib is a library containing many useful C routines for things such
as trees, hashes, lists, and strings. It is a useful general-purpose
@@ -159,6 +160,7 @@ Depends: python3-distutils,
${shlibs:Depends}
Suggests: libgdk-pixbuf2.0-bin,
libxml2-utils
+Provides: libgio-2.0-dev-bin (= ${binary:Version})
Multi-Arch: foreign
Description: Development utilities for the GLib library
GLib is a library containing many useful C routines for things such
--
GitLab
From adc0350a68d5aa6554ad1c2e8c52b0168a9736a7 Mon Sep 17 00:00:00 2001
From: Apertis CI robot <devel@lists.apertis.org>
Date: Mon, 25 Nov 2024 09:24:53 +0000
Subject: [PATCH 2/5] Release glib2.0 version 2.74.6-2+deb12u4+apertis1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Dylan Aïssi <dylan.aissi@collabora.com>
---
debian/changelog | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index b6f53ff..1dc6642 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+glib2.0 (2.74.6-2+deb12u4+apertis1) apertis; urgency=medium
+
+ * Sync from debian/bookworm.
+ * Remaining Apertis specific changes:
+ - Inject -Wno-error=format-overflow -Wno-error=format-truncation in
+ debian/rules. In contrary to Debian, we use by default -Wformat-overflow=2
+ and -Wformat-truncation=2 in Apertis, but due to the use of -Werror this
+ package FTBFS with: "cc1: all warnings being treated as errors".
+ In order to avoid this error, we don't treat these warnings as errors.
+
+ -- Apertis CI <devel@lists.apertis.org> Mon, 25 Nov 2024 09:24:53 +0000
+
glib2.0 (2.74.6-2+deb12u4) bookworm; urgency=medium
[ Helmut Grohne ]
--
GitLab
From db8cbc89743b4c1db737d2b29672220f025ea90c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dylan=20A=C3=AFssi?= <dylan.aissi@collabora.com>
Date: Mon, 25 Nov 2024 09:28:25 +0000
Subject: [PATCH 3/5] Refresh the automatically detected licensing information
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Dylan Aïssi <dylan.aissi@collabora.com>
---
debian/apertis/copyright | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/debian/apertis/copyright b/debian/apertis/copyright
index 027ce46..4888780 100644
--- a/debian/apertis/copyright
+++ b/debian/apertis/copyright
@@ -50,8 +50,7 @@ Copyright: See individual files
License: CC0-1.0 and/or LGPL-2.1
Files: debian/*
-Copyright:
- 2002-2022 Debian contributors as listed in debian/changelog
+Copyright: 2002-2022 Debian contributors as listed in debian/changelog
2012-2019 Canonical Ltd
2017-2019 Collabora Ltd
2016-2021 Simon McVittie
@@ -73,8 +72,7 @@ License: LGPL-2.1+ and Expat
Files: debian/tests/build-static
debian/tests/control
-Copyright:
- 2002-2022 Debian contributors as listed in debian/changelog
+Copyright: 2002-2022 Debian contributors as listed in debian/changelog
2012-2019 Canonical Ltd
2017-2019 Collabora Ltd
2016-2021 Simon McVittie
--
GitLab
From d753555b98db3f8d5af4f36df335090728ca6288 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Thu, 14 Nov 2024 09:42:34 +0000
Subject: [PATCH 4/5] Import Debian changes 2.74.6-2+deb12u5
---
debian/changelog | 8 ++++
...ingle-byte-buffer-overflow-in-connec.patch | 44 +++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 53 insertions(+)
create mode 100644 debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
diff --git a/debian/changelog b/debian/changelog
index 173b14c..ba85f9e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+glib2.0 (2.74.6-2+deb12u5) bookworm; urgency=medium
+
+ * d/p/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch:
+ Fix a buffer overflow when configured to use a SOCKS4a proxy with a
+ very long username (CVE-2024-52533, Closes: #1087419)
+
+ -- Simon McVittie <smcv@debian.org> Thu, 14 Nov 2024 09:42:34 +0000
+
glib2.0 (2.74.6-2+deb12u4) bookworm; urgency=medium
[ Helmut Grohne ]
diff --git a/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch b/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
new file mode 100644
index 0000000..5e4be5c
--- /dev/null
+++ b/debian/patches/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
@@ -0,0 +1,44 @@
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Thu, 19 Sep 2024 18:35:53 +0100
+Subject: gsocks4aproxy: Fix a single byte buffer overflow in connect messages
+
+`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
+byte in the connect message, which is an addition in SOCKSv4a vs
+SOCKSv4.
+
+This means that the buffer for building and transmitting the connect
+message could be overflowed if the username and hostname are both
+`SOCKS4_MAX_LEN` (255) bytes long.
+
+Proxy configurations are normally statically configured, so the username
+is very unlikely to be near its maximum length, and hence this overflow
+is unlikely to be triggered in practice.
+
+(Commit message by Philip Withnall, diagnosis and fix by Michael
+Catanzaro.)
+
+CVE-2024-52533
+
+Bug: https://gitlab.gnome.org/GNOME/glib/-/issues/3461
+Bug-Debian: https://bugs.debian.org/1087419
+Origin: upstream, 2.82.1, commit:ec0b708b981af77fef8e4bbb603cde4de4cd2e29
+---
+ gio/gsocks4aproxy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c
+index 3dad118..b3146d0 100644
+--- a/gio/gsocks4aproxy.c
++++ b/gio/gsocks4aproxy.c
+@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy)
+ * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+ * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL |
+ * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+- * 1 1 2 4 variable 1 variable
++ * 1 1 2 4 variable 1 variable 1
+ */
+-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2)
++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2)
+ static gint
+ set_connect_msg (guint8 *msg,
+ const gchar *hostname,
diff --git a/debian/patches/series b/debian/patches/series
index bc34651..f903721 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -43,3 +43,4 @@ CVE-2024-34397/tests-Ensure-that-unsubscribing-with-GetNameOwner-in-flig.patch
CVE-2024-34397/gdbus-proxy-test-Wait-before-asserting-name-owner-has-gon.patch
CVE-2024-34397/gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a.patch
gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch
+gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch
--
GitLab
From b564859d1a649a1be4e58bd7f74fb57494d6182e Mon Sep 17 00:00:00 2001
From: Apertis CI robot <devel@lists.apertis.org>
Date: Fri, 17 Jan 2025 10:55:22 +0000
Subject: [PATCH 5/5] Release glib2.0 version 2.74.6-2+deb12u5+apertis1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Dylan Aïssi <dylan.aissi@collabora.com>
---
debian/changelog | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index d0f391d..8a91427 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+glib2.0 (2.74.6-2+deb12u5+apertis1) apertis; urgency=medium
+
+ * Sync from debian/bookworm.
+ * Remaining Apertis specific changes:
+ - Inject -Wno-error=format-overflow -Wno-error=format-truncation in
+ debian/rules. In contrary to Debian, we use by default -Wformat-overflow=2
+ and -Wformat-truncation=2 in Apertis, but due to the use of -Werror this
+ package FTBFS with: "cc1: all warnings being treated as errors".
+ In order to avoid this error, we don't treat these warnings as errors.
+
+ -- Apertis CI <devel@lists.apertis.org> Fri, 17 Jan 2025 10:55:22 +0000
+
glib2.0 (2.74.6-2+deb12u5) bookworm; urgency=medium
* d/p/gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connec.patch:
--
GitLab