Bug#944133: buster-pu: package glib2.0/2.58.3-2+deb10u2
Simon McVittie
2019-11-04 19:20:02 UTC
Package: release.debian.org
Severity: normal
Tags: buster
User: ***@packages.debian.org
Usertags: pu

A recent security fix to ibus (CVE-2019-14822, #940267, DSA-4525-1)
exposed an interoperability bug between GLib's implementation of D-Bus
and the reference implementation libdbus (#941018). The practical impact
is that Qt clients cannot use the updated ibus input method until GLib
is fixed.

This has been fixed in the upstream master and 2.62.x branches and
in unstable, and I've prepared backports for buster (this bug)
and stretch (I'll open a separate bug when I have a successful
build/autopkgtest/piuparts pipeline).

This proposed patch includes a backport of the regression test that I wrote,
which has only been included in upstream git master so far. If the diffstat
patches/GDBus-prefer-getsockopt-style-credentials-passing-APIs.patch | 167 +++
patches/credentials-Invalid-Linux-struct-ucred-means-no-informati.patch | 117 ++
These are the bug fix.
control | 1
control.in | 1
patches/Add-a-test-for-GDBusServer-authentication.patch | 536 ++++++++++
patches/gdbus-server-auth-test-Create-temporary-directory-for-Uni.patch | 191 +++
patches/gdbus-server-auth-test-Include-gcredentialsprivate.h.patch | 41
These are for build-time and autopkgtest test coverage, and can be dropped
if they are too big. They give libglib2.0-tests a new dependency on
libdbus-1-3, but the shared library etc. do not gain a similar dependency.

So far I've only tested this with build/autopkgtest/piuparts, but I'll try
it on a real buster machine before upload. OK to continue?

Thanks,
smcv
Simon McVittie
2019-11-04 21:10:02 UTC
Post by Simon McVittie
This proposed patch
Sorry, forgot to attach.

smcv
Adam D. Barratt
2019-11-06 12:20:01 UTC
Control: tags -1 + confirmed d-i
Post by Simon McVittie
A recent security fix to ibus (CVE-2019-14822, #940267, DSA-4525-1)
exposed an interoperability bug between GLib's implementation of D-Bus
and the reference implementation libdbus (#941018). The practical impact
is that Qt clients cannot use the updated ibus input method until GLib
is fixed.
This has been fixed in the upstream master and 2.62.x branches and
in unstable, and I've prepared backports for buster (this bug)
and stretch (I'll open a separate bug when I have a successful
build/autopkgtest/piuparts pipeline).
This looks OK to me, but will need a d-i ACK due to the udeb build;
thanks.

Regards,

Adam
Simon McVittie
2019-11-06 13:00:01 UTC
Post by Simon McVittie
A recent security fix to ibus (CVE-2019-14822, #940267, DSA-4525-1)
exposed an interoperability bug between GLib's implementation of D-Bus
and the reference implementation libdbus (#941018).
This looks OK to me, but will need a d-i ACK due to the udeb build; thanks.
Here's a final debdiff. The only change outside debian/changelog was to add
the correct branch to the Vcs-Git field.

smcv
Adam D. Barratt
2019-11-08 20:00:02 UTC
Post by Adam D. Barratt
Control: tags -1 + confirmed d-i
Post by Simon McVittie
A recent security fix to ibus (CVE-2019-14822, #940267, DSA-4525-1)
exposed an interoperability bug between GLib's implementation of D-Bus
and the reference implementation libdbus (#941018). The practical impact
is that Qt clients cannot use the updated ibus input method until GLib
is fixed.
This has been fixed in the upstream master and 2.62.x branches and
in unstable, and I've prepared backports for buster (this bug)
and stretch (I'll open a separate bug when I have a successful
build/autopkgtest/piuparts pipeline).
This looks OK to me, but will need a d-i ACK due to the udeb build;
thanks.
Given that the window for getting fixes into the 10.2 point release
closes this weekend, feel free to upload and we'll wait for the d-i ack
before deciding whether to include it in 10.2.

Regards,

Adam
Simon McVittie
2019-11-09 11:40:01 UTC
Post by Adam D. Barratt
Post by Adam D. Barratt
Post by Simon McVittie
A recent security fix to ibus (CVE-2019-14822, #940267, DSA-4525-1)
exposed an interoperability bug between GLib's implementation of D-Bus
and the reference implementation libdbus (#941018). The practical impact
is that Qt clients cannot use the updated ibus input method until GLib
is fixed.
This looks OK to me, but will need a d-i ACK due to the udeb build;
thanks.
Given that the window for getting fixes into the 10.2 point release
closes this weekend, feel free to upload and we'll wait for the d-i ack
before deciding whether to include it in 10.2.
Uploaded. The only change outside debian/changelog was to add the correct
branch to the Vcs-Git field.

I've tested this successfully in a buster GNOME VM where I was previously
able to reproduce #941018.

Thanks,
smcv
Cyril Brulebois
2019-11-09 18:00:01 UTC
Hi,
Post by Simon McVittie
Uploaded. The only change outside debian/changelog was to add the correct
branch to the Vcs-Git field.
I've tested this successfully in a buster GNOME VM where I was previously
able to reproduce #941018.
I have spent time trying to get d-i tested using netboot and netboot/gtk
mini.iso images built against the 3 packages available on coccia :

glib2.0_2.58.3-2+deb10u2.dsc
ncurses_6.1+20181013-2+deb10u2.dsc
systemd_241-7~deb10u2.dsc

And all use cases ran fine (4 × netboot-gtk and 1 × netboot — new).

So I'm fine with letting all three packages get accepted into pu, even
if I haven't looked in depth into the glib2.0 patches.
Cheers,
--
Cyril Brulebois (***@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
Adam D Barratt
2019-11-09 20:00:02 UTC
package release.debian.org
tags 944133 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: glib2.0
Version: 2.58.3-2+deb10u2

Explanation: ensure libdbus clients can authenticate with a GDBusServer like the one in ibus