Discussion:
Bug#944233: stretch-pu: package glib2.0/2.50.3-2+deb9u1
Simon McVittie
2019-11-06 13:10:01 UTC
Package: release.debian.org
Severity: normal
Tags: stretch
User: ***@packages.debian.org
Usertags: pu

A recent security fix to ibus (CVE-2019-14822, #940267, DSA-4525-1)
exposed an interoperability bug between GLib's implementation of D-Bus
and the reference implementation libdbus (#941018). The practical impact
is that Qt clients cannot use the updated ibus input method until GLib
is fixed.

This is the same as #944133, but for the older GLib in stretch. I've
tested both this and the buster update in corresponding GNOME virtual
machines; in both cases I can reproduce #941018 with the updated ibus,
and installing this version of GLib appears to fix it.

I haven't included the new unit test in this version. It usually passes
when run manually (confirming that the fix does work), but intermittently
hangs, and seems to hang more frequently when run in sbuild. I suspect
this is an unrelated multi-threading issue in GDBus message processing
(the GDBus tests tend to exercise this more aggressively than normal
applications). If so, it's unlikely to be a regression.

smcv
Simon McVittie
2019-12-02 15:30:01 UTC
Post by Simon McVittie
A recent security fix to ibus (CVE-2019-14822, #940267, DSA-4525-1)
exposed an interoperability bug between GLib's implementation of D-Bus
and the reference implementation libdbus (#941018). The practical impact
is that Qt clients cannot use the updated ibus input method until GLib
is fixed.
This is the same as #944133, but for the older GLib in stretch.
I've uploaded the proposed source package for your consideration. Please
let me know if anything needs to be reverted or changed.

Thanks,
smcv
Adam D. Barratt
2019-12-07 20:40:02 UTC
Control: tags -1 + confirmed d-i
Post by Simon McVittie
Post by Simon McVittie
A recent security fix to ibus (CVE-2019-14822, #940267, DSA-4525-1)
exposed an interoperability bug between GLib's implementation of D-Bus
and the reference implementation libdbus (#941018). The practical impact
is that Qt clients cannot use the updated ibus input method until GLib
is fixed.
This is the same as #944133, but for the older GLib in stretch.
I've uploaded the proposed source package for your consideration.
Please let me know if anything needs to be reverted or changed.
Sorry for the delay. This looks OK to me, but will need a d-i ack as
ever.

Regards,

Adam
