Backport CVE-2021-27218 integer overflow fix to GLib 2.58

Simon McVittie requested to merge wip/2-58-cve-2021-27218 into glib-2-58

Debian 10 contains GLib 2.58 and is supported for a bit more than 1 more year, so I need to backport the CVE-2021-27218 integer overflow fix to that version. Similar to !2000 (merged), I'd like to do this upstream.

I do not intend this to imply any particular upstream support for GLib 2.58, and in particular I don't plan to make any new GLib 2.58.x releases.

Commits

  • gstrfuncs: Add internal g_memdup2() function

    From: @pwithnall

    (Same as the first commit in !2000 (merged). It's a straightforward cherry-pick from 2.66.)

  • gbytearray: Do not accept too large byte arrays

    From: @krnowak

    (Straightforward cherry-pick from 2.66.)

Edited by Simon McVittie