From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Subject: glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219
Date: Thu, 11 Mar 2021 00:44:06 +0100
Message-ID: <2fa8c4679e127f5e8a3e1dd4fa7d6ad73b1d83d3.camel@zaclys.net>
List: guix-devel@gnu.org (Development of GNU Guix and the GNU System distribution)

Upstream does not provide fixes for the 2.62.x series, so we need to backport ourselves. I would rather switch to an upstream-supported version (2.66.x or later), as backporting patches does not appear sustainable for us; we already have enough on our plate.

See:

- https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942 (CVE-2021-27218)
- https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1944 (CVE-2021-27218)
- https://gitlab.gnome.org/GNOME/glib/-/issues/2319 (CVE-2021-27219)

Léo