[Buildroot] [PATCH 1/1] package/libglib2: security bump to version 2.66.7
Peter Korsgaard
peter at korsgaard.com
Sat Mar 13 14:39:36 UTC 2021
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:
> - Fix CVE-2021-27218: An issue was discovered in GNOME GLib before
> 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called
> with a buffer of 4GB or more on a 64-bit platform, the length would be
> truncated modulo 2**32, causing unintended length truncation.
> - Fix CVE-2021-27219: An issue was discovered in GNOME GLib before
> 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an
> integer overflow on 64-bit platforms due to an implicit cast from 64
> bits to 32 bits. The overflow could potentially lead to memory
> corruption.
For 2020.02.x / 2020.11.x I have instead backported the CVE-2021.27218
fix. The CVE-2021-27219 fix adds a g_memdup2() function and changes a
bunch of callers to use that instead of g_memdup(), which is not quite
trivial to backport, so I have left that for now.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list