[Buildroot] [PATCH 1/1] package/libglib2: security bump to version 2.66.7

Peter Korsgaard peter at korsgaard.com
Sat Mar 13 14:39:36 UTC 2021

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:

 > - Fix CVE-2021-27218: An issue was discovered in GNOME GLib before
 >   2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called
 >   with a buffer of 4GB or more on a 64-bit platform, the length would be
 >   truncated modulo 2**32, causing unintended length truncation.
 > - Fix CVE-2021-27219: An issue was discovered in GNOME GLib before
 >   2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an
 >   integer overflow on 64-bit platforms due to an implicit cast from 64
 >   bits to 32 bits. The overflow could potentially lead to memory
 >   corruption.

For 2020.02.x / 2020.11.x I have instead backported the CVE-2021.27218
fix. The CVE-2021-27219 fix adds a g_memdup2() function and changes a
bunch of callers to use that instead of g_memdup(), which is not quite
trivial to backport, so I have left that for now.
Bye, Peter Korsgaard

More information about the buildroot mailing list