Now
MAIN commitmail json YAML
pkgsrc/devel/gdbus-codegen/distinfo@1.18
/
diff
pkgsrc/devel/glib2/Makefile.common@1.87 / diff
pkgsrc/devel/glib2/PLIST@1.123 / diff
pkgsrc/devel/glib2/distinfo@1.279 / diff
pkgsrc/devel/glib2/Makefile.common@1.87 / diff
pkgsrc/devel/glib2/PLIST@1.123 / diff
pkgsrc/devel/glib2/distinfo@1.279 / diff
glib2 glib2-tools gdbus-codegen: updated to 2.66.7
Overview of changes in GLib 2.66.7
==================================
* Fix various regressions caused by rushed security fixes in 2.66.6
(work by Simon McVittie and Jan Alexander Steffens) (!1933, !1943)
* Fix a silent integer truncation when calling `g_byte_array_new_take()` for
byte arrays bigger than `G_MAXUINT` (work by Krzesimir Nowak) (!1944)
* Disallow using currently-undefined D-Bus connection or server flags to prevent
forward-compatibility problems with new security-sensitive flags likely to be
released in GLib 2.68 (work by Simon McVittie) (!1945)
* Bugs fixed:
- !1933 [2.66] Fix regressions in 2.66.6 where negative gssize indicates strlen()
- !1943 Backport !1941 窶徃keyfilesettingsbackend: Fix basename handling when group is unset窶� to glib-2-66
- !1944 Backport !1942 窶徃bytearray: Do not accept too large byte arrays窶� to glib-2-66
- !1945 Backport !1934 窶徃dbus: Reject attempts to set future connection or server flags窶� to glib-2-66
Overview of changes in GLib 2.66.6
==================================
* Fix various instances within GLib where `g_memdup()` was vulnerable to a
silent integer truncation and heap overflow problem (discovered by
Kevin Backhouse, work by Philip Withnall)
* Bugs fixed:
- !1927 Backport !1926 窶廣dd g_memdup2()窶� to glib-2-66
Overview of changes in GLib 2.66.5
==================================
* Fix some issues with handling over-long (invalid) input when parsing for `GDate` (!1824)
* Don窶冲 load GIO modules or parse other GIO environment variables when `AT_SECURE`
is set (i.e. in a setuid/setgid/setcap process). GIO has always been
documented as not being safe to use in privileged processes, but people persist
in using it unsafely, so these changes should harden things against potential
attacks at least a little. Unfortunately they break a couple of projects which
were relying on reading `DBUS_SESSION_BUS_ADDRESS`, so GIO continues to read
that for setgid/setcap (but not setuid) processes. This loophole will be closed
in GLib 2.70 (see issue 2316), which should give modules 6 months to change
their behaviour. (Work by Simon McVittie and Philip Withnall)
* Fix `g_spawn()` searching `PATH` when it wasn窶冲 meant to (work by
Simon McVittie and Thomas Haller) (!1913)
* Bugs fixed:
- giomodule: Loads GIO modules even if setuid, etc.
- g_private_replace ordering issue
- GIO security hardening causing gnome-keyring to regress when session bus is provided by dbus-launch (dbus-x11)
- gthread: Destroy value after replacing it in g_private_replace()
- Backport !1821 窶徃date: Limit length of dates which can be parsed as valid窶� to glib-2-66
- gdatetime.c: Fix MSVC builds for lack of NAN items
- Backport !1827 窶弩indows: fix FD_READ condition flag still set on recoverable UDP socket errors.窶� to glib-2-66
- Backport !1862 窶徃io: Ignore various environment variables when running as setuid窶� to glib-2-66
- Backport !1868 窶徃desktopappinfo: Fix validation of XDG_CURRENT_DESKTOP窶� to glib-2-66
- Backport !1902 窶徭pawn: Don't set a search path if we don't want to search PATH窶� to glib-2-66
- Backport !1920 窶彝esolve GDBus regressions in setcap/setgid programs窶� to glib-2-66
Overview of changes in GLib 2.66.7
==================================
* Fix various regressions caused by rushed security fixes in 2.66.6
(work by Simon McVittie and Jan Alexander Steffens) (!1933, !1943)
* Fix a silent integer truncation when calling `g_byte_array_new_take()` for
byte arrays bigger than `G_MAXUINT` (work by Krzesimir Nowak) (!1944)
* Disallow using currently-undefined D-Bus connection or server flags to prevent
forward-compatibility problems with new security-sensitive flags likely to be
released in GLib 2.68 (work by Simon McVittie) (!1945)
* Bugs fixed:
- !1933 [2.66] Fix regressions in 2.66.6 where negative gssize indicates strlen()
- !1943 Backport !1941 窶徃keyfilesettingsbackend: Fix basename handling when group is unset窶� to glib-2-66
- !1944 Backport !1942 窶徃bytearray: Do not accept too large byte arrays窶� to glib-2-66
- !1945 Backport !1934 窶徃dbus: Reject attempts to set future connection or server flags窶� to glib-2-66
Overview of changes in GLib 2.66.6
==================================
* Fix various instances within GLib where `g_memdup()` was vulnerable to a
silent integer truncation and heap overflow problem (discovered by
Kevin Backhouse, work by Philip Withnall)
* Bugs fixed:
- !1927 Backport !1926 窶廣dd g_memdup2()窶� to glib-2-66
Overview of changes in GLib 2.66.5
==================================
* Fix some issues with handling over-long (invalid) input when parsing for `GDate` (!1824)
* Don窶冲 load GIO modules or parse other GIO environment variables when `AT_SECURE`
is set (i.e. in a setuid/setgid/setcap process). GIO has always been
documented as not being safe to use in privileged processes, but people persist
in using it unsafely, so these changes should harden things against potential
attacks at least a little. Unfortunately they break a couple of projects which
were relying on reading `DBUS_SESSION_BUS_ADDRESS`, so GIO continues to read
that for setgid/setcap (but not setuid) processes. This loophole will be closed
in GLib 2.70 (see issue 2316), which should give modules 6 months to change
their behaviour. (Work by Simon McVittie and Philip Withnall)
* Fix `g_spawn()` searching `PATH` when it wasn窶冲 meant to (work by
Simon McVittie and Thomas Haller) (!1913)
* Bugs fixed:
- giomodule: Loads GIO modules even if setuid, etc.
- g_private_replace ordering issue
- GIO security hardening causing gnome-keyring to regress when session bus is provided by dbus-launch (dbus-x11)
- gthread: Destroy value after replacing it in g_private_replace()
- Backport !1821 窶徃date: Limit length of dates which can be parsed as valid窶� to glib-2-66
- gdatetime.c: Fix MSVC builds for lack of NAN items
- Backport !1827 窶弩indows: fix FD_READ condition flag still set on recoverable UDP socket errors.窶� to glib-2-66
- Backport !1862 窶徃io: Ignore various environment variables when running as setuid窶� to glib-2-66
- Backport !1868 窶徃desktopappinfo: Fix validation of XDG_CURRENT_DESKTOP窶� to glib-2-66
- Backport !1902 窶徭pawn: Don't set a search path if we don't want to search PATH窶� to glib-2-66
- Backport !1920 窶彝esolve GDBus regressions in setcap/setgid programs窶� to glib-2-66