glib2.0 (2.66.1-2ubuntu0.2) groovy-security; urgency=medium
* SECURITY UPDATE: incorrect g_file_replace() symlink handling
- debian/patches/CVE-2021-28153-1.patch: fix a typo in a comment in
gio/glocalfileoutputstream.c.
- debian/patches/CVE-2021-28153-2.patch: stop using g_test_bug_base()
in file tests in gio/tests/file.c.
- debian/patches/CVE-2021-28153-3.patch: factor out a flag check in
gio/glocalfileoutputstream.c.
- debian/patches/CVE-2021-28153-4.patch: fix CREATE_REPLACE_DESTINATION
with symlinks in gio/glocalfileoutputstream.c, gio/tests/file.c.
- debian/patches/CVE-2021-28153-5.patch: add a missing O_CLOEXEC flag
to replace() in gio/glocalfileoutputstream.c.
- CVE-2021-28153
-- Marc Deslauriers <email address hidden> Fri, 12 Mar 2021 11:19:01 -0500
-
glib2.0 (2.66.1-2ubuntu0.1) groovy-security; urgency=medium
* SECURITY UPDATE: g_byte_array_new_take length truncation
- debian/patches/CVE-2021-2721x/CVE-2021-27218.patch: do not accept too
large byte arrays in glib/garray.c, glib/gbytes.c,
glib/tests/bytes.c.
- CVE-2021-27218
* SECURITY UPDATE: integer overflow in g_bytes_new
- debian/patches/CVE-2021-2721x/CVE-2021-27219*.patch: add internal
g_memdup2() function and use it instead of g_memdup() in a bunch of
places.
- CVE-2021-27219
-- Marc Deslauriers <email address hidden> Tue, 02 Mar 2021 11:30:03 -0500
-
glib2.0 (2.66.1-2) unstable; urgency=medium
* Cherry-pick patches from the glib-2-66 branch upstream
- Fixes the regression called out in 2.66.1-1's changelog.
* Add-a-test-for-the-6-days-until-EOM-bug.patch,
Fix-the-6-days-until-the-end-of-the-month-bug.patch: Cherry-pick upstream
mr!1705 to not break on timezones built with `zic -b slim`
-- Iain Lane <email address hidden> Fri, 16 Oct 2020 17:38:50 +0100
-
glib2.0 (2.66.0-2) unstable; urgency=medium
* Team upload
* d/p/glocalfile-Never-require-G_LOCAL_FILE_STAT_FIELD_ATIME.patch:
Add proposed patch to fix file copying on ZFS and CIFS (Closes: #970228)
* d/p/gdbus-server-auth-Don-t-usually-test-non-EXTERNAL-repeate.patch:
Add proposed patch to work around DBUS_COOKIE_SHA1 test failures
* d/p/Revert-gtk-doc-dependency-to-1.32.patch: Move to debian subdirectory.
This patch is not intended to go upstream.
-- Simon McVittie <email address hidden> Tue, 15 Sep 2020 22:12:49 +0100
-
glib2.0 (2.66.0-1) unstable; urgency=medium
* Team upload
* New upstream stable release
- Fix missing tab in makefile rule
- guri: Fix user passed to g_uri_split_with_user() not being NULL'd
- Translation updates:
* d/watch: Only watch for stable releases
* d/p/gdbusauthmechanismsha1-Use-the-same-timeouts-as-libdbus.patch:
Add patch to fix intermittent test failures on slower architectures.
This narrowly missed the upstream code freeze, and should be in 2.66.1.
-- Simon McVittie <email address hidden> Fri, 11 Sep 2020 09:18:58 +0100
-
glib2.0 (2.65.3-1) experimental; urgency=medium
* New upstream release
+ Fixes to the new `statx()` calls — note that since GLib 2.65.2 uses
`statx()` (if available) instead of
`stat()`/`fstat()`/`lstat()`/`fstatat()`, syscall sandboxing for third
party applications might need to be updated
+ Also includes "Fix splice behavior on cancellation", a fix for a bug
which was affecting tracker - particularly its autopkgtests.
-- Iain Lane <email address hidden> Thu, 03 Sep 2020 18:55:20 +0100
-
glib2.0 (2.65.2-1) experimental; urgency=medium
* Team upload
* New upstream development release
* d/rules: Run gtk-doc checks, even if building indep-only.
Previously we would only run the gtk-doc checks if building
architecture-dependent and -independent packages in the same build,
which is done on Ubuntu amd64 buildds, but not on any Debian buildds.
* Reduce dependency to the version of gtk-doc-tools from unstable.
Instead of being some random snapshot from upstream git, this is the
last release plus some selected patches. In particular, it has enough
fixes to make the gtk-doc tests pass (Closes: #968975).
* d/libglib2.0-tests.lintian-overrides: Update
-- Simon McVittie <email address hidden> Tue, 25 Aug 2020 12:44:02 +0100
-
glib2.0 (2.65.1-1ubuntu1) groovy; urgency=medium
* Skip glib-doc-check, which now fails in experimental & groovy. See Debian bug
968975.
-- Dimitri John Ledkov <email address hidden> Mon, 24 Aug 2020 23:40:28 +0100
-
glib2.0 (2.65.1-1) experimental; urgency=medium
[ Sebastien Bacher ]
* debian/control.in:
- let libglib2.0-tests Depends on libglib2.0-0 (= ${binary:Version}),
otherwise we can end up with failures due to out of sync versions
[ Simon McVittie ]
* d/shlibs.local: Upgrade all binary packages in lockstep.
Like many projects where one source package builds multiple binary
packages, GLib has private headers that share non-public interfaces
between its binary packages. Instead of setting this up for individual
binary packages, we can tell dpkg-shlibdeps to generate lockstep
dependencies whenever one of our binary packages depends on our shared
libraries.
* d/watch, d/control.in, d/gbp.conf: Branch for experimental
* New upstream development release
- Require the experimental version of gtk-doc-tools.
GLib 2.65.x requires a version that hasn't been released yet.
- Update symbols file
- Drop patches that were applied upstream
-- Simon McVittie <email address hidden> Fri, 07 Aug 2020 15:44:34 +0100
-
glib2.0 (2.64.4-1build1) groovy; urgency=medium
* No change rebuild against new libffi ABI.
-- Dimitri John Ledkov <email address hidden> Thu, 20 Aug 2020 13:05:59 +0100
-
glib2.0 (2.64.4-1) unstable; urgency=medium
* Team upload
* New upstream release
- Improve async-signal-safety
* d/tests/build: Don't exercise static linking for GIO.
libmount will no longer support being linked statically from 2.35.2-8
onwards. For now I'm continuing to test that the other libraries can
still be statically linked, but please consider them to be "at risk".
(Closes: #963933)
* Re-enable libmount support.
libmount no longer depends on libcryptsetup, avoiding the various
crashes that we are working around. Future versions will dlopen it
on-demand, which should also avoid those crashes. Bump the
build-dependency to a suitable version.
* d/p/tests-Use-g_assert_-in-cancellable-test-rather-than-g_ass.patch,
d/p/gcancellable-Fix-minor-race-between-GCancellable-and-GCan.patch:
Split combined d/p/git_gsource_segfault.patch into its two component
upstream commits, and add metadata
* d/p/glib-compile-resources-Fix-exporting-on-Visual-Studio.patch,
d/p/gdesktopappinfo-Fix-unnecessarily-copied-and-leaked-URI-l.patch:
Add post-release bugfixes from upstream
-- Simon McVittie <email address hidden> Tue, 07 Jul 2020 13:33:01 +0100
-
glib2.0 (2.64.3-2) unstable; urgency=medium
* Team upload
* Temporarily disable libmount support.
Recent Debian revisions of libmount pull in libcryptsetup as a
dependency, for dm-verity support. libcryptsetup depends on json-c
and OpenSSL, causing crashes due to symbol conflicts with other
JSON libraries (jansson and json-glib, for example in firewalld and
virt-manager) and with statically-linked copies of OpenSSL (for
example in Steam and Minecraft). Until this is resolved in some
other way, disable libmount and parse /etc/fstab and /proc/mounts
ourselves, as we do in libglib2.0-udeb.
Mitigates: #963933, #963932, #963525, #963721
-- Simon McVittie <email address hidden> Thu, 02 Jul 2020 10:05:03 +0100
-
glib2.0 (2.64.3-1) unstable; urgency=medium
* Team upload
[ Laurent Bigonville ]
* Drop the libgio-fam package, and install the fam GIO plugin in
libglib2.0-0 on Hurd ports. See: #885011 (Closes: #875915)
* Stop building the libgio-fam package on kFreeBSD ports.
It is no longer necessary now that gkqueuefilemonitor is available.
[ Simon McVittie ]
* Clarify changelog entry regarding Hurd and kFreeBSD
* New upstream stable release
-- Simon McVittie <email address hidden> Fri, 29 May 2020 20:24:33 +0100
-
glib2.0 (2.64.2-1) unstable; urgency=medium
[ Simon McVittie ]
* Add Breaks on older versions of gimp, which used a syntactically
invalid property name in a plugin, and would crash when GObject
rejects syntactically invalid property names
[ Sebastien Bacher ]
* New upstream release
* debian/patches/git_gsource_segfault.patch:
- backport an upstream git change to fix a signal handler disconnect
segfault situation (lp: #1872153)
-- Sebastien Bacher <email address hidden> Wed, 15 Apr 2020 23:01:50 +0200
-
glib2.0 (2.64.2-1~fakesync1) focal; urgency=medium
[ Simon McVittie ]
* Add Breaks on older versions of gimp, which used a syntactically
invalid property name in a plugin, and would crash when GObject
rejects syntactically invalid property names
[ Sebastien Bacher ]
* New upstream release
* debian/patches/git_gsource_segfault.patch:
- backport an upstream git change to fix a signal handler disconnect
segfault situation (lp: #1872153)
-- Sebastien Bacher <email address hidden> Wed, 15 Apr 2020 23:01:50 +0200