author Philip Withnall <pwithnall@endlessos.org> 2021-02-03 15:27:28 +0000
committer Philip Withnall <pwithnall@endlessos.org> 2021-02-03 15:27:28 +0000
commit 79c5866d316767d06573df01bf1598a122fbecd7 (patch)
tree 99f42979d032f357dc6abdc7a125734265438b93
parent 0051c06355b54cda2c8a753004e7887979c627c2 (diff)
2.66.5
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
-rw-r--r-- NEWS 32
-rw-r--r-- meson.build 2
2 files changed, 33 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 56d27f633..a9becc926 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,35 @@
+Overview of changes in GLib 2.66.5
+==================================
+
+* Fix some issues with handling over-long (invalid) input when parsing for `GDate` (!1824)
+
+* Don’t load GIO modules or parse other GIO environment variables when `AT_SECURE`
+ is set (i.e. in a setuid/setgid/setcap process). GIO has always been
+ documented as not being safe to use in privileged processes, but people persist
+ in using it unsafely, so these changes should harden things against potential
+ attacks at least a little. Unfortunately they break a couple of projects which
+ were relying on reading `DBUS_SESSION_BUS_ADDRESS`, so GIO continues to read
+ that for setgid/setcap (but not setuid) processes. This loophole will be closed
+ in GLib 2.70 (see issue #2316), which should give modules 6 months to change
+ their behaviour. (Work by Simon McVittie and Philip Withnall) (#2168, #2305)
+
+* Fix `g_spawn()` searching `PATH` when it wasn’t meant to (work by
+ Simon McVittie and Thomas Haller) (!1913)
+
+* Bugs fixed:
+ - #2168 giomodule: Loads GIO modules even if setuid, etc.
+ - #2210 g_private_replace ordering issue
+ - #2305 GIO security hardening causing gnome-keyring to regress when session bus is provided by dbus-launch (dbus-x11)
+ - !1820 gthread: Destroy value after replacing it in g_private_replace()
+ - !1824 Backport !1821 “gdate: Limit length of dates which can be parsed as valid” to glib-2-66
+ - !1831 gdatetime.c: Fix MSVC builds for lack of NAN items
+ - !1836 Backport !1827 “Windows: fix FD_READ condition flag still set on recoverable UDP socket errors.” to glib-2-66
+ - !1864 Backport !1862 “gio: Ignore various environment variables when running as setuid” to glib-2-66
+ - !1872 Backport !1868 “gdesktopappinfo: Fix validation of XDG_CURRENT_DESKTOP” to glib-2-66
+ - !1913 Backport !1902 “spawn: Don't set a search path if we don't want to search PATH” to glib-2-66
+ - !1922 Backport !1920 “Resolve GDBus regressions in setcap/setgid programs” to glib-2-66
+
+
Overview of changes in GLib 2.66.4
==================================
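Review bot: two fixes in this hunk appear only in the "Bugs fixed" list and get no headline bullet: !1872 (gdesktopappinfo: validation of `XDG_CURRENT_DESKTOP`), which is input-validation hardening in the same spirit as the `GDate` over-long input fix, and !1820/#2210 (g_private_replace destroying the old value only after replacing it). A one-line bullet for each would let readers scanning the highlights see them. In the `AT_SECURE` bullet, it would also help downstream packagers to state plainly that the continued reading of `DBUS_SESSION_BUS_ADDRESS` in setgid/setcap (but not setuid) processes is a deliberate, temporary weakening of the hardening until GLib 2.70 closes it (issue #2316), so that anyone shipping a setgid/setcap program using GIO knows that variable is still honoured from the environment in this release.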
diff --git a/meson.build b/meson.build
index d938ddf51..f33421980 100644
--- a/meson.build
+++ b/meson.build
@@ -1,5 +1,5 @@
project('glib', 'c', 'cpp',
- version : '2.66.4',
+ version : '2.66.5',
# NOTE: We keep this pinned at 0.49 because that's what Debian 10 ships
meson_version : '>= 0.49.2',
default_options : [