{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [], "removed": [], "diff": [ "gir1.2-glib-2.0", "libglib2.0-0t64" ] } }, "diff": { "deb": [ { "name": "gir1.2-glib-2.0", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.5", "version": "2.80.0-6ubuntu3.5" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.6", "version": "2.80.0-6ubuntu3.6" }, "cves": [ { "cve": "CVE-2025-3360", "url": "https://ubuntu.com/security/CVE-2025-3360", "cve_description": "A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.", "cve_priority": "low", "cve_public_date": "2025-04-07 13:15:00 UTC" }, { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-3360", "url": "https://ubuntu.com/security/CVE-2025-3360", "cve_description": "A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.", "cve_priority": "low", "cve_public_date": "2025-04-07 13:15:00 UTC" }, { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: overflow via long invalid ISO 8601 timestamp", " - debian/patches/CVE-2025-3360-1.patch: fix integer overflow when", " parsing very long ISO8601 inputs in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-2.patch: fix potential integer overflow", " in timezone offset handling in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-3.patch: track timezone length as an", " unsigned size_t in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-4.patch: factor out some string pointer", " arithmetic in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-5.patch: factor out an undersized", " variable in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-6.patch: add some missing GDateTime", " ISO8601 parsing tests in glib/tests/gdatetime.c.", " - CVE-2025-3360", " * SECURITY UPDATE: GString overflow", " - debian/patches/CVE-2025-6052.patch: fix overflow check when expanding", " the string in glib/gstring.c.", " - CVE-2025-6052", " * SECURITY UPDATE: integer overflow in temp file creation", " - debian/patches/CVE-2025-7039.patch: fix computation of temporary file", " name in glib/gfileutils.c.", " - CVE-2025-7039", " * SECURITY UPDATE: heap overflow in g_escape_uri_string()", " - debian/patches/CVE-2025-13601.patch: add overflow check in", " glib/gconvert.c.", " - CVE-2025-13601", " * SECURITY UPDATE: buffer underflow through glib/gvariant", " - debian/patches/CVE-2025-14087-1.patch: fix potential integer overflow", " parsing (byte)strings in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-2.patch: use size_t to count numbers of", " child elements in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-3.patch: convert error handling code to", " use size_t in glib/gvariant-parser.c.", " - CVE-2025-14087", " * SECURITY UPDATE: integer overflow in gfileattribute", " - debian/patches/gfileattribute-overflow.patch: add overflow check in", " gio/gfileattribute.c.", " - No CVE number", "" ], "package": "glib2.0", "version": "2.80.0-6ubuntu3.6", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 10 Dec 2025 10:51:22 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libglib2.0-0t64", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.5", "version": "2.80.0-6ubuntu3.5" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.6", "version": "2.80.0-6ubuntu3.6" }, "cves": [ { "cve": "CVE-2025-3360", "url": "https://ubuntu.com/security/CVE-2025-3360", "cve_description": "A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.", "cve_priority": "low", "cve_public_date": "2025-04-07 13:15:00 UTC" }, { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-3360", "url": "https://ubuntu.com/security/CVE-2025-3360", "cve_description": "A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.", "cve_priority": "low", "cve_public_date": "2025-04-07 13:15:00 UTC" }, { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: overflow via long invalid ISO 8601 timestamp", " - debian/patches/CVE-2025-3360-1.patch: fix integer overflow when", " parsing very long ISO8601 inputs in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-2.patch: fix potential integer overflow", " in timezone offset handling in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-3.patch: track timezone length as an", " unsigned size_t in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-4.patch: factor out some string pointer", " arithmetic in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-5.patch: factor out an undersized", " variable in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-6.patch: add some missing GDateTime", " ISO8601 parsing tests in glib/tests/gdatetime.c.", " - CVE-2025-3360", " * SECURITY UPDATE: GString overflow", " - debian/patches/CVE-2025-6052.patch: fix overflow check when expanding", " the string in glib/gstring.c.", " - CVE-2025-6052", " * SECURITY UPDATE: integer overflow in temp file creation", " - debian/patches/CVE-2025-7039.patch: fix computation of temporary file", " name in glib/gfileutils.c.", " - CVE-2025-7039", " * SECURITY UPDATE: heap overflow in g_escape_uri_string()", " - debian/patches/CVE-2025-13601.patch: add overflow check in", " glib/gconvert.c.", " - CVE-2025-13601", " * SECURITY UPDATE: buffer underflow through glib/gvariant", " - debian/patches/CVE-2025-14087-1.patch: fix potential integer overflow", " parsing (byte)strings in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-2.patch: use size_t to count numbers of", " child elements in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-3.patch: convert error handling code to", " use size_t in glib/gvariant-parser.c.", " - CVE-2025-14087", " * SECURITY UPDATE: integer overflow in gfileattribute", " - debian/patches/gfileattribute-overflow.patch: add overflow check in", " gio/gfileattribute.c.", " - No CVE number", "" ], "package": "glib2.0", "version": "2.80.0-6ubuntu3.6", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 10 Dec 2025 10:51:22 -0500" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 24.04 noble image from daily image serial 20260105 to 20260107", "from_series": "noble", "to_series": "noble", "from_serial": "20260105", "to_serial": "20260107", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }