%20--%3e%3csvg%20version='1.1'%20id='Layer_1'%20x='0px'%20y='0px'%20viewBox='0%200%20107.30001%20140.79999'%20xml:space='preserve'%20sodipodi:docname='mind_logo_positief.svg'%20width='107.30001'%20height='140.79999'%20xmlns:inkscape='http://www.inkscape.org/namespaces/inkscape'%20xmlns:sodipodi='http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd'%20xmlns='http://www.w3.org/2000/svg'%20xmlns:svg='http://www.w3.org/2000/svg'%3e%3cdefs%20id='defs29'%20/%3e%3csodipodi:namedview%20id='namedview29'%20pagecolor='%23505050'%20bordercolor='%23eeeeee'%20borderopacity='1'%20inkscape:showpageshadow='0'%20inkscape:pageopacity='0'%20inkscape:pagecheckerboard='0'%20inkscape:deskcolor='%23d1d1d1'%3e%3cinkscape:page%20x='0'%20y='0'%20width='107.30001'%20height='140.79999'%20id='page2'%20margin='0'%20bleed='0'%20/%3e%3c/sodipodi:namedview%3e%3cstyle%20type='text/css'%20id='style1'%3e%20.st0{fill:%231F1FA3;}%20.st1{fill:url(%23SVGID_1_);}%20.st2{fill:url(%23SVGID_00000033333245342322421190000001486717665348835473_);}%20.st3{fill:url(%23SVGID_00000075852413222229328580000001131059578544388517_);}%20%3c/style%3e%3cg%20id='g9'%20transform='translate(-21.299999,-20.6)'%3e%3clinearGradient%20id='SVGID_1_'%20gradientUnits='userSpaceOnUse'%20x1='4.8695998'%20y1='142.78'%20x2='99.248901'%20y2='35.348301'%3e%3cstop%20offset='0'%20style='stop-color:%2347EFF0'%20id='stop4'%20/%3e%3cstop%20offset='1'%20style='stop-color:%23297BFF'%20id='stop5'%20/%3e%3c/linearGradient%3e%3crect%20x='21.299999'%20y='64'%20class='st1'%20width='19.9'%20height='97.400002'%20id='rect5'%20style='fill:url(%23SVGID_1_)'%20/%3e%3clinearGradient%20id='SVGID_00000007421653842672228110000012418760815982452352_'%20gradientUnits='userSpaceOnUse'%20x1='23.7796'%20y1='159.3925'%20x2='118.1588'%20y2='51.9608'%3e%3cstop%20offset='0'%20style='stop-color:%2347EFF0'%20id='stop6'%20/%3e%3cstop%20offset='1'%20style='stop-color:%23297BFF'%20id='stop7'%20/%3e%3c/linearGradient%3e%3cpath%20style='fill:url(%23SVGID_00000007421653842672228110000012418760815982452352_)'%20d='M%2072.3,64%20H%2064%20v%2075.2%20H%2085.1%20V%2076.8%20C%2085.1,69.7%2079.4,64%2072.3,64%20Z'%20id='path7'%20/%3e%3clinearGradient%20id='SVGID_00000072986549029232277750000008760038133176911550_'%20gradientUnits='userSpaceOnUse'%20x1='20.501699'%20y1='156.51289'%20x2='114.881'%20y2='49.0812'%3e%3cstop%20offset='0'%20style='stop-color:%2347EFF0'%20id='stop8'%20/%3e%3cstop%20offset='1'%20style='stop-color:%23297BFF'%20id='stop9'%20/%3e%3c/linearGradient%3e%3cpath%20style='fill:url(%23SVGID_00000072986549029232277750000008760038133176911550_)'%20d='M%2073.6,20.6%20H%2064%20v%2019.9%20h%209.6%20c%2019.3,0%2035.1,15.7%2035.1,35.1%20v%2044.3%20h%2019.9%20V%2075.6%20c%200,-30.3%20-24.7,-55%20-55,-55%20z'%20id='path9'%20/%3e%3c/g%3e%3c/svg%3e)
Name
glib-2.0
Version
2.72.3
Type
library
Description
A general-purpose utility library
Licenses
LGPL-2.1-or-later & BSD-3-Clause & PD
PURL
-
CPE
cpe:2.3:*:*:glib-2.0:2.72.3:*:*:*:*:*:*:*
Other Versions#
Patches#
#
Title
Author
Resolve
1
meson: Run atomics test on clang as well
Khem Raj <raj.khem@gmail.com>
2
gdatetime: Fix integer overflow when parsing very long
Philip Withnall <pwithnall@gnome.org>
CVE-2025-3360
3
gvariant-serialiser: Check offset table entry size is minimal
Philip Withnall <pwithnall@endlessos.org>
CVE-2023-29499
4
gdbusconnection: Move SignalData, SignalSubscriber
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
5
gvariant-parser: Convert error handling code to use size_t
Philip Withnall <pwithnall@gnome.org>
CVE-2025-14087
6
glib/tests/unicode: Add test debug information when parsing
=?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
CVE-2026-1489
7
Install gio-querymodules as libexec_PROGRAM
Jussi Kukkonen <jussi.kukkonen@intel.com>
8
guniprop: Use size_t for output_marks length
=?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
CVE-2026-1489
9
guniprop: Ensure we do not overflow size in
=?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
CVE-2026-1489
10
gdbus-proxy test: Wait before asserting name owner has
Simon McVittie <smcv@debian.org>
CVE-2024-34397
11
gdatetime: Fix potential integer overflow in timezone
Philip Withnall <pwithnall@gnome.org>
CVE-2025-3360
12
gdatetime test: Do not assume PST8PDT was always exactly
"Rebecca N. Palmer" <rebecca_palmer@zoho.com>
13
tests: Ensure that unsubscribing with GetNameOwner
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
14
tests: Add test coverage for signals that match the
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
15
gvariant-core: Consolidate construction of
William Manley <will@stb-tester.com>
CVE-2023-32665
16
gio/gcontenttype-fdo: Do not overflow if header is longer
Marco Trevisan <mail@3v1n0.net>
CVE-2026-1485
17
gdbusconnection: Factor out add_signal_data()
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
18
gvariant: Fix g_variant_byteswap() returning non-normal data
Philip Withnall <pwithnall@endlessos.org>
CVE-2023-32611
19
Fix DATADIRNAME on uclibc/Linux
Khem Raj <raj.khem@gmail.com>
20
gdatetime: Factor out an undersized variable
Philip Withnall <pwithnall@gnome.org>
CVE-2025-3360
21
fuzzing: Add fuzz tests for g_filename_{to,from}_uri()
Philip Withnall <pwithnall@gnome.org>
CVE-2025-13601
22
gvariant: Propagate trust when getting a child of a
Philip Withnall <pwithnall@endlessos.org>
CVE-2023-32636
23
gio/tests/resources.c: comment out a build host-only test
Alexander Kanavin <alex.kanavin@gmail.com>
24
gvariant-parser: Use size_t to count numbers of child
Philip Withnall <pwithnall@gnome.org>
CVE-2025-14087
25
Do not ignore return value of write()
Khem Raj <raj.khem@gmail.com>
26
gvariant-parser: Fix potential integer overflow parsing
Philip Withnall <pwithnall@gnome.org>
CVE-2025-14087
27
gdbusconnection: Make a backport of g_set_str()
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
28
gvariant-serialiser: Rework child size calculation
Philip Withnall <pwithnall@endlessos.org>
CVE-2023-32665
29
gsocks4aproxy: Fix a single byte buffer overflow in connect
Michael Catanzaro <mcatanzaro@redhat.com>
CVE-2024-52533
30
Enable more tests while cross-compiling
Jussi Kukkonen <jussi.kukkonen@intel.com>
31
gstring: carefully handle gssize parameters
Michael Catanzaro <mcatanzaro@redhat.com>
CVE-2025-4373
32
gio/tests/g-file-info: don't assume million-in-one events
Ross Burton <ross.burton@arm.com>
33
gdatetime: Track timezone length as an unsigned size_t
Philip Withnall <pwithnall@gnome.org>
CVE-2025-3360
34
gdatetime: Factor out some string pointer arithmetic
Philip Withnall <pwithnall@gnome.org>
CVE-2025-3360
35
gdbusconnection: Stop storing sender_unique_name in
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
36
Remove the warning about deprecated paths in schemas
Alexander Kanavin <alex.kanavin@gmail.com>
37
tests: Add a test-case for what happens if a unique
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
38
gdbus: Track name owners for signal subscriptions
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
39
tests: Add some missing GDateTime ISO8601 parsing tests
Philip Withnall <pwithnall@gnome.org>
CVE-2025-3360
40
gbase64: Use gsize to prevent potential overflow
Marco Trevisan <mail@3v1n0.net>
CVE-2026-1484
41
gdatetime test: Try to make PST8PDT test more obviously
Simon McVittie <smcv@debian.org>
42
Do not hardcode python path into various tools
Alexander Kanavin <alex.kanavin@gmail.com>
43
gdbusconnection: Don't deliver signals if the sender
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
44
Set host_machine correctly when building with mingw32
Alexander Kanavin <alex.kanavin@gmail.com>
45
gvariant: Don't allow child elements of a tuple to overlap
Philip Withnall <pwithnall@endlessos.org>
CVE-2023-32665
46
tests: Add support for subscribing to signals from a
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
47
tests: Add a test for matching by two well-known names
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
48
Do not write $bindir into pkg-config files
Alexander Kanavin <alex.kanavin@gmail.com>
49
gvariant-serialiser: Factor out code to get bounds of a tuple
Philip Withnall <pwithnall@endlessos.org>
CVE-2023-32665
50
gvariant-serialiser: Factor out functions for dealing with
William Manley <will@stb-tester.com>
CVE-2023-32665
51
gvariant: Port g_variant_deep_copy() to count its iterations
Philip Withnall <pwithnall@endlessos.org>
CVE-2023-32665
52
gdbusmessage: Cache the arg0 value
Philip Withnall <pwithnall@gnome.org>
CVE-2024-34397
53
gvariant: Track checked and ordered offsets independently
Philip Withnall <pwithnall@endlessos.org>
CVE-2023-32665
54
tests: Add a data-driven test for signal subscriptions
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
55
guniprop: Do not convert size_t to gint
=?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
CVE-2026-1489
56
gdatetime test: Fall back if legacy System V PST8PDT is
Simon McVittie <smcv@debian.org>
57
gvariant: Check offset table doesn't fall outside variant
Philip Withnall <pwithnall@endlessos.org>
CVE-2023-32643
58
gvariant: Allow g_variant_byteswap() to operate on tree-form
Philip Withnall <pwithnall@endlessos.org>
CVE-2023-32611
59
glib/gfileutils.c: use 64 bits for value in get_tmp_file()
Alexander Kanavin <alex@linutronix.de>
CVE-2025-7039
60
gfileutils: fix computation of temporary file name
Michael Catanzaro <mcatanzaro@redhat.com>
CVE-2025-7039
61
glib-2.0: relocate the GIO module directory for native builds
Ross Burton <ross.burton@intel.com>
62
gdbusconnection: Factor out signal_data_new_take()
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
63
gbufferedinputstream: Fix a potential integer overflow in
Philip Withnall <pwithnall@gnome.org>
CVE-2026-0988
64
gstring: Make len_unsigned unsigned
Peter Bloomfield <peterbloomfield@bellsouth.net>
CVE-2025-4373
65
gdbusconnection: Factor out
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
66
gfileattribute: Fix integer overflow calculating escaping for
Philip Withnall <pwithnall@gnome.org>
CVE-2025-14512
67
gvariant: Don't allow child elements to overlap with each
William Manley <will@stb-tester.com>
CVE-2023-32665
68
gconvert: Error out if g_escape_uri_string() would overflow
Philip Withnall <pwithnall@gnome.org>
CVE-2025-13601
69
gvariant: Zero-initialise various GVariantSerialised objects
Philip Withnall <pwithnall@endlessos.org>
CVE-2023-32665
70
tests: Add a test for signal filtering by well-known
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
71
gbase64: Ensure that the out value is within allocated size
=?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
CVE-2026-1484
72
gdbusprivate: Add symbolic constants for the message
Simon McVittie <smcv@collabora.com>
CVE-2024-34397
73
gvariant-serialiser: Convert endianness of offsets
Simon McVittie <smcv@collabora.com>
Vulnerabilities#
Name
Analysis
Description
Patched
A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.
Patched
A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.
Patched
A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.
Patched
A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).
Patched
A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.
Patched
A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.
Patched
A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.
Patched
A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.
Patched
A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.
Patched
A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.
Patched
gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character.
Patched
An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.
Patched
A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.
Patched
A flaw was found in GLib. The GVariant deserialization code is vulnerable to a heap buffer overflow introduced by the fix for CVE-2023-32665. This bug does not affect any released version of GLib, but does affect GLib distributors who followed the guidance of GLib developers to backport the initial fix for CVE-2023-32665.
Patched
A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.
Patched
A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.
Patched
A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.