%20--%3e%3csvg%20version='1.1'%20id='Layer_1'%20x='0px'%20y='0px'%20viewBox='0%200%20107.30001%20140.79999'%20xml:space='preserve'%20sodipodi:docname='mind_logo_positief.svg'%20width='107.30001'%20height='140.79999'%20xmlns:inkscape='http://www.inkscape.org/namespaces/inkscape'%20xmlns:sodipodi='http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd'%20xmlns='http://www.w3.org/2000/svg'%20xmlns:svg='http://www.w3.org/2000/svg'%3e%3cdefs%20id='defs29'%20/%3e%3csodipodi:namedview%20id='namedview29'%20pagecolor='%23505050'%20bordercolor='%23eeeeee'%20borderopacity='1'%20inkscape:showpageshadow='0'%20inkscape:pageopacity='0'%20inkscape:pagecheckerboard='0'%20inkscape:deskcolor='%23d1d1d1'%3e%3cinkscape:page%20x='0'%20y='0'%20width='107.30001'%20height='140.79999'%20id='page2'%20margin='0'%20bleed='0'%20/%3e%3c/sodipodi:namedview%3e%3cstyle%20type='text/css'%20id='style1'%3e%20.st0{fill:%231F1FA3;}%20.st1{fill:url(%23SVGID_1_);}%20.st2{fill:url(%23SVGID_00000033333245342322421190000001486717665348835473_);}%20.st3{fill:url(%23SVGID_00000075852413222229328580000001131059578544388517_);}%20%3c/style%3e%3cg%20id='g9'%20transform='translate(-21.299999,-20.6)'%3e%3clinearGradient%20id='SVGID_1_'%20gradientUnits='userSpaceOnUse'%20x1='4.8695998'%20y1='142.78'%20x2='99.248901'%20y2='35.348301'%3e%3cstop%20offset='0'%20style='stop-color:%2347EFF0'%20id='stop4'%20/%3e%3cstop%20offset='1'%20style='stop-color:%23297BFF'%20id='stop5'%20/%3e%3c/linearGradient%3e%3crect%20x='21.299999'%20y='64'%20class='st1'%20width='19.9'%20height='97.400002'%20id='rect5'%20style='fill:url(%23SVGID_1_)'%20/%3e%3clinearGradient%20id='SVGID_00000007421653842672228110000012418760815982452352_'%20gradientUnits='userSpaceOnUse'%20x1='23.7796'%20y1='159.3925'%20x2='118.1588'%20y2='51.9608'%3e%3cstop%20offset='0'%20style='stop-color:%2347EFF0'%20id='stop6'%20/%3e%3cstop%20offset='1'%20style='stop-color:%23297BFF'%20id='stop7'%20/%3e%3c/linearGradient%3e%3cpath%20style='fill:url(%23SVGID_00000007421653842672228110000012418760815982452352_)'%20d='M%2072.3,64%20H%2064%20v%2075.2%20H%2085.1%20V%2076.8%20C%2085.1,69.7%2079.4,64%2072.3,64%20Z'%20id='path7'%20/%3e%3clinearGradient%20id='SVGID_00000072986549029232277750000008760038133176911550_'%20gradientUnits='userSpaceOnUse'%20x1='20.501699'%20y1='156.51289'%20x2='114.881'%20y2='49.0812'%3e%3cstop%20offset='0'%20style='stop-color:%2347EFF0'%20id='stop8'%20/%3e%3cstop%20offset='1'%20style='stop-color:%23297BFF'%20id='stop9'%20/%3e%3c/linearGradient%3e%3cpath%20style='fill:url(%23SVGID_00000072986549029232277750000008760038133176911550_)'%20d='M%2073.6,20.6%20H%2064%20v%2019.9%20h%209.6%20c%2019.3,0%2035.1,15.7%2035.1,35.1%20v%2044.3%20h%2019.9%20V%2075.6%20c%200,-30.3%20-24.7,-55%20-55,-55%20z'%20id='path9'%20/%3e%3c/g%3e%3c/svg%3e)
Name
glib-2.0
Version
2.78.6
Type
library
Description
A general-purpose utility library
Licenses
LGPL-2.1-or-later & BSD-3-Clause & PD
PURL
-
CPE
cpe:2.3:*:*:glib-2.0:2.78.6:*:*:*:*:*:*:*
Other Versions#
Patches#
#
Title
Author
Resolve
1
meson: Run atomics test on clang as well
Khem Raj <raj.khem@gmail.com>
2
gdatetime: Fix integer overflow when parsing very long
Philip Withnall <pwithnall@gnome.org>
CVE-2025-3360
3
gvariant-parser: Convert error handling code to use size_t
Philip Withnall <pwithnall@gnome.org>
CVE-2025-14087
4
glib/tests/unicode: Add test debug information when parsing
=?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
CVE-2026-1489
5
Install gio-querymodules as libexec_PROGRAM
Jussi Kukkonen <jussi.kukkonen@intel.com>
6
guniprop: Use size_t for output_marks length
=?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
CVE-2026-1489
7
guniprop: Ensure we do not overflow size in
=?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
CVE-2026-1489
8
gdatetime: Fix potential integer overflow in timezone
Philip Withnall <pwithnall@gnome.org>
CVE-2025-3360
9
gdatetime test: Do not assume PST8PDT was always exactly
"Rebecca N. Palmer" <rebecca_palmer@zoho.com>
10
gio/gcontenttype-fdo: Do not overflow if header is longer
Marco Trevisan <mail@3v1n0.net>
CVE-2026-1485
11
meson.build: do not enable pidfd features on native glib
Alexander Kanavin <alex@linutronix.de>
12
Fix DATADIRNAME on uclibc/Linux
Khem Raj <raj.khem@gmail.com>
13
gdatetime: Factor out an undersized variable
Philip Withnall <pwithnall@gnome.org>
CVE-2025-3360
14
fuzzing: Add fuzz tests for g_filename_{to,from}_uri()
Philip Withnall <pwithnall@gnome.org>
CVE-2025-13601
15
gio/tests/resources.c: comment out a build host-only test
Alexander Kanavin <alex.kanavin@gmail.com>
16
gstring: Fix g_string_sized_new segmentation fault
Tobias Stoeckmann <tobias@stoeckmann.org>
CVE-2025-6052
17
gvariant-parser: Use size_t to count numbers of child
Philip Withnall <pwithnall@gnome.org>
CVE-2025-14087
18
gstring: Improve g_string_append_len_inline checks
Tobias Stoeckmann <tobias@stoeckmann.org>
CVE-2025-6052
19
gfileutils: fix computation of temporary file name
Michael Catanzaro <mcatanzaro@redhat.com>
CVE-2025-7039
20
gvariant-parser: Fix potential integer overflow parsing
Philip Withnall <pwithnall@gnome.org>
CVE-2025-14087
21
gstring: Fix overflow check when expanding the string
Philip Withnall <pwithnall@gnome.org>
CVE-2025-6052
22
gsocks4aproxy: Fix a single byte buffer overflow in connect
Michael Catanzaro <mcatanzaro@redhat.com>
CVE-2024-52533
23
gstring: carefully handle gssize parameters
Michael Catanzaro <mcatanzaro@redhat.com>
CVE-2025-4373
24
gdatetime: Track timezone length as an unsigned size_t
Philip Withnall <pwithnall@gnome.org>
CVE-2025-3360
25
Skip /timeout/rounding test
Ross Burton <ross.burton@arm.com>
26
gdatetime: Factor out some string pointer arithmetic
Philip Withnall <pwithnall@gnome.org>
CVE-2025-3360
27
Remove the warning about deprecated paths in schemas
Alexander Kanavin <alex.kanavin@gmail.com>
28
tests: Add some missing GDateTime ISO8601 parsing tests
Philip Withnall <pwithnall@gnome.org>
CVE-2025-3360
29
gbase64: Use gsize to prevent potential overflow
Marco Trevisan <mail@3v1n0.net>
CVE-2026-1484
30
gdatetime test: Try to make PST8PDT test more obviously
Simon McVittie <smcv@debian.org>
31
Do not hardcode python path into various tools
Alexander Kanavin <alex.kanavin@gmail.com>
32
Set host_machine correctly when building with mingw32
Alexander Kanavin <alex.kanavin@gmail.com>
33
Do not write $bindir into pkg-config files
Alexander Kanavin <alex.kanavin@gmail.com>
34
Switch from the deprecated distutils module to the packaging
Jordan Williams <jordan@jwillikers.com>
35
guniprop: Do not convert size_t to gint
=?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
CVE-2026-1489
36
gdatetime test: Fall back if legacy System V PST8PDT is
Simon McVittie <smcv@debian.org>
37
glib-2.0: relocate the GIO module directory for native builds
Ross Burton <ross.burton@intel.com>
38
gbufferedinputstream: Fix a potential integer overflow in
Philip Withnall <pwithnall@gnome.org>
CVE-2026-0988
39
gstring: Make len_unsigned unsigned
Peter Bloomfield <peterbloomfield@bellsouth.net>
CVE-2025-4373
40
gfileattribute: Fix integer overflow calculating escaping for
Philip Withnall <pwithnall@gnome.org>
CVE-2025-14512
41
gconvert: Error out if g_escape_uri_string() would overflow
Philip Withnall <pwithnall@gnome.org>
CVE-2025-13601
42
gbase64: Ensure that the out value is within allocated size
=?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
CVE-2026-1484
43
Merge branch '2887-memory-monitor-tests' into 'main'
Philip Withnall <philip@tecnocode.co.uk>
Vulnerabilities#
Name
Analysis
Description
Patched
A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.
Patched
A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.
Patched
A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.
Patched
A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).
Patched
A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.
Patched
A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.
Patched
A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.
False Positive
A flaw was found in GLib. A denial of service on Windows platforms may occur if an application attempts to spawn a program using long command lines.
Patched
A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.
Patched
A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.
Patched
A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.
Patched
A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.
Patched
gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character.