GHSL-2021-045: integer overflow in g_bytes_new/g_memdup
GLib > 2.66.6 offers a new g_memdup2 function which fixes a vulnerability g_memdup has; see https://gitlab.gnome.org/GNOME/glib/-/issues/2319 for more details.
Unfortunately, upstream won't backport the fix to anything other than the 2.66 branch (but applications on stable branches which use glib older than 2.66 probably couldn't be switched over to the new API anyway).
- Update glib to >= 2.66.6 in edge 45e7a61b
- Update glib to >= 2.66.6 in 3.13 13c57372
- Once a new Vala release is made which emits C code that uses g_memdup2 instead of g_memdup, rebuild all Vala packages
CC @Leo
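
The integer overflow named in the title comes from g_memdup taking its length as a guint while callers such as g_bytes_new hold a gsize; g_memdup2 takes a gsize instead. The following is an added example, not part of the original issue and not GLib code: it models that truncation with plain C types (`legacy_memdup`, `size_seen_by_legacy` and `checked_memdup` are hypothetical names) and assumes a platform where size_t is wider than unsigned int.

```c
/* Added example: a model of the size truncation, not GLib source code. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same parameter shape as g_memdup(): the length is an unsigned int (guint). */
static void *legacy_memdup(const void *mem, unsigned int byte_size)
{
    void *copy;

    if (mem == NULL || byte_size == 0)
        return NULL;
    copy = malloc(byte_size);
    if (copy != NULL)
        memcpy(copy, mem, byte_size);
    return copy;
}

/* Length the callee receives when a size_t (gsize) is passed as a guint. */
static unsigned int size_seen_by_legacy(size_t requested)
{
    return (unsigned int)requested; /* high bits are dropped silently */
}

/* Hypothetical guard for callers stuck on the old API: refuse, never truncate. */
static void *checked_memdup(const void *mem, size_t byte_size)
{
    if (byte_size > UINT_MAX)
        return NULL;
    return legacy_memdup(mem, (unsigned int)byte_size);
}

int main(void)
{
    /* Constructed value: one past the guint range plus 16 bytes. */
    size_t requested = (size_t)UINT_MAX + 17;
    char *copy = checked_memdup("glib", sizeof "glib");

    printf("caller asked for %zu bytes, legacy callee allocates %u\n",
           requested, size_seen_by_legacy(requested));
    printf("checked_memdup with oversized length: %s\n",
           checked_memdup("glib", requested) ? "copied" : "refused");
    printf("checked_memdup with 5 bytes: %s\n", copy ? copy : "(null)");
    free(copy);
    return 0;
}
```

A caller that still believes the buffer has the originally requested length will read or write past the much smaller allocation, which is why generated C code that calls g_memdup needs to be rebuilt against g_memdup2.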