CVE-2021-27218

NameCVE-2021-27218
DescriptionAn issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3044-1
Debian Bugs982779

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
glib2.0 (PTS)buster2.58.3-2+deb10u3fixed
buster (security)2.58.3-2+deb10u5fixed
bullseye2.66.8-1+deb11u1fixed
bookworm2.74.6-2fixed
trixie2.78.4-1fixed
sid2.78.4-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
glib2.0sourcestretch2.50.3-2+deb9u3DLA-3044-1
glib2.0sourcebuster2.58.3-2+deb10u3
glib2.0source(unstable)2.66.7-1982779

Notes

https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942
Test case depends on CVE-2021-27219 fix
Search for package or bug name: Reporting problems