Bug 35052 - glib2.0 new security issues CVE-2025-3360, CVE-2025-7039, CVE-2025-13601, CVE-2025-14087, CVE-2025-14512 and CVE-2026-0988
Summary: glib2.0 new security issues CVE-2025-3360, CVE-2025-7039, CVE-2025-13601, CVE...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-01-22 15:41 CET by Nicolas Salguero
Modified: 2026-01-28 23:43 CET (History)

See Also:
Source RPM: glib2.0-2.76.3-1.5.mga9.src.rpm
CVE: CVE-2025-3360, CVE-2025-7039, CVE-2025-13601, CVE-2025-14087, CVE-2025-14512, CVE-2026-0988
Status comment:
herman.viaene: test_passed_mga9_64+
andrewsfarm: test_passed_mga9_32+


Description Nicolas Salguero 2026-01-22 15:41:41 CET
Ubuntu has issued an advisory on January 21:
https://ubuntu.com/security/notices/USN-7971-1
Nicolas Salguero 2026-01-22 15:42:24 CET

Source RPM: (none) => glib2.0-2.86.3-1.mga10.src.rpm, glib2.0-2.76.3-1.5.mga9.src.rpm
CVE: (none) => CVE-2026-0988
Whiteboard: (none) => MGA9TOO
Flags: (none) => affects_mga9+
Status comment: (none) => Patch available from Ubuntu

Comment 1 Nicolas Salguero 2026-01-22 16:21:20 CET
When looking at the patches from Ubuntu, I found I missed CVE-2025-3360, CVE-2025-7039, CVE-2025-13601, CVE-2025-14087 and CVE-2025-14512.

Whiteboard: MGA9TOO => (none)
Flags: affects_mga9+ => (none)
Version: Cauldron => 9
Summary: glib2.0 new security issue CVE-2026-0988 => glib2.0 new security issues CVE-2025-3360, CVE-2025-7039, CVE-2025-13601, CVE-2025-14087, CVE-2025-14512 and CVE-2026-0988
CVE: CVE-2026-0988 => CVE-2025-3360, CVE-2025-7039, CVE-2025-13601, CVE-2025-14087, CVE-2025-14512, CVE-2026-0988
Status comment: Patch available from Ubuntu => (none)

Nicolas Salguero 2026-01-22 16:21:26 CET

Source RPM: glib2.0-2.86.3-1.mga10.src.rpm, glib2.0-2.76.3-1.5.mga9.src.rpm => glib2.0-2.76.3-1.5.mga9.src.rpm

Comment 2 Nicolas Salguero 2026-01-22 16:38:15 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Glib prior to 2.82.5 is vulnerable to integer overflow and buffer under-read when parsing a very long invalid ISO 8601 timestamp with g_date_time_new_from_iso8601(). (CVE-2025-3360)

Buffer under-read on glib through glib/gfileutils.c via get_tmp_file(). (CVE-2025-7039)

Integer overflow in g_escape_uri_string(). (CVE-2025-13601)

Buffer underflow in gvariant parser leads to heap corruption. (CVE-2025-14087)

Integer overflow in glib gio attribute escaping causes heap buffer overflow. (CVE-2025-14512)

Denial of service via integer overflow in g_buffered_input_stream_peek(). (CVE-2026-0988)

References:
https://ubuntu.com/security/notices/USN-7971-1
========================

Updated packages in core/updates_testing:
========================
glib-gettextize-2.76.3-1.6.mga9
glib2.0-common-2.76.3-1.6.mga9
glib2.0-tests-2.76.3-1.6.mga9
lib(64)gio2.0_0-2.76.3-1.6.mga9
lib(64)glib2.0-devel-2.76.3-1.6.mga9
lib(64)glib2.0-static-devel-2.76.3-1.6.mga9
lib(64)glib2.0_0-2.76.3-1.6.mga9

from SRPM:
glib2.0-2.76.3-1.6.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
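A check a sysadmin can run against the package list above, added here as an example (it is not part of the bug or of Mageia's own tooling): it takes `rpm -qa` output, keeps the glib2.0 packages named in comment 2, and flags any whose version-release sorts below 2.76.3-1.6.mga9 using a Python port of rpm's version ordering. The sample output and the `.x86_64` suffix handling are constructed assumptions; feed it the real `rpm -qa` text on a host to use it.

```python
import re

# Constructed sample of `rpm -qa` output from a Mageia 9 host (not taken from the bug).
SAMPLE_RPM_QA = """
lib64glib2.0_0-2.76.3-1.5.mga9.x86_64
glib2.0-common-2.76.3-1.6.mga9.x86_64
lib64gio2.0_0-2.76.3-1.5.mga9.x86_64
bash-5.2.15-1.mga9.x86_64
"""

# Fixed version-release from comment 2; the updated package names all start with one of these.
FIXED_VR = "2.76.3-1.6.mga9"
GLIB_PREFIXES = ("glib-gettextize", "glib2.0-", "libgio2.0", "lib64gio2.0", "libglib2.0", "lib64glib2.0")

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~|\^")
_ARCH = re.compile(r"\.(x86_64|i586|i686|aarch64|noarch)$")

def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings the way rpm's rpmvercmp does: -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if "~" in (x, y):  # '~' sorts below everything, even the end of the string
            return -1 if x == "~" else 1
        if "^" in (x, y):  # '^' sorts below everything except the end of the string
            return -1 if x == "^" else 1
        if x.isdigit() != y.isdigit():  # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        key = int if x.isdigit() else str  # digits compare numerically ("10" > "9")
        if key(x) != key(y):
            return -1 if key(x) < key(y) else 1
    if len(sa) == len(sb):
        return 0
    longer, rest = (1, sa[len(sb):]) if len(sa) > len(sb) else (-1, sb[len(sa):])
    return -longer if rest[0] == "~" else longer  # extra segments win unless they start with '~'

def unpatched_glib_packages(rpm_qa_output: str, fixed_vr: str = FIXED_VR) -> list:
    """Return installed glib2.0 packages whose version-release is older than fixed_vr."""
    fixed_ver, fixed_rel = fixed_vr.split("-", 1)
    unpatched = []
    for pkg in rpm_qa_output.split():
        name, ver, rel = _ARCH.sub("", pkg).rsplit("-", 2)
        if not name.startswith(GLIB_PREFIXES):
            continue
        # Version first, then release: the fixes were backported into release 1.6 of 2.76.3,
        # so an upstream-only check ("prior to 2.82.5") would wrongly flag the fixed build too.
        if (rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)) < 0:
            unpatched.append(pkg)
    return unpatched
```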

Comment 3 Herman Viaene 2026-01-23 16:09:49 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues
Ref bug 34310
Played around in audacity, changing tempo and pitch, echo and reverb, tremolo, all works OK.
Of course still same issue with the playback pointer, but that is not a regression, so let it go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

Comment 4 Brian Rockwell 2026-01-24 17:33:07 CET
MGA9-64, GNOME, AMD Ryzen 5600, Nvidia 1050

The following 2 packages are going to be installed:

- glib2.0-common-2.76.3-1.6.mga9.x86_64
- lib64glib2.0_0-2.76.3-1.6.mga9.x86_64

16B of additional disk space will be used.

--- rebooted

GNOME is behaving 
audio is working

CC: (none) => brtians1

katnatek 2026-01-24 23:05:01 CET

Keywords: (none) => advisory

Comment 5 Thomas Andrews 2026-01-27 14:01:21 CET
We probably should have an i586 test for this one.

CC: (none) => andrewsfarm

Comment 6 Thomas Andrews 2026-01-28 17:25:11 CET
MGA9-32 Xfce on Foolishness, my Dell Inspiron 5100, P4, Radeon RV200 graphics.

No installation issues. Did a reboot, even though it wasn't supposed to be necessary. Worked with it for a while, no issues noted. Looks OK on i586.

Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK

Thomas Andrews 2026-01-28 17:25:41 CET

Flags: (none) => test_passed_mga9_32+

Comment 7 Thomas Andrews 2026-01-28 17:26:17 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2026-01-28 23:43:02 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0023.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

