rpm package

almalinux/glib2-static

pkg:rpm/almalinux/glib2-static

Vulnerabilities (20)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-14512	Med	6.5	< 2.56.4-169.el8_10	2.56.4-169.el8_10	Dec 11, 2025	A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.
CVE-2025-14087	Med	5.6	< 2.56.4-169.el8_10	2.56.4-169.el8_10	Dec 10, 2025	A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.
CVE-2025-13601	Hig	7.7	< 2.68.4-18.el9_7.1	2.68.4-18.el9_7.1	Nov 26, 2025	A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length
CVE-2025-4373	Med	4.8	< 2.68.4-16.el9_6.2	2.68.4-16.el9_6.2	May 6, 2025	A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.
CVE-2024-52533		—	< 2.68.4-16.el9_6.2	2.68.4-16.el9_6.2	Nov 11, 2024	gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character.
CVE-2024-34397	Med	5.2	< 2.68.4-14.el9_4.1	2.68.4-14.el9_4.1	May 7, 2024	An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals tha
CVE-2023-32611		—	< 2.68.4-11.el9	2.68.4-11.el9	Sep 14, 2023	A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.
CVE-2023-29499		—	< 2.68.4-11.el9	2.68.4-11.el9	Sep 14, 2023	A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.
CVE-2023-32665		—	< 2.68.4-11.el9	2.68.4-11.el9	Sep 14, 2023	A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.
CVE-2021-3800		—	< 2.56.4-156.el8	2.56.4-156.el8	Aug 23, 2022	A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.
CVE-2021-28153		—	< 2.56.4-156.el8	2.56.4-156.el8	Mar 11, 2021	An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security re
CVE-2021-27219		—	< 2.56.4-10.el8_4	2.56.4-10.el8_4	Feb 15, 2021	An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.
CVE-2021-27218		—	< 2.56.4-10.el8_4.1	2.56.4-10.el8_4.1	Feb 15, 2021	An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.
CVE-2020-13584		—	< 2.56.4-9.el8	2.56.4-9.el8	Dec 3, 2020	An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.1 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in a remote code execution. The victim needs to visit a malicious web site to trigger this vulnerability.
CVE-2020-13543		—	< 2.56.4-9.el8	2.56.4-9.el8	Dec 3, 2020	A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2.30.0. A specially crafted web page can trigger a use-after-free vulnerability which can lead to remote code execution. An attacker can get a user to visit a webpage to trigger this vulnerab
CVE-2020-9983		—	< 2.56.4-9.el8	2.56.4-9.el8	Oct 16, 2020	An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in Safari 14.0. Processing maliciously crafted web content may lead to code execution.
CVE-2020-9951		—	< 2.56.4-9.el8	2.56.4-9.el8	Oct 16, 2020	A use after free issue was addressed with improved memory management. This issue is fixed in Safari 14.0. Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2020-9948		—	< 2.56.4-9.el8	2.56.4-9.el8	Oct 16, 2020	A type confusion issue was addressed with improved memory handling. This issue is fixed in Safari 14.0. Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2019-14822		—	< 2.56.4-8.el8	2.56.4-8.el8	Nov 25, 2019	A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victi
CVE-2019-13012		—	< 2.56.4-9.el8	2.56.4-9.el8	Jun 28, 2019	The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL,

CVE-2025-14512MedDec 11, 2025
affected < 2.56.4-169.el8_10fixed 2.56.4-169.el8_10
A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.
CVE-2025-14087MedDec 10, 2025
affected < 2.56.4-169.el8_10fixed 2.56.4-169.el8_10
A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.
CVE-2025-13601HigNov 26, 2025
affected < 2.68.4-18.el9_7.1fixed 2.68.4-18.el9_7.1
A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length
CVE-2025-4373MedMay 6, 2025
affected < 2.68.4-16.el9_6.2fixed 2.68.4-16.el9_6.2
A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.
CVE-2024-52533Nov 11, 2024
affected < 2.68.4-16.el9_6.2fixed 2.68.4-16.el9_6.2
gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character.
CVE-2024-34397MedMay 7, 2024
affected < 2.68.4-14.el9_4.1fixed 2.68.4-14.el9_4.1
An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals tha
CVE-2023-32611Sep 14, 2023
affected < 2.68.4-11.el9fixed 2.68.4-11.el9
A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.
CVE-2023-29499Sep 14, 2023
affected < 2.68.4-11.el9fixed 2.68.4-11.el9
A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.
CVE-2023-32665Sep 14, 2023
affected < 2.68.4-11.el9fixed 2.68.4-11.el9
A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.
CVE-2021-3800Aug 23, 2022
affected < 2.56.4-156.el8fixed 2.56.4-156.el8
A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.
CVE-2021-28153Mar 11, 2021
affected < 2.56.4-156.el8fixed 2.56.4-156.el8
An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security re
CVE-2021-27219Feb 15, 2021
affected < 2.56.4-10.el8_4fixed 2.56.4-10.el8_4
An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.
CVE-2021-27218Feb 15, 2021
affected < 2.56.4-10.el8_4.1fixed 2.56.4-10.el8_4.1
An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.
CVE-2020-13584Dec 3, 2020
affected < 2.56.4-9.el8fixed 2.56.4-9.el8
An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.1 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in a remote code execution. The victim needs to visit a malicious web site to trigger this vulnerability.
CVE-2020-13543Dec 3, 2020
affected < 2.56.4-9.el8fixed 2.56.4-9.el8
A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2.30.0. A specially crafted web page can trigger a use-after-free vulnerability which can lead to remote code execution. An attacker can get a user to visit a webpage to trigger this vulnerab
CVE-2020-9983Oct 16, 2020
affected < 2.56.4-9.el8fixed 2.56.4-9.el8
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in Safari 14.0. Processing maliciously crafted web content may lead to code execution.
CVE-2020-9951Oct 16, 2020
affected < 2.56.4-9.el8fixed 2.56.4-9.el8
A use after free issue was addressed with improved memory management. This issue is fixed in Safari 14.0. Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2020-9948Oct 16, 2020
affected < 2.56.4-9.el8fixed 2.56.4-9.el8
A type confusion issue was addressed with improved memory handling. This issue is fixed in Safari 14.0. Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2019-14822Nov 25, 2019
affected < 2.56.4-8.el8fixed 2.56.4-8.el8
A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victi
CVE-2019-13012Jun 28, 2019
affected < 2.56.4-9.el8fixed 2.56.4-9.el8
The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL,