Philip Withnall

**Name of the Vulnerable Software and Affected Versions** GLib (affected versions not specified) **Description** A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GNOME GLib versions prior to 2.78.5 GNOME GLib versions 2.79.x GNOME GLib versions 2.80.x prior to 2.80.1 **Description** An issue was discovered in GNOME GLib where a GDBus-based client subscribing to signals from a trusted system service, such as NetworkManager, on a shared computer can be tricked into interpreting spoofed D-Bus signals as if they were sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an impact that depends on the application. The vulnerability is related to incorrect verification of the communication channel source. **Recommendations** For GNOME GLib versions prior to 2.78.5, update to version 2.78.5 or later. For GNOME GLib versions 2.79.x, update to version 2.80.1 or later. For GNOME GLib versions 2.80.x prior to 2.80.1, update to version 2.80.1 or later. As a temporary workaround, consider restricting access to the GDBus-based client to minimize the risk of exploitation.