[glib/glib-2-66] 2.66.5



commit 79c5866d316767d06573df01bf1598a122fbecd7
Author: Philip Withnall <pwithnall endlessos org>
Date:   Wed Feb 3 15:27:28 2021 +0000

    2.66.5
    
    Signed-off-by: Philip Withnall <pwithnall endlessos org>

 NEWS        | 32 ++++++++++++++++++++++++++++++++
 meson.build |  2 +-
 2 files changed, 33 insertions(+), 1 deletion(-)
---
diff --git a/NEWS b/NEWS
index 56d27f633..a9becc926 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,35 @@
+Overview of changes in GLib 2.66.5
+==================================
+
+* Fix some issues with handling over-long (invalid) input when parsing for `GDate` (!1824)
+
+* Don’t load GIO modules or parse other GIO environment variables when `AT_SECURE`
+  is set (i.e. in a setuid/setgid/setcap process). GIO has always been
+  documented as not being safe to use in privileged processes, but people persist
+  in using it unsafely, so these changes should harden things against potential
+  attacks at least a little. Unfortunately they break a couple of projects which
+  were relying on reading `DBUS_SESSION_BUS_ADDRESS`, so GIO continues to read
+  that for setgid/setcap (but not setuid) processes. This loophole will be closed
+  in GLib 2.70 (see issue #2316), which should give modules 6 months to change
+  their behaviour. (Work by Simon McVittie and Philip Withnall) (#2168, #2305)
+
+* Fix `g_spawn()` searching `PATH` when it wasn’t meant to (work by
+  Simon McVittie and Thomas Haller) (!1913)
+
+* Bugs fixed:
+ - #2168 giomodule: Loads GIO modules even if setuid, etc.
+ - #2210 g_private_replace ordering issue
+ - #2305 GIO security hardening causing gnome-keyring to regress when session bus is provided by dbus-launch 
(dbus-x11)
+ - !1820 gthread: Destroy value after replacing it in g_private_replace()
+ - !1824 Backport !1821 “gdate: Limit length of dates which can be parsed as valid” to glib-2-66
+ - !1831 gdatetime.c: Fix MSVC builds for lack of NAN items
+ - !1836 Backport !1827 “Windows: fix FD_READ condition flag still set on recoverable UDP socket errors.” to 
glib-2-66
+ - !1864 Backport !1862 “gio: Ignore various environment variables when running as setuid” to glib-2-66
+ - !1872 Backport !1868 “gdesktopappinfo: Fix validation of XDG_CURRENT_DESKTOP” to glib-2-66
+ - !1913 Backport !1902 “spawn: Don't set a search path if we don't want to search PATH” to glib-2-66
+ - !1922 Backport !1920 “Resolve GDBus regressions in setcap/setgid programs” to glib-2-66
+
+
 Overview of changes in GLib 2.66.4
 ==================================
 
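Review bot: The `AT_SECURE` entry cites only the issues (#2168, #2305) and never names the merge requests that carry the hardening, although the bug list below ties !1864 and !1922 to it. Adding those two references to the entry would let someone auditing a setuid/setgid/setcap binary go straight to the code change. "Other GIO environment variables" is also vague for a security note. Listing the variables that are now ignored, or pointing at !1864 for the list, would make clear what behaviour a privileged process loses. In the sentence on the `DBUS_SESSION_BUS_ADDRESS` exception, "give modules 6 months" reads ambiguously next to "GIO modules" earlier in the same entry; if it refers to the "couple of projects" mentioned just before, say "projects". Finally, !1872 (validation of `XDG_CURRENT_DESKTOP`) appears only in the bug list. If it belongs to the same environment-handling hardening, it deserves a line in the overview.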
diff --git a/meson.build b/meson.build
index d938ddf51..f33421980 100644
--- a/meson.build
+++ b/meson.build
@@ -1,5 +1,5 @@
 project('glib', 'c', 'cpp',
-  version : '2.66.4',
+  version : '2.66.5',
   # NOTE: We keep this pinned at 0.49 because that's what Debian 10 ships
   meson_version : '>= 0.49.2',
   default_options : [

