Bug 264931 - GLSA 200904-02 flags dev-libs/glib-1.2.10-r5
Summary: GLSA 200904-02 flags dev-libs/glib-1.2.10-r5
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Reported: 2009-04-05 01:23 UTC by Richard Freeman
Modified: 2009-04-05 11:04 UTC
Description Richard Freeman gentoo-dev 2009-04-05 01:23:36 UTC
dev-libs/glib-1.2.10-r5 is covered by GLSA 200904-02 (both in the xml and in the email notice).  However, it is not masked and there are packages that depend on it in portage.  I don't know if the vulnerability actually applies to this version - either the vulnerability needs to be resolved or the GLSA should be updated to not cover this slot.

Reproducible: Always
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-05 07:34:14 UTC
Apparently the vulnerability does not exist in this version. Debian handled their glib2.0 package only (not glib1.2), and the gbase64.c (to which the patch applies) does not exist in the source tree, and I can't find any line from the patch in the source.
Thus, we'll have to fix the GLSA.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-04-05 11:04:22 UTC
This should help:

@@ -11,13 +11,14 @@
   </synopsis>
   <product type="ebuild">glib</product>
   <announced>April 03, 2009</announced>
-  <revised>April 03, 2009: 01</revised>
+  <revised>April 05, 2009: 02</revised>
   <bug>249214</bug>
   <access>remote</access>
   <affected>
     <package name="dev-libs/glib" auto="yes" arch="*">
       <unaffected range="ge">2.18.4-r1</unaffected>
       <unaffected range="rge">2.16.6-r1</unaffected>
+      <unaffected range="lt">2</unaffected>
       <vulnerable range="lt">2.18.4-r1</vulnerable>
     </package>
   </affected>
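
Review bot: The added `<unaffected range="lt">2</unaffected>` line overlaps the unchanged `<vulnerable range="lt">2.18.4-r1</vulnerable>` line below it, so dev-libs/glib-1.2.10-r5 still matches the vulnerable range and is exempted only if the tool reading the GLSA lets an unaffected match override a vulnerable one. Please confirm that with the GLSA checker on a system that has only the 1.x slot installed before publishing revision 02. It would also help to record in the advisory text why versions below 2 are unaffected (per comment 1, gbase64.c is not present in the glib 1.2 source tree), since the `<revised>` line carries only the date and revision number.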