GLFS Advisories
This page covers advisories, notably in relation with security and changes that may have broken earlier versions of the book.
For security, most of the packages in GLFS are in BLFS, and GLFS for the most part gets the same updates as BLFS gets. Thus, you should check the BLFS advisories linked in each section. This page covers GLFS-specific issues, or when the BLFS issues hit GLFS the hardest.
This page is ordered like the Changelog of the book, with newest items first.
12.3 to 12.4
Broken changes
glfs-brk-12.3-004: Git (Date: June 10th, 2025)
Git has been removed from GLFS. All downloading instructions now rely on the wget package when pages instruct the user to download files in bulk. No package in GLFS depends on Git otherwise, and no lib32 installation instructions have been present for it as the package does not provide libraries. Follow BLFS for updates to Git.
glfs-brk-12.3-003: libxml2 (Date: April 3rd, 2025)
libxml2-2.13 has upgraded to libxml2-2.14, which has broken ABI. While you can reinstall every package that uses libxml2, or do a complete upgrade, you can instead opt to apply patches which fix security issues without breaking ABI. The patches will be linked in the BLFS advisories.
glfs-brk-12.3-002: 32-bit CPU Support (Date: March 25th, 2025)
Support for 32-bit CPUs (ix86) has been removed from GLFS. This is because there is no testing being done for 32-bit by the GLFS development team due to lack of proper hardware. Another big reason is Steam and its CEF sandboxing is unclear on how to properly bypass and what happens beyond that point. Regardless, beyond Steam, the normal installation instructions generally work on 32-bit hardware; you just will be on your own to work around the edge cases.
glfs-brk-12.3-001: luit (Date: March 5th, 2025)
The luit package has been removed from GLFS as no packages in the book used it. It had no lib32 installation instructions, so feel free to follow BLFS for updates to the luit package.
Security Advisories
Please read BLFS 12.3 Security Advisories and BLFS Consolidated Security Advisories for more packages that aren't covered here.
glfs-sa-12.3-003: Fontconfig - Rating: Medium (Date: July 3rd, 2025)
In Fontconfig-2.17.1, a heap buffer overflow was fixed that was introduced in 2.17.0. When compiled with santized addresses, it will cause fc-cache to bail out when using the -f option when regenerating the font cache. If a font is malformed as a result of this early bail, Steam will crash, which is why it is mentioned in this advisories page. Upstream has not treated it as a security vulnerability and thus have not reserved a CVE or any security ticket with any authority. Since it can affect GLFS users directly and other issues of its ilk are considered security vulnerabilities, we consider this a vulnerability as well. This issue may not harm you, but if you are on Fontconfig-2.17.0, you should consider updating to Fontconfig-2.17.1 to avoid font recaching bailing via fc-cache which can cause Steam to crash. This is not needed for the 2.16 series.
To upgrade to Fontconfig-2.17.1, follow the GLFS Fontconfig installation page which does not differ for SysVinit/Systemd versions of the book.
glfs-sa-12.3-002: NVIDIA - Rating: High (Date: June 21st, 2025)
In NVIDIA-575.64, a security vulnerability was fixed that could allow for a use-after-free in the kernel for pre-Turing NVIDIA GPUs. NVIDIA has not reserved a CVE for the vulnerability. Furthermore, it has became clear that NVIDIA does not often document security fixes in the changelogs of the NVIDIA drivers, leading to many security fixes being unnoticed by the GLFS development team. We will now be looking at the NVIDIA Product Security resource. Consider all previous drivers to have security vulnerabilities and update to NVIDIA-575.64 or any of the latest revisions of the other 3 latest major versions (570, 565, and 560) immediately.
To do so, follow the GLFS NVIDIA installation page. Ensure you download the latest install script and manifest file if you previously downloaded them to ensure compatibility.
glfs-sa-12.3-001: libxml2 and Wine - Rating: High (Date: June 21st, 2025)
BLFS SA 12.3 060 covers a vulnerability with libxml2-2.14.4. This vulnerability is not exploitable in many packages as it is only able to be used in the xmlBuildQName() function. However, one of the packages that does make use of that function is the Wine package. If you are using Wine, you should fix the vulnerability by doing one of two things: either upgrade libxml2 to 2.14.4, or reinstall libxml2-1.13.8 with a patch.
To upgrade to libxml2-2.14.4, follow the GLFS libxml2 installation page which does not differ for SysVinit/Systemd versions of the book.
To reinstall libxml2-2.13.8 with the patch, download this patch and apply it before configuration, then reinstall the package.