Regarding "(CVE-2023-29499) GVariant offset table entry size is not checked in is_normal()"

Regarding the below issue discussion,

Link - (CVE-2023-29499) GVariant offset table entry size is not checked in is_normal() (#2794) · Issues · GNOME / GLib · GitLab

Query:
What do we mean by “untrusted GVariant input”? I read in a post that dbus will not be affected, since it only affects untrusted variant input.
Can anyone maybe help with an example or information to understand better?

Is it possible to give a much more detailed explanation? As the term “untrusted input” seems generic.

GVariant is a library API. Application developers can do anything with it. For example, you could design a client/server network API where client applications send GVariants to the server. Concrete example: eos-event-recorder-daemon sends GVariants to azafea-metrics-proxy.

As for D-Bus, I don’t myself understand the impact on D-Bus. Message brokers (dbus-daemon and dbus-broker) do not use GVariant, but GDBus certainly does. However, I do not know whether GDBus is vulnerable or not.

Lastly, reminder: there are more denial of service issues in GVariant, which have not been debugged or even reported yet. These older CVEs are not the last of them.