Accepting request 869723 from home:iznogood:branches:GNOME:Factory

- Update to version 2.66.6: + Fix various instances within GLib where `g_memdup()` was vulnerable to a silent integer truncation and heap overflow problem (glgo#GNOME/GLib#2319). - Update to version 2.66.5: + Fix some issues with handling over-long (invalid) input when parsing for `GDate`. + Don’t load GIO modules or parse other GIO environment variables when `AT_SECURE` is set (i.e. in a setuid/setgid/setcap process). GIO has always been documented as not being safe to use in privileged processes, but people persist in using it unsafely, so these changes should harden things against potential attacks at least a little. Unfortunately they break a couple of projects which were relying on reading `DBUS_SESSION_BUS_ADDRESS`, so GIO continues to read that for setgid/setcap (but not setuid) processes. This loophole will be closed in GLib 2.70 (see issue #2316), which should give modules 6 months to change their behaviour. + Fix `g_spawn()` searching `PATH` when it wasn’t meant to. + Bugs fixed: bgo#2168, bgo#2210, bgo#2305, glgo#GNOME/GLib!1820, glgo#GNOME/GLib!1824, glgo#GNOME/GLib!1831, glgo#GNOME/GLib!1836, glgo#GNOME/GLib!1864, glgo#GNOME/GLib!1872, glgo#GNOME/GLib!1913, glgo#GNOME/GLib!1922. - Rebase/refresh patches: + glib2-dbus-socket-path.patch + glib2-fate300461-gettext-gkeyfile-suse.patch + glib2-gdbus-codegen-version.patch + glib2-suppress-schema-deprecated-path-warning.patch OBS-URL: https://build.opensuse.org/request/show/869723 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/glib2?expand=0&rev=444
2021-02-08 11:22:11 +00:00 · 2021-02-08 11:22:11 +00:00 · 1c0322dba0
commit 1c0322dba0
parent 8e482a5c6d
9 changed files with 83 additions and 45 deletions
--- a/glib-2.66.4.tar.xz
+++ b/glib-2.66.4.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:97df8670e32f9fd4f7392b0980e661dd625012015d58350da1e58e343f4af984
-size 4838124
--- a/glib-2.66.6.tar.xz
+++ b/glib-2.66.6.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:80fff9c63d2725834328071c42003c311f77f91caf2285195c587c62f5638329
+size 4841768
--- a/glib2-bgo569829-gettext-gkeyfile.patch
+++ b/glib2-bgo569829-gettext-gkeyfile.patch
@ -1,7 +1,7 @@
-Index: glib-2.56.2/glib/gkeyfile.c
+Index: glib-2.66.5/glib/gkeyfile.c
 ===================================================================
--- glib-2.56.2.orig/glib/gkeyfile.c	2018-03-12 17:23:37.000000000 +0100
-+++ glib-2.56.2/glib/gkeyfile.c	2018-08-17 10:53:47.314889363 +0200
+--- glib-2.66.5.orig/glib/gkeyfile.c
+++ glib-2.66.5/glib/gkeyfile.c
@@ -511,6 +511,7 @@ struct _GKeyFile
   GKeyFileFlags flags;
 
@ -10,7 +10,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
 
   volatile gint ref_count;
 };
-@@ -635,6 +636,7 @@ g_key_file_init (GKeyFile *key_file)
+@@ -636,6 +637,7 @@ g_key_file_init (GKeyFile *key_file)
   key_file->list_separator = ';';
   key_file->flags = 0;
   key_file->locales = g_strdupv ((gchar **)g_get_language_names ());
@ -18,7 +18,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
 }
 
 static void
-@@ -654,6 +656,12 @@ g_key_file_clear (GKeyFile *key_file)
+@@ -655,6 +657,12 @@ g_key_file_clear (GKeyFile *key_file)
       key_file->parse_buffer = NULL;
     }
 
@ -31,7 +31,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
   tmp = key_file->groups;
   while (tmp != NULL)
     {
-@@ -873,6 +881,11 @@ g_key_file_load_from_fd (GKeyFile
+@@ -874,6 +882,11 @@ g_key_file_load_from_fd (GKeyFile
       return FALSE;
     }
 
@ -43,7 +43,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
   return TRUE;
 }
 
-@@ -985,6 +998,11 @@ g_key_file_load_from_data (GKeyFile
+@@ -986,6 +999,11 @@ g_key_file_load_from_data (GKeyFile
       return FALSE;
     }
 
@ -55,7 +55,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
   return TRUE;
 }
 
-@@ -2208,6 +2226,8 @@ g_key_file_get_locale_string (GKeyFile
+@@ -2213,6 +2231,8 @@ g_key_file_get_locale_string (GKeyFile
   GError *key_file_error;
   gchar **languages;
   gboolean free_languages = FALSE;
@ -64,7 +64,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
   gint i;
 
   g_return_val_if_fail (key_file != NULL, NULL);
-@@ -2229,6 +2249,23 @@ g_key_file_get_locale_string (GKeyFile
+@@ -2234,6 +2254,23 @@ g_key_file_get_locale_string (GKeyFile
       free_languages = FALSE;
     }
   
@ -88,7 +88,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
   for (i = 0; languages[i]; i++)
     {
       candidate_key = g_strdup_printf ("%s[%s]", key, languages[i]);
-@@ -2245,6 +2282,39 @@ g_key_file_get_locale_string (GKeyFile
+@@ -2250,6 +2287,39 @@ g_key_file_get_locale_string (GKeyFile
       translated_value = NULL;
    }
 
@ -128,10 +128,10 @@ Index: glib-2.56.2/glib/gkeyfile.c
   /* Fallback to untranslated key
    */
   if (!translated_value)
-Index: glib-2.56.2/glib/gkeyfile.h
+Index: glib-2.66.5/glib/gkeyfile.h
 ===================================================================
--- glib-2.56.2.orig/glib/gkeyfile.h	2018-02-06 17:05:56.000000000 +0100
-+++ glib-2.56.2/glib/gkeyfile.h	2018-08-17 10:53:47.314889363 +0200
+--- glib-2.66.5.orig/glib/gkeyfile.h
+++ glib-2.66.5/glib/gkeyfile.h
@@ -320,6 +320,7 @@ gboolean  g_key_file_remove_group
 #define G_KEY_FILE_DESKTOP_KEY_URL              "URL"
 #define G_KEY_FILE_DESKTOP_KEY_DBUS_ACTIVATABLE "DBusActivatable"
--- a/glib2-dbus-socket-path.patch
+++ b/glib2-dbus-socket-path.patch
@ -1,9 +1,9 @@
-Index: glib-2.56.2/gio/gdbusaddress.c
+Index: glib-2.66.5/gio/gdbusaddress.c
 ===================================================================
--- glib-2.56.2.orig/gio/gdbusaddress.c	2018-08-16 22:53:19.000000000 +0200
-+++ glib-2.56.2/gio/gdbusaddress.c	2018-08-17 10:46:31.564471587 +0200
-@@ -1628,7 +1628,7 @@ g_dbus_address_get_for_bus_sync (GBusTyp
-       ret = g_strdup (g_getenv ("DBUS_SYSTEM_BUS_ADDRESS"));
+--- glib-2.66.5.orig/gio/gdbusaddress.c
+++ glib-2.66.5/gio/gdbusaddress.c
+@@ -1331,7 +1331,7 @@ g_dbus_address_get_for_bus_sync (GBusTyp
+ 
       if (ret == NULL)
         {
 -          ret = g_strdup ("unix:path=/var/run/dbus/system_bus_socket");
--- a/glib2-fate300461-gettext-gkeyfile-suse.patch
+++ b/glib2-fate300461-gettext-gkeyfile-suse.patch
@ -1,7 +1,7 @@
-Index: glib-2.56.2/glib/gkeyfile.c
+Index: glib-2.66.5/glib/gkeyfile.c
 ===================================================================
--- glib-2.56.2.orig/glib/gkeyfile.c	2018-08-17 10:53:47.314889363 +0200
-+++ glib-2.56.2/glib/gkeyfile.c	2018-08-17 10:53:47.330889591 +0200
+--- glib-2.66.5.orig/glib/gkeyfile.c
+++ glib-2.66.5/glib/gkeyfile.c
@@ -512,6 +512,7 @@ struct _GKeyFile
 
   gchar **locales;
@ -10,7 +10,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
 
   volatile gint ref_count;
 };
-@@ -637,6 +638,7 @@ g_key_file_init (GKeyFile *key_file)
+@@ -638,6 +639,7 @@ g_key_file_init (GKeyFile *key_file)
   key_file->flags = 0;
   key_file->locales = g_strdupv ((gchar **)g_get_language_names ());
   key_file->gettext_domain = NULL;
@ -18,7 +18,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
 }
 
 static void
-@@ -662,6 +664,12 @@ g_key_file_clear (GKeyFile *key_file)
+@@ -663,6 +665,12 @@ g_key_file_clear (GKeyFile *key_file)
        key_file->gettext_domain = NULL;
     }
 
@ -31,7 +31,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
   tmp = key_file->groups;
   while (tmp != NULL)
     {
-@@ -805,6 +813,39 @@ find_file_in_data_dirs (const gchar   *f
+@@ -806,6 +814,39 @@ find_file_in_data_dirs (const gchar   *f
   return fd;
 }
 
@ -71,7 +71,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
 static gboolean
 g_key_file_load_from_fd (GKeyFile       *key_file,
 			 gint            fd,
-@@ -886,6 +927,9 @@ g_key_file_load_from_fd (GKeyFile
+@@ -887,6 +928,9 @@ g_key_file_load_from_fd (GKeyFile
                                                     G_KEY_FILE_DESKTOP_KEY_GETTEXT_DOMAIN,
                                                     NULL);
 
@ -81,7 +81,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
   return TRUE;
 }
 
-@@ -942,6 +986,8 @@ g_key_file_load_from_file (GKeyFile
+@@ -943,6 +987,8 @@ g_key_file_load_from_file (GKeyFile
       return FALSE;
     }
 
@ -90,7 +90,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
   return TRUE;
 }
 
-@@ -1003,6 +1049,9 @@ g_key_file_load_from_data (GKeyFile
+@@ -1004,6 +1050,9 @@ g_key_file_load_from_data (GKeyFile
                                                     G_KEY_FILE_DESKTOP_KEY_GETTEXT_DOMAIN,
                                                     NULL);
 
@ -100,7 +100,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
   return TRUE;
 }
 
-@@ -1107,6 +1156,9 @@ g_key_file_load_from_dirs (GKeyFile
+@@ -1108,6 +1157,9 @@ g_key_file_load_from_dirs (GKeyFile
         }
     }
 
@ -110,7 +110,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
   if (found_file && full_path)
     *full_path = output_path;
   else
-@@ -2291,14 +2343,40 @@ g_key_file_get_locale_string (GKeyFile
+@@ -2296,14 +2348,40 @@ g_key_file_get_locale_string (GKeyFile
         {
           gboolean codeset_set;
           const gchar *translated;
@ -156,10 +156,10 @@ Index: glib-2.56.2/glib/gkeyfile.c
 
           g_free (orig_value);
 
-Index: glib-2.56.2/glib/gkeyfile.h
+Index: glib-2.66.5/glib/gkeyfile.h
 ===================================================================
--- glib-2.56.2.orig/glib/gkeyfile.h	2018-08-17 10:53:47.314889363 +0200
-+++ glib-2.56.2/glib/gkeyfile.h	2018-08-17 10:53:47.330889591 +0200
+--- glib-2.66.5.orig/glib/gkeyfile.h
+++ glib-2.66.5/glib/gkeyfile.h
@@ -320,7 +320,7 @@ gboolean  g_key_file_remove_group
 #define G_KEY_FILE_DESKTOP_KEY_URL              "URL"
 #define G_KEY_FILE_DESKTOP_KEY_DBUS_ACTIVATABLE "DBusActivatable"
--- a/glib2-gdbus-codegen-version.patch
+++ b/glib2-gdbus-codegen-version.patch
@ -1,7 +1,7 @@
-Index: glib-2.65.2/gio/gdbus-2.0/codegen/codegen.py
+Index: glib-2.66.5/gio/gdbus-2.0/codegen/codegen.py
 ===================================================================
--- glib-2.65.2.orig/gio/gdbus-2.0/codegen/codegen.py
-+++ glib-2.65.2/gio/gdbus-2.0/codegen/codegen.py
+--- glib-2.66.5.orig/gio/gdbus-2.0/codegen/codegen.py
+++ glib-2.66.5/gio/gdbus-2.0/codegen/codegen.py
@@ -79,8 +79,7 @@ class HeaderCodeGenerator:
     # ----------------------------------------------------------------------------------------------------
 
--- a/glib2-suppress-schema-deprecated-path-warning.patch
+++ b/glib2-suppress-schema-deprecated-path-warning.patch
@ -1,8 +1,8 @@
-Index: glib-2.56.2/gio/glib-compile-schemas.c
+Index: glib-2.66.5/gio/glib-compile-schemas.c
 ===================================================================
--- glib-2.56.2.orig/gio/glib-compile-schemas.c	2018-08-17 02:03:20.000000000 +0200
-+++ glib-2.56.2/gio/glib-compile-schemas.c	2018-08-17 10:53:47.342889761 +0200
-@@ -1219,6 +1219,7 @@ parse_state_start_schema (ParseState  *s
+--- glib-2.66.5.orig/gio/glib-compile-schemas.c
+++ glib-2.66.5/gio/glib-compile-schemas.c
+@@ -1232,6 +1232,7 @@ parse_state_start_schema (ParseState  *s
       return;
     }
 
@ -10,7 +10,7 @@ Index: glib-2.56.2/gio/glib-compile-schemas.c
   if (path && (g_str_has_prefix (path, "/apps/") ||
                g_str_has_prefix (path, "/desktop/") ||
                g_str_has_prefix (path, "/system/")))
-@@ -1231,6 +1232,7 @@ parse_state_start_schema (ParseState  *s
+@@ -1244,6 +1245,7 @@ parse_state_start_schema (ParseState  *s
       g_printerr ("%s\n", message);
       g_free (message);
     }
--- a/glib2.changes
+++ b/glib2.changes
@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Fri Feb  5 10:59:15 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.66.6:
+  + Fix various instances within GLib where `g_memdup()` was
+    vulnerable to a silent integer truncation and heap overflow
+    problem (glgo#GNOME/GLib#2319).
+
+-------------------------------------------------------------------
+Wed Feb  3 18:52:30 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.66.5:
+  + Fix some issues with handling over-long (invalid) input when
+    parsing for `GDate`.
+  + Don’t load GIO modules or parse other GIO environment variables
+    when `AT_SECURE` is set (i.e. in a setuid/setgid/setcap
+    process). GIO has always been documented as not being safe to
+    use in privileged processes, but people persist in using it
+    unsafely, so these changes should harden things against
+    potential attacks at least a little. Unfortunately they break a
+    couple of projects which were relying on reading
+    `DBUS_SESSION_BUS_ADDRESS`, so GIO continues to read that for
+    setgid/setcap (but not setuid) processes. This loophole will be
+    closed in GLib 2.70 (see issue #2316), which should give
+    modules 6 months to change their behaviour.
+  + Fix `g_spawn()` searching `PATH` when it wasn’t meant to.
+  + Bugs fixed: bgo#2168, bgo#2210, bgo#2305, glgo#GNOME/GLib!1820,
+    glgo#GNOME/GLib!1824, glgo#GNOME/GLib!1831,
+    glgo#GNOME/GLib!1836, glgo#GNOME/GLib!1864,
+    glgo#GNOME/GLib!1872, glgo#GNOME/GLib!1913,
+    glgo#GNOME/GLib!1922.
+- Rebase/refresh patches:
+  + glib2-dbus-socket-path.patch
+  + glib2-fate300461-gettext-gkeyfile-suse.patch
+  + glib2-gdbus-codegen-version.patch
+  + glib2-suppress-schema-deprecated-path-warning.patch
+  + glib2-bgo569829-gettext-gkeyfile.patch
+
 -------------------------------------------------------------------
 Thu Dec 17 21:20:22 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>

--- a/glib2.spec
+++ b/glib2.spec
@ -1,7 +1,7 @@
 #
 # spec file for package glib2
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -19,7 +19,7 @@
 %bcond_without     systemtap
 %bcond_without gtk_doc
 Name:           glib2
-Version:        2.66.4
+Version:        2.66.6
 Release:        0
 Summary:        General-Purpose Utility Library
 License:        LGPL-2.1-or-later