Accepting request 869723 from home:iznogood:branches:GNOME:Factory

- Update to version 2.66.6:
  + Fix various instances within GLib where `g_memdup()` was
    vulnerable to a silent integer truncation and heap overflow
    problem (glgo#GNOME/GLib#2319).

- Update to version 2.66.5:
  + Fix some issues with handling over-long (invalid) input when
    parsing for `GDate`.
  + Don’t load GIO modules or parse other GIO environment variables
    when `AT_SECURE` is set (i.e. in a setuid/setgid/setcap
    process). GIO has always been documented as not being safe to
    use in privileged processes, but people persist in using it
    unsafely, so these changes should harden things against
    potential attacks at least a little. Unfortunately they break a
    couple of projects which were relying on reading
    `DBUS_SESSION_BUS_ADDRESS`, so GIO continues to read that for
    setgid/setcap (but not setuid) processes. This loophole will be
    closed in GLib 2.70 (see issue #2316), which should give
    modules 6 months to change their behaviour.
  + Fix `g_spawn()` searching `PATH` when it wasn’t meant to.
  + Bugs fixed: bgo#2168, bgo#2210, bgo#2305, glgo#GNOME/GLib!1820,
    glgo#GNOME/GLib!1824, glgo#GNOME/GLib!1831,
    glgo#GNOME/GLib!1836, glgo#GNOME/GLib!1864,
    glgo#GNOME/GLib!1872, glgo#GNOME/GLib!1913,
    glgo#GNOME/GLib!1922.
- Rebase/refresh patches:
  + glib2-dbus-socket-path.patch
  + glib2-fate300461-gettext-gkeyfile-suse.patch
  + glib2-gdbus-codegen-version.patch
  + glib2-suppress-schema-deprecated-path-warning.patch

OBS-URL: https://build.opensuse.org/request/show/869723
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/glib2?expand=0&rev=444

glib-2.66.4.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:97df8670e32f9fd4f7392b0980e661dd625012015d58350da1e58e343f4af984
-size 4838124

glib-2.66.6.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:80fff9c63d2725834328071c42003c311f77f91caf2285195c587c62f5638329
+size 4841768

glib2-bgo569829-gettext-gkeyfile.patch

@@ -1,7 +1,7 @@
-Index: glib-2.56.2/glib/gkeyfile.c
+Index: glib-2.66.5/glib/gkeyfile.c
 ===================================================================
---- glib-2.56.2.orig/glib/gkeyfile.c	2018-03-12 17:23:37.000000000 +0100
+--- glib-2.66.5.orig/glib/gkeyfile.c
-+++ glib-2.56.2/glib/gkeyfile.c	2018-08-17 10:53:47.314889363 +0200
++++ glib-2.66.5/glib/gkeyfile.c
 @@ -511,6 +511,7 @@ struct _GKeyFile
    GKeyFileFlags flags;
  
@@ -10,7 +10,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
  
    volatile gint ref_count;
  };
-@@ -635,6 +636,7 @@ g_key_file_init (GKeyFile *key_file)
+@@ -636,6 +637,7 @@ g_key_file_init (GKeyFile *key_file)
    key_file->list_separator = ';';
    key_file->flags = 0;
    key_file->locales = g_strdupv ((gchar **)g_get_language_names ());
@@ -18,7 +18,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
  }
  
  static void
-@@ -654,6 +656,12 @@ g_key_file_clear (GKeyFile *key_file)
+@@ -655,6 +657,12 @@ g_key_file_clear (GKeyFile *key_file)
        key_file->parse_buffer = NULL;
      }
  
@@ -31,7 +31,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
    tmp = key_file->groups;
    while (tmp != NULL)
      {
-@@ -873,6 +881,11 @@ g_key_file_load_from_fd (GKeyFile
+@@ -874,6 +882,11 @@ g_key_file_load_from_fd (GKeyFile
        return FALSE;
      }
  
@@ -43,7 +43,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
    return TRUE;
  }
  
-@@ -985,6 +998,11 @@ g_key_file_load_from_data (GKeyFile
+@@ -986,6 +999,11 @@ g_key_file_load_from_data (GKeyFile
        return FALSE;
      }
  
@@ -55,7 +55,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
    return TRUE;
  }
  
-@@ -2208,6 +2226,8 @@ g_key_file_get_locale_string (GKeyFile
+@@ -2213,6 +2231,8 @@ g_key_file_get_locale_string (GKeyFile
    GError *key_file_error;
    gchar **languages;
    gboolean free_languages = FALSE;
@@ -64,7 +64,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
    gint i;
  
    g_return_val_if_fail (key_file != NULL, NULL);
-@@ -2229,6 +2249,23 @@ g_key_file_get_locale_string (GKeyFile
+@@ -2234,6 +2254,23 @@ g_key_file_get_locale_string (GKeyFile
        free_languages = FALSE;
      }
    
@@ -88,7 +88,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
    for (i = 0; languages[i]; i++)
      {
        candidate_key = g_strdup_printf ("%s[%s]", key, languages[i]);
-@@ -2245,6 +2282,39 @@ g_key_file_get_locale_string (GKeyFile
+@@ -2250,6 +2287,39 @@ g_key_file_get_locale_string (GKeyFile
        translated_value = NULL;
     }
  
@@ -128,10 +128,10 @@ Index: glib-2.56.2/glib/gkeyfile.c
    /* Fallback to untranslated key
     */
    if (!translated_value)
-Index: glib-2.56.2/glib/gkeyfile.h
+Index: glib-2.66.5/glib/gkeyfile.h
 ===================================================================
---- glib-2.56.2.orig/glib/gkeyfile.h	2018-02-06 17:05:56.000000000 +0100
+--- glib-2.66.5.orig/glib/gkeyfile.h
-+++ glib-2.56.2/glib/gkeyfile.h	2018-08-17 10:53:47.314889363 +0200
++++ glib-2.66.5/glib/gkeyfile.h
 @@ -320,6 +320,7 @@ gboolean  g_key_file_remove_group
  #define G_KEY_FILE_DESKTOP_KEY_URL              "URL"
  #define G_KEY_FILE_DESKTOP_KEY_DBUS_ACTIVATABLE "DBusActivatable"

glib2-dbus-socket-path.patch

@@ -1,9 +1,9 @@
-Index: glib-2.56.2/gio/gdbusaddress.c
+Index: glib-2.66.5/gio/gdbusaddress.c
 ===================================================================
---- glib-2.56.2.orig/gio/gdbusaddress.c	2018-08-16 22:53:19.000000000 +0200
+--- glib-2.66.5.orig/gio/gdbusaddress.c
-+++ glib-2.56.2/gio/gdbusaddress.c	2018-08-17 10:46:31.564471587 +0200
++++ glib-2.66.5/gio/gdbusaddress.c
-@@ -1628,7 +1628,7 @@ g_dbus_address_get_for_bus_sync (GBusTyp
+@@ -1331,7 +1331,7 @@ g_dbus_address_get_for_bus_sync (GBusTyp
-       ret = g_strdup (g_getenv ("DBUS_SYSTEM_BUS_ADDRESS"));
+ 
        if (ret == NULL)
          {
 -          ret = g_strdup ("unix:path=/var/run/dbus/system_bus_socket");

glib2-fate300461-gettext-gkeyfile-suse.patch

@@ -1,7 +1,7 @@
-Index: glib-2.56.2/glib/gkeyfile.c
+Index: glib-2.66.5/glib/gkeyfile.c
 ===================================================================
---- glib-2.56.2.orig/glib/gkeyfile.c	2018-08-17 10:53:47.314889363 +0200
+--- glib-2.66.5.orig/glib/gkeyfile.c
-+++ glib-2.56.2/glib/gkeyfile.c	2018-08-17 10:53:47.330889591 +0200
++++ glib-2.66.5/glib/gkeyfile.c
 @@ -512,6 +512,7 @@ struct _GKeyFile
  
    gchar **locales;
@@ -10,7 +10,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
  
    volatile gint ref_count;
  };
-@@ -637,6 +638,7 @@ g_key_file_init (GKeyFile *key_file)
+@@ -638,6 +639,7 @@ g_key_file_init (GKeyFile *key_file)
    key_file->flags = 0;
    key_file->locales = g_strdupv ((gchar **)g_get_language_names ());
    key_file->gettext_domain = NULL;
@@ -18,7 +18,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
  }
  
  static void
-@@ -662,6 +664,12 @@ g_key_file_clear (GKeyFile *key_file)
+@@ -663,6 +665,12 @@ g_key_file_clear (GKeyFile *key_file)
         key_file->gettext_domain = NULL;
      }
  
@@ -31,7 +31,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
    tmp = key_file->groups;
    while (tmp != NULL)
      {
-@@ -805,6 +813,39 @@ find_file_in_data_dirs (const gchar   *f
+@@ -806,6 +814,39 @@ find_file_in_data_dirs (const gchar   *f
    return fd;
  }
  
@@ -71,7 +71,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
  static gboolean
  g_key_file_load_from_fd (GKeyFile       *key_file,
  			 gint            fd,
-@@ -886,6 +927,9 @@ g_key_file_load_from_fd (GKeyFile
+@@ -887,6 +928,9 @@ g_key_file_load_from_fd (GKeyFile
                                                      G_KEY_FILE_DESKTOP_KEY_GETTEXT_DOMAIN,
                                                      NULL);
  
@@ -81,7 +81,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
    return TRUE;
  }
  
-@@ -942,6 +986,8 @@ g_key_file_load_from_file (GKeyFile
+@@ -943,6 +987,8 @@ g_key_file_load_from_file (GKeyFile
        return FALSE;
      }
  
@@ -90,7 +90,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
    return TRUE;
  }
  
-@@ -1003,6 +1049,9 @@ g_key_file_load_from_data (GKeyFile
+@@ -1004,6 +1050,9 @@ g_key_file_load_from_data (GKeyFile
                                                      G_KEY_FILE_DESKTOP_KEY_GETTEXT_DOMAIN,
                                                      NULL);
  
@@ -100,7 +100,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
    return TRUE;
  }
  
-@@ -1107,6 +1156,9 @@ g_key_file_load_from_dirs (GKeyFile
+@@ -1108,6 +1157,9 @@ g_key_file_load_from_dirs (GKeyFile
          }
      }
  
@@ -110,7 +110,7 @@ Index: glib-2.56.2/glib/gkeyfile.c
    if (found_file && full_path)
      *full_path = output_path;
    else
-@@ -2291,14 +2343,40 @@ g_key_file_get_locale_string (GKeyFile
+@@ -2296,14 +2348,40 @@ g_key_file_get_locale_string (GKeyFile
          {
            gboolean codeset_set;
            const gchar *translated;
@@ -156,10 +156,10 @@ Index: glib-2.56.2/glib/gkeyfile.c
  
            g_free (orig_value);
  
-Index: glib-2.56.2/glib/gkeyfile.h
+Index: glib-2.66.5/glib/gkeyfile.h
 ===================================================================
---- glib-2.56.2.orig/glib/gkeyfile.h	2018-08-17 10:53:47.314889363 +0200
+--- glib-2.66.5.orig/glib/gkeyfile.h
-+++ glib-2.56.2/glib/gkeyfile.h	2018-08-17 10:53:47.330889591 +0200
++++ glib-2.66.5/glib/gkeyfile.h
 @@ -320,7 +320,7 @@ gboolean  g_key_file_remove_group
  #define G_KEY_FILE_DESKTOP_KEY_URL              "URL"
  #define G_KEY_FILE_DESKTOP_KEY_DBUS_ACTIVATABLE "DBusActivatable"

glib2-gdbus-codegen-version.patch

@@ -1,7 +1,7 @@
-Index: glib-2.65.2/gio/gdbus-2.0/codegen/codegen.py
+Index: glib-2.66.5/gio/gdbus-2.0/codegen/codegen.py
 ===================================================================
---- glib-2.65.2.orig/gio/gdbus-2.0/codegen/codegen.py
+--- glib-2.66.5.orig/gio/gdbus-2.0/codegen/codegen.py
-+++ glib-2.65.2/gio/gdbus-2.0/codegen/codegen.py
++++ glib-2.66.5/gio/gdbus-2.0/codegen/codegen.py
 @@ -79,8 +79,7 @@ class HeaderCodeGenerator:
      # ----------------------------------------------------------------------------------------------------
  

glib2-suppress-schema-deprecated-path-warning.patch

@@ -1,8 +1,8 @@
-Index: glib-2.56.2/gio/glib-compile-schemas.c
+Index: glib-2.66.5/gio/glib-compile-schemas.c
 ===================================================================
---- glib-2.56.2.orig/gio/glib-compile-schemas.c	2018-08-17 02:03:20.000000000 +0200
+--- glib-2.66.5.orig/gio/glib-compile-schemas.c
-+++ glib-2.56.2/gio/glib-compile-schemas.c	2018-08-17 10:53:47.342889761 +0200
++++ glib-2.66.5/gio/glib-compile-schemas.c
-@@ -1219,6 +1219,7 @@ parse_state_start_schema (ParseState  *s
+@@ -1232,6 +1232,7 @@ parse_state_start_schema (ParseState  *s
        return;
      }
  
@@ -10,7 +10,7 @@ Index: glib-2.56.2/gio/glib-compile-schemas.c
    if (path && (g_str_has_prefix (path, "/apps/") ||
                 g_str_has_prefix (path, "/desktop/") ||
                 g_str_has_prefix (path, "/system/")))
-@@ -1231,6 +1232,7 @@ parse_state_start_schema (ParseState  *s
+@@ -1244,6 +1245,7 @@ parse_state_start_schema (ParseState  *s
        g_printerr ("%s\n", message);
        g_free (message);
      }

glib2.changes

@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Fri Feb  5 10:59:15 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.66.6:
+  + Fix various instances within GLib where `g_memdup()` was
+    vulnerable to a silent integer truncation and heap overflow
+    problem (glgo#GNOME/GLib#2319).
+
+-------------------------------------------------------------------
+Wed Feb  3 18:52:30 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.66.5:
+  + Fix some issues with handling over-long (invalid) input when
+    parsing for `GDate`.
+  + Don’t load GIO modules or parse other GIO environment variables
+    when `AT_SECURE` is set (i.e. in a setuid/setgid/setcap
+    process). GIO has always been documented as not being safe to
+    use in privileged processes, but people persist in using it
+    unsafely, so these changes should harden things against
+    potential attacks at least a little. Unfortunately they break a
+    couple of projects which were relying on reading
+    `DBUS_SESSION_BUS_ADDRESS`, so GIO continues to read that for
+    setgid/setcap (but not setuid) processes. This loophole will be
+    closed in GLib 2.70 (see issue #2316), which should give
+    modules 6 months to change their behaviour.
+  + Fix `g_spawn()` searching `PATH` when it wasn’t meant to.
+  + Bugs fixed: bgo#2168, bgo#2210, bgo#2305, glgo#GNOME/GLib!1820,
+    glgo#GNOME/GLib!1824, glgo#GNOME/GLib!1831,
+    glgo#GNOME/GLib!1836, glgo#GNOME/GLib!1864,
+    glgo#GNOME/GLib!1872, glgo#GNOME/GLib!1913,
+    glgo#GNOME/GLib!1922.
+- Rebase/refresh patches:
+  + glib2-dbus-socket-path.patch
+  + glib2-fate300461-gettext-gkeyfile-suse.patch
+  + glib2-gdbus-codegen-version.patch
+  + glib2-suppress-schema-deprecated-path-warning.patch
+  + glib2-bgo569829-gettext-gkeyfile.patch
+
 -------------------------------------------------------------------
 Thu Dec 17 21:20:22 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>
 

glib2.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package glib2
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %bcond_without     systemtap
 %bcond_without gtk_doc
 Name:           glib2
-Version:        2.66.4
+Version:        2.66.6
 Release:        0
 Summary:        General-Purpose Utility Library
 License:        LGPL-2.1-or-later