pool/glib2
SHA256
17
0
Fork 1
Code Issues Pull Requests Activity

Compare commits

base: pool:factory
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main
..
compare: pool:slfo-1.2
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main

2 Commits
factory ... slfo-1.2

Author SHA256 Message Date
Mike Gorse
40a9b4402e CVE-2025-13601, CVE-2025-14087, CVE-2025-14512 2025-12-11 19:57:10 -06:00
Mike Gorse
9116a75155 Update to 2.84.4 2025-11-17 16:28:06 -06:00
13 changed files with 818 additions and 206 deletions
Expand all files Collapse all files

2
_service
View File

@@ -3,7 +3,7 @@
<service name="obs_scm" mode="manual">
<param name="scm">git</param>
<param name="url">https://gitlab.gnome.org/GNOME/glib.git</param>
<param name="revision">2.86.3</param>
<param name="revision">2.84.3</param>
<param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param>
<param name="versionrewrite-pattern">(.*)\+0</param>
<param name="versionrewrite-replacement">\1</param>

BIN
glib-2.84.4.obscpio LFS Normal file
View File

Binary file not shown.

3
glib-2.86.3.obscpio
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b124dd8bce608149d16f5276a2e5ef9464d9ae72bd219312775003fa3a0aab30
size 52911118

6
glib.obsinfo
View File

@@ -1,4 +1,4 @@
name: glib
version: 2.86.3
mtime: 1765208766
commit: 7a54787e16ceb20cecda8ad6caab05b24a61e414
version: 2.84.4
mtime: 1754671402
commit: 41eca60845d3fc309af361f5e7f801ba339099aa

132
glib2-CVE-2025-13601-1.patch Normal file
View File

@@ -0,0 +1,132 @@
From 9bcd65ba5fa1b92ff0fb8380faea335ccef56253 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Thu, 13 Nov 2025 18:27:22 +0000
Subject: [PATCH] gconvert: Error out if g_escape_uri_string() would overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the string to escape contains a very large number of unacceptable
characters (which would need escaping), the calculation of the length of
the escaped string could overflow, leading to a potential write off the
end of the newly allocated string.
In addition to that, the number of unacceptable characters was counted
in a signed integer, which would overflow to become negative, making it
easier for an attacker to craft an input string which would cause an
out-of-bounds write.
Fix that by validating the allocation length, and using an unsigned
integer to count the number of unacceptable characters.
Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
from the Sovereign Tech Agency. ID: #YWH-PGM9867-134
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Fixes: #3827
Backport 2.86: Changed the translatable error message to re-use an
existing translatable string, to avoid adding new translatable strings
to a stable branch. The re-used string doesnt perfectly match the
error, but its good enough given that no users will ever see it.
---
glib/gconvert.c | 36 +++++++++++++++++++++++++-----------
1 file changed, 25 insertions(+), 11 deletions(-)
diff --git a/glib/gconvert.c b/glib/gconvert.c
index 7ad8ca018..367e9b466 100644
--- a/glib/gconvert.c
+++ b/glib/gconvert.c
@@ -1336,8 +1336,9 @@ static const gchar hex[] = "0123456789ABCDEF";
/* Note: This escape function works on file: URIs, but if you want to
* escape something else, please read RFC-2396 */
static gchar *
-g_escape_uri_string (const gchar *string,
- UnsafeCharacterSet mask)
+g_escape_uri_string (const gchar *string,
+ UnsafeCharacterSet mask,
+ GError **error)
{
#define ACCEPTABLE(a) ((a)>=32 && (a)<128 && (acceptable[(a)-32] & use_mask))
@@ -1345,7 +1346,7 @@ g_escape_uri_string (const gchar *string,
gchar *q;
gchar *result;
int c;
- gint unacceptable;
+ size_t unacceptable;
UnsafeCharacterSet use_mask;
g_return_val_if_fail (mask == UNSAFE_ALL
@@ -1362,7 +1363,14 @@ g_escape_uri_string (const gchar *string,
if (!ACCEPTABLE (c))
unacceptable++;
}
-
+
+ if (unacceptable >= (G_MAXSIZE - (p - string)) / 2)
+ {
+ g_set_error_literal (error, G_CONVERT_ERROR, G_CONVERT_ERROR_BAD_URI,
+ _("Invalid hostname"));
+ return NULL;
+ }
+
result = g_malloc (p - string + unacceptable * 2 + 1);
use_mask = mask;
@@ -1387,12 +1395,13 @@ g_escape_uri_string (const gchar *string,
static gchar *
-g_escape_file_uri (const gchar *hostname,
- const gchar *pathname)
+g_escape_file_uri (const gchar *hostname,
+ const gchar *pathname,
+ GError **error)
{
char *escaped_hostname = NULL;
- char *escaped_path;
- char *res;
+ char *escaped_path = NULL;
+ char *res = NULL;
#ifdef G_OS_WIN32
char *p, *backslash;
@@ -1413,10 +1422,14 @@ g_escape_file_uri (const gchar *hostname,
if (hostname && *hostname != '\0')
{
- escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST);
+ escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST, error);
+ if (escaped_hostname == NULL)
+ goto out;
}
- escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH);
+ escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH, error);
+ if (escaped_path == NULL)
+ goto out;
res = g_strconcat ("file://",
(escaped_hostname) ? escaped_hostname : "",
@@ -1424,6 +1437,7 @@ g_escape_file_uri (const gchar *hostname,
escaped_path,
NULL);
+out:
#ifdef G_OS_WIN32
g_free ((char *) pathname);
#endif
@@ -1757,7 +1771,7 @@ g_filename_to_uri (const gchar *filename,
hostname = NULL;
#endif
- escaped_uri = g_escape_file_uri (hostname, filename);
+ escaped_uri = g_escape_file_uri (hostname, filename, error);
return escaped_uri;
}
--
2.52.0

127
glib2-CVE-2025-13601-2.patch Normal file
View File

@@ -0,0 +1,127 @@
From 7e5489cb921d0531ee4ebc9938da30a02084b2fa Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Thu, 13 Nov 2025 18:31:43 +0000
Subject: [PATCH] fuzzing: Add fuzz tests for g_filename_{to,from}_uri()
These functions could be called on untrusted input data, and since they
do URI escaping/unescaping, they have non-trivial string handling code.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
See: #3827
---
fuzzing/fuzz_filename_from_uri.c | 40 ++++++++++++++++++++++++++++++++
fuzzing/fuzz_filename_to_uri.c | 40 ++++++++++++++++++++++++++++++++
fuzzing/meson.build | 2 ++
3 files changed, 82 insertions(+)
create mode 100644 fuzzing/fuzz_filename_from_uri.c
create mode 100644 fuzzing/fuzz_filename_to_uri.c
diff --git a/fuzzing/fuzz_filename_from_uri.c b/fuzzing/fuzz_filename_from_uri.c
new file mode 100644
index 000000000..9b7a715f0
--- /dev/null
+++ b/fuzzing/fuzz_filename_from_uri.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2025 GNOME Foundation, Inc.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "fuzz.h"
+
+int
+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
+{
+ unsigned char *nul_terminated_data = NULL;
+ char *filename = NULL;
+ GError *local_error = NULL;
+
+ fuzz_set_logging_func ();
+
+ /* ignore @size (g_filename_from_uri() doesnt support it); ensure @data is nul-terminated */
+ nul_terminated_data = (unsigned char *) g_strndup ((const char *) data, size);
+ filename = g_filename_from_uri ((const char *) nul_terminated_data, NULL, &local_error);
+ g_free (nul_terminated_data);
+
+ g_free (filename);
+ g_clear_error (&local_error);
+
+ return 0;
+}
diff --git a/fuzzing/fuzz_filename_to_uri.c b/fuzzing/fuzz_filename_to_uri.c
new file mode 100644
index 000000000..acb319203
--- /dev/null
+++ b/fuzzing/fuzz_filename_to_uri.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2025 GNOME Foundation, Inc.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "fuzz.h"
+
+int
+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
+{
+ unsigned char *nul_terminated_data = NULL;
+ char *uri = NULL;
+ GError *local_error = NULL;
+
+ fuzz_set_logging_func ();
+
+ /* ignore @size (g_filename_to_uri() doesnt support it); ensure @data is nul-terminated */
+ nul_terminated_data = (unsigned char *) g_strndup ((const char *) data, size);
+ uri = g_filename_to_uri ((const char *) nul_terminated_data, NULL, &local_error);
+ g_free (nul_terminated_data);
+
+ g_free (uri);
+ g_clear_error (&local_error);
+
+ return 0;
+}
diff --git a/fuzzing/meson.build b/fuzzing/meson.build
index addbe9071..05f936eeb 100644
--- a/fuzzing/meson.build
+++ b/fuzzing/meson.build
@@ -25,6 +25,8 @@ fuzz_targets = [
'fuzz_date_parse',
'fuzz_date_time_new_from_iso8601',
'fuzz_dbus_message',
+ 'fuzz_filename_from_uri',
+ 'fuzz_filename_to_uri',
'fuzz_get_locale_variants',
'fuzz_inet_address_mask_new_from_string',
'fuzz_inet_address_new_from_string',
--
2.52.0

68
glib2-CVE-2025-14087-1.patch Normal file
View File

@@ -0,0 +1,68 @@
From 3e72fe0fbb32c18a66486c4da8bc851f656af287 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Tue, 25 Nov 2025 19:02:56 +0000
Subject: [PATCH] gvariant-parser: Fix potential integer overflow parsing
(byte)strings
The termination condition for parsing string and bytestring literals in
GVariant text format input was subject to an integer overflow for input
string (or bytestring) literals longer than `INT_MAX`.
Fix that by counting as a `size_t` rather than as an `int`. The counter
can never correctly be negative.
Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
from the Sovereign Tech Agency. ID: #YWH-PGM9867-145
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Fixes: #3834
---
glib/gvariant-parser.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
index 2f1d3db9f..2d6e9856f 100644
--- a/glib/gvariant-parser.c
+++ b/glib/gvariant-parser.c
@@ -609,7 +609,7 @@ ast_resolve (AST *ast,
{
GVariant *value;
gchar *pattern;
- gint i, j = 0;
+ size_t i, j = 0;
pattern = ast_get_pattern (ast, error);
@@ -1637,9 +1637,9 @@ string_free (AST *ast)
*/
static gboolean
unicode_unescape (const gchar *src,
- gint *src_ofs,
+ size_t *src_ofs,
gchar *dest,
- gint *dest_ofs,
+ size_t *dest_ofs,
gsize length,
SourceRef *ref,
GError **error)
@@ -1700,7 +1700,7 @@ string_parse (TokenStream *stream,
gsize length;
gchar quote;
gchar *str;
- gint i, j;
+ size_t i, j;
token_stream_start_ref (stream, &ref);
token = token_stream_get (stream);
@@ -1833,7 +1833,7 @@ bytestring_parse (TokenStream *stream,
gsize length;
gchar quote;
gchar *str;
- gint i, j;
+ size_t i, j;
token_stream_start_ref (stream, &ref);
token = token_stream_get (stream);
--
2.52.0

239
glib2-CVE-2025-14087-2.patch Normal file
View File

@@ -0,0 +1,239 @@
From 6fe481cec709ec65b5846113848723bc25a8782a Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Tue, 25 Nov 2025 19:19:16 +0000
Subject: [PATCH] gvariant-parser: Use size_t to count numbers of child
elements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Rather than using `gint`, which could overflow for arrays (or dicts, or
tuples) longer than `INT_MAX`. There may be other limits which prevent
parsed containers becoming that long, but we might as well make the type
system reflect the programmers intention as best it can anyway.
For arrays and tuples this is straightforward. For dictionaries, its
slightly complicated by the fact that the code used
`dict->n_children == -1` to indicate that the `Dictionary` struct in
question actually represented a single freestanding dict entry. In
GVariant text format, that would be `{1, "one"}`.
The implementation previously didnt define the semantics of
`dict->n_children < -1`.
Now, instead, change `Dictionary.n_children` to `size_t`, and define a
magic value `DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY` to indicate that
the `Dictionary` represents a single freestanding dict entry.
This magic value is `SIZE_MAX`, and given that a dictionary entry takes
more than one byte to represent in GVariant text format, that means its
not possible to have that many entries in a parsed dictionary, so this
magic value wont be hit by a normal dictionary. An assertion checks
this anyway.
Spotted while working on #3834.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
---
glib/gvariant-parser.c | 58 ++++++++++++++++++++++++------------------
1 file changed, 33 insertions(+), 25 deletions(-)
diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
index 2d6e9856f..519baa3f3 100644
--- a/glib/gvariant-parser.c
+++ b/glib/gvariant-parser.c
@@ -662,9 +662,9 @@ static AST *parse (TokenStream *stream,
GError **error);
static void
-ast_array_append (AST ***array,
- gint *n_items,
- AST *ast)
+ast_array_append (AST ***array,
+ size_t *n_items,
+ AST *ast)
{
if ((*n_items & (*n_items - 1)) == 0)
*array = g_renew (AST *, *array, *n_items ? 2 ** n_items : 1);
@@ -673,10 +673,10 @@ ast_array_append (AST ***array,
}
static void
-ast_array_free (AST **array,
- gint n_items)
+ast_array_free (AST **array,
+ size_t n_items)
{
- gint i;
+ size_t i;
for (i = 0; i < n_items; i++)
ast_free (array[i]);
@@ -685,11 +685,11 @@ ast_array_free (AST **array,
static gchar *
ast_array_get_pattern (AST **array,
- gint n_items,
+ size_t n_items,
GError **error)
{
gchar *pattern;
- gint i;
+ size_t i;
/* Find the pattern which applies to all children in the array, by l-folding a
* coalesce operation.
@@ -721,7 +721,7 @@ ast_array_get_pattern (AST **array,
* pair of values.
*/
{
- int j = 0;
+ size_t j = 0;
while (TRUE)
{
@@ -969,7 +969,7 @@ typedef struct
AST ast;
AST **children;
- gint n_children;
+ size_t n_children;
} Array;
static gchar *
@@ -1002,7 +1002,7 @@ array_get_value (AST *ast,
Array *array = (Array *) ast;
const GVariantType *childtype;
GVariantBuilder builder;
- gint i;
+ size_t i;
if (!g_variant_type_is_array (type))
return ast_type_error (ast, type, error);
@@ -1088,7 +1088,7 @@ typedef struct
AST ast;
AST **children;
- gint n_children;
+ size_t n_children;
} Tuple;
static gchar *
@@ -1098,7 +1098,7 @@ tuple_get_pattern (AST *ast,
Tuple *tuple = (Tuple *) ast;
gchar *result = NULL;
gchar **parts;
- gint i;
+ size_t i;
parts = g_new (gchar *, tuple->n_children + 4);
parts[tuple->n_children + 1] = (gchar *) ")";
@@ -1128,7 +1128,7 @@ tuple_get_value (AST *ast,
Tuple *tuple = (Tuple *) ast;
const GVariantType *childtype;
GVariantBuilder builder;
- gint i;
+ size_t i;
if (!g_variant_type_is_tuple (type))
return ast_type_error (ast, type, error);
@@ -1320,9 +1320,16 @@ typedef struct
AST **keys;
AST **values;
- gint n_children;
+
+ /* Iff this is DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY then this struct
+ * represents a single freestanding dict entry (`{1, "one"}`) rather than a
+ * full dict. In the freestanding case, @keys and @values have exactly one
+ * member each. */
+ size_t n_children;
} Dictionary;
+#define DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY ((size_t) -1)
+
static gchar *
dictionary_get_pattern (AST *ast,
GError **error)
@@ -1337,7 +1344,7 @@ dictionary_get_pattern (AST *ast,
return g_strdup ("Ma{**}");
key_pattern = ast_array_get_pattern (dict->keys,
- abs (dict->n_children),
+ (dict->n_children == DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY) ? 1 : dict->n_children,
error);
if (key_pattern == NULL)
@@ -1368,7 +1375,7 @@ dictionary_get_pattern (AST *ast,
return NULL;
result = g_strdup_printf ("M%s{%c%s}",
- dict->n_children > 0 ? "a" : "",
+ (dict->n_children > 0 && dict->n_children != DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY) ? "a" : "",
key_char, value_pattern);
g_free (value_pattern);
@@ -1382,7 +1389,7 @@ dictionary_get_value (AST *ast,
{
Dictionary *dict = (Dictionary *) ast;
- if (dict->n_children == -1)
+ if (dict->n_children == DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY)
{
const GVariantType *subtype;
GVariantBuilder builder;
@@ -1415,7 +1422,7 @@ dictionary_get_value (AST *ast,
{
const GVariantType *entry, *key, *val;
GVariantBuilder builder;
- gint i;
+ size_t i;
if (!g_variant_type_is_subtype_of (type, G_VARIANT_TYPE_DICTIONARY))
return ast_type_error (ast, type, error);
@@ -1456,12 +1463,12 @@ static void
dictionary_free (AST *ast)
{
Dictionary *dict = (Dictionary *) ast;
- gint n_children;
+ size_t n_children;
- if (dict->n_children > -1)
- n_children = dict->n_children;
- else
+ if (dict->n_children == DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY)
n_children = 1;
+ else
+ n_children = dict->n_children;
ast_array_free (dict->keys, n_children);
ast_array_free (dict->values, n_children);
@@ -1479,7 +1486,7 @@ dictionary_parse (TokenStream *stream,
maybe_wrapper, dictionary_get_value,
dictionary_free
};
- gint n_keys, n_values;
+ size_t n_keys, n_values;
gboolean only_one;
Dictionary *dict;
AST *first;
@@ -1522,7 +1529,7 @@ dictionary_parse (TokenStream *stream,
goto error;
g_assert (n_keys == 1 && n_values == 1);
- dict->n_children = -1;
+ dict->n_children = DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY;
return (AST *) dict;
}
@@ -1555,6 +1562,7 @@ dictionary_parse (TokenStream *stream,
}
g_assert (n_keys == n_values);
+ g_assert (n_keys != DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY);
dict->n_children = n_keys;
return (AST *) dict;
--
2.52.0

149
glib2-CVE-2025-14087-3.patch Normal file
View File

@@ -0,0 +1,149 @@
From dd333a40aa95819720a01caf6de564cd8a4a6310 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Tue, 25 Nov 2025 19:25:58 +0000
Subject: [PATCH] gvariant-parser: Convert error handling code to use size_t
The error handling code allows for printing out the range of input bytes
related to a parsing error. This was previously done using `gint`, but
the input could be longer than `INT_MAX`, so it should really be done
using `size_t`.
Spotted while working on #3834.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
---
glib/gvariant-parser.c | 36 +++++++++++++++++++++++-------------
1 file changed, 23 insertions(+), 13 deletions(-)
diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
index 519baa3f3..1b1ddd654 100644
--- a/glib/gvariant-parser.c
+++ b/glib/gvariant-parser.c
@@ -91,7 +91,9 @@ g_variant_parser_get_error_quark (void)
typedef struct
{
- gint start, end;
+ /* Offsets from the start of the input, in bytes. Can be equal when referring
+ * to a point rather than a range. The invariant `end >= start` always holds. */
+ size_t start, end;
} SourceRef;
G_GNUC_PRINTF(5, 0)
@@ -106,14 +108,16 @@ parser_set_error_va (GError **error,
GString *msg = g_string_new (NULL);
if (location->start == location->end)
- g_string_append_printf (msg, "%d", location->start);
+ g_string_append_printf (msg, "%" G_GSIZE_FORMAT, location->start);
else
- g_string_append_printf (msg, "%d-%d", location->start, location->end);
+ g_string_append_printf (msg, "%" G_GSIZE_FORMAT "-%" G_GSIZE_FORMAT,
+ location->start, location->end);
if (other != NULL)
{
g_assert (other->start != other->end);
- g_string_append_printf (msg, ",%d-%d", other->start, other->end);
+ g_string_append_printf (msg, ",%" G_GSIZE_FORMAT "-%" G_GSIZE_FORMAT,
+ other->start, other->end);
}
g_string_append_c (msg, ':');
@@ -140,11 +144,15 @@ parser_set_error (GError **error,
typedef struct
{
+ /* We should always have the following ordering constraint:
+ * start <= this <= stream <= end
+ * Additionally, unless in an error or EOF state, `this < stream`.
+ */
const gchar *start;
const gchar *stream;
const gchar *end;
- const gchar *this;
+ const gchar *this; /* (nullable) */
} TokenStream;
@@ -175,7 +183,7 @@ token_stream_set_error (TokenStream *stream,
static gboolean
token_stream_prepare (TokenStream *stream)
{
- gint brackets = 0;
+ gssize brackets = 0;
const gchar *end;
if (stream->this != NULL)
@@ -407,7 +415,7 @@ static void
pattern_copy (gchar **out,
const gchar **in)
{
- gint brackets = 0;
+ gssize brackets = 0;
while (**in == 'a' || **in == 'm' || **in == 'M')
*(*out)++ = *(*in)++;
@@ -2765,7 +2773,7 @@ g_variant_builder_add_parsed (GVariantBuilder *builder,
static gboolean
parse_num (const gchar *num,
const gchar *limit,
- guint *result)
+ size_t *result)
{
gchar *endptr;
gint64 bignum;
@@ -2775,10 +2783,12 @@ parse_num (const gchar *num,
if (endptr != limit)
return FALSE;
+ /* The upper bound here is more restrictive than it technically needs to be,
+ * but should be enough for any practical situation: */
if (bignum < 0 || bignum > G_MAXINT)
return FALSE;
- *result = (guint) bignum;
+ *result = (size_t) bignum;
return TRUE;
}
@@ -2789,7 +2799,7 @@ add_last_line (GString *err,
{
const gchar *last_nl;
gchar *chomped;
- gint i;
+ size_t i;
/* This is an error at the end of input. If we have a file
* with newlines, that's probably the empty string after the
@@ -2934,7 +2944,7 @@ g_variant_parse_error_print_context (GError *error,
if (dash == NULL || colon < dash)
{
- guint point;
+ size_t point;
/* we have a single point */
if (!parse_num (error->message, colon, &point))
@@ -2952,7 +2962,7 @@ g_variant_parse_error_print_context (GError *error,
/* We have one or two ranges... */
if (comma && comma < colon)
{
- guint start1, end1, start2, end2;
+ size_t start1, end1, start2, end2;
const gchar *dash2;
/* Two ranges */
@@ -2968,7 +2978,7 @@ g_variant_parse_error_print_context (GError *error,
}
else
{
- guint start, end;
+ size_t start, end;
/* One range */
if (!parse_num (error->message, dash, &start) || !parse_num (dash + 1, colon, &end))
--
2.52.0

69
glib2-CVE-2025-14512.patch Normal file
View File

@@ -0,0 +1,69 @@
From 4f0399c0aaf3ffc86b5625424580294bc7460404 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Thu, 4 Dec 2025 16:37:19 +0000
Subject: [PATCH] gfileattribute: Fix integer overflow calculating escaping for
byte strings
The number of invalid characters in the byte string (characters which
would have to be percent-encoded) was only stored in an `int`, which
gave the possibility of a long string largely full of invalid
characters overflowing this and allowing an attacker-controlled buffer
size to be allocated.
This could be triggered by an attacker controlled file attribute (of
type `G_FILE_ATTRIBUTE_TYPE_BYTE_STRING`), such as
`G_FILE_ATTRIBUTE_THUMBNAIL_PATH` or `G_FILE_ATTRIBUTE_STANDARD_NAME`,
being read by user code.
Spotted by Codean Labs.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Fixes: #3845
---
gio/gfileattribute.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/gio/gfileattribute.c b/gio/gfileattribute.c
index c6fde60fa..d3083e5bd 100644
--- a/gio/gfileattribute.c
+++ b/gio/gfileattribute.c
@@ -22,6 +22,7 @@
#include "config.h"
+#include <stdint.h>
#include <string.h>
#include "gfileattribute.h"
@@ -166,11 +167,12 @@ valid_char (char c)
return c >= 32 && c <= 126 && c != '\\';
}
+/* Returns NULL on error */
static char *
escape_byte_string (const char *str)
{
size_t i, len;
- int num_invalid;
+ size_t num_invalid;
char *escaped_val, *p;
unsigned char c;
const char hex_digits[] = "0123456789abcdef";
@@ -188,7 +190,12 @@ escape_byte_string (const char *str)
return g_strdup (str);
else
{
- escaped_val = g_malloc (len + num_invalid*3 + 1);
+ /* Check for overflow. We want to check the inequality:
+ * !(len + num_invalid * 3 + 1 > SIZE_MAX) */
+ if (num_invalid >= (SIZE_MAX - len) / 3)
+ return NULL;
+
+ escaped_val = g_malloc (len + num_invalid * 3 + 1);
p = escaped_val;
for (i = 0; i < len; i++)
--
2.52.0

57
glib2-CVE-2026-0988.patch
View File

@@ -1,57 +0,0 @@
From c5766cff61ffce0b8e787eae09908ac348338e5f Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Thu, 18 Dec 2025 23:12:18 +0000
Subject: [PATCH] gbufferedinputstream: Fix a potential integer overflow in
peek()
If the caller provides `offset` and `count` arguments which overflow,
their sum will overflow and could lead to `memcpy()` reading out more
memory than expected.
Spotted by Codean Labs.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Fixes: #3851
---
gio/gbufferedinputstream.c | 2 +-
gio/tests/buffered-input-stream.c | 10 ++++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/gio/gbufferedinputstream.c b/gio/gbufferedinputstream.c
index 9e6bacc62..56d656be0 100644
--- a/gio/gbufferedinputstream.c
+++ b/gio/gbufferedinputstream.c
@@ -591,7 +591,7 @@ g_buffered_input_stream_peek (GBufferedInputStream *stream,
available = g_buffered_input_stream_get_available (stream);
- if (offset > available)
+ if (offset > available || offset > G_MAXSIZE - count)
return 0;
end = MIN (offset + count, available);
diff --git a/gio/tests/buffered-input-stream.c b/gio/tests/buffered-input-stream.c
index a1af4eeff..2b2a0d9aa 100644
--- a/gio/tests/buffered-input-stream.c
+++ b/gio/tests/buffered-input-stream.c
@@ -60,6 +60,16 @@ test_peek (void)
g_assert_cmpint (npeek, ==, 0);
g_free (buffer);
+ buffer = g_new0 (char, 64);
+ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 8, 0);
+ g_assert_cmpint (npeek, ==, 0);
+ g_free (buffer);
+
+ buffer = g_new0 (char, 64);
+ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 5, G_MAXSIZE);
+ g_assert_cmpint (npeek, ==, 0);
+ g_free (buffer);
+
g_object_unref (in);
g_object_unref (base);
}
--
2.52.0

147
glib2.changes
View File

@@ -1,144 +1,19 @@
-------------------------------------------------------------------
Wed Jan 21 16:28:18 UTC 2026 - Michael Gorse <mgorse@suse.com>
Thu Dec 11 19:38:27 UTC 2025 - Michael Gorse <mgorse@suse.com>
- Add glib2-CVE-2026-0988.patch: fix a potential integer overflow
in g_buffered_input_stream_peek (bsc#1257049 CVE-2026-0988
glgo#GNOME/glib#3851).
-------------------------------------------------------------------
Mon Dec 8 19:35:09 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 2.86.3:
+ Fix several security vulnerabilities of varying severity (see
below for details):
+ Bugs fixed:
- (CVE-2025-13601) (#YWH-PGM9867-134) Incorrect calculation of
buffer size in g_escape_uri_string()
- (#YWH-PGM9867-145) Buffer underflow on Glib through
glib/gvariant via bytestring_parse() or string_parse() leads
to OOB Write
- GIO: Integer overflow in file attribute escaping
- G_FILE_MONITOR_WATCH_HARD_LINK does not monitor files on
Windows
- gconvert: Error out if g_escape_uri_string() would overflow
- gvariant-parser: Fix potential integer overflow parsing
(byte)strings
- gfileattribute: Fix integer overflow calculating escaping for
byte strings
-------------------------------------------------------------------
Tue Nov 18 22:08:32 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 2.86.2:
+ Fix tests when run against pcre2 10.47
+ Bugs fixed:
- GRegex tests fail with pcre2 10.47: different error for
^(a)\g{3
- g_get_user_special_dir doesn't strip trailing slash from
$HOME/
- gresolver: Fix loopback detection of IPv6 addresses
- gregex: Handle PCRE2_ERROR_MISSING_NUMBER_TERMINATOR if
defined
- Fix g_memory_monitor_base_query_mem_ratio on Solaris
- gutils: Strip all trailing slashes
-------------------------------------------------------------------
Fri Nov 14 08:32:24 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
- dbus-launch only works with dbus-1-daemon, not dbus-broker
[bnc#1253497]
-------------------------------------------------------------------
Fri Nov 14 08:23:46 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
- Update to version 2.86.1+11:
+ gregex: Handle PCRE2_ERROR_MISSING_NUMBER_TERMINATOR if
defined.
+ gutils: Strip all trailing slashes (boo#1253163)
+ gio: add fallback implementation of
g_memory_monitor_base_query_mem_ratio.
-------------------------------------------------------------------
Tue Oct 21 14:50:21 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 2.86.1:
+ Bugs fixed:
- GIRepository: union fields offsets for compiled typelibs all
have offset 0xffff
- `gio/tests/socket-listener` requires dlsym
- GLib.OptionContext's get_help() includes width of invisible
options
- Memory leak related to g_get_home_dir
- Gio.AppInfo.launch_default_for_uri_async crashes with
non-existent paths
- GNetworkMonitor's netlink backend doesn't notify connectivity
change
- ghash: Fix entry_is_big for CHERI architecture
- ghash: Handle all table sizes in iterator
- gbookmarkfile: Escape icon href and mime-type
- docs: Add Luca Bacci as a co-maintainer of the Windows code
- tests: Fix clang compilation warnings
- gmem: Replace SIZE_OVERFLOWS with g_size_checked_mul
- gstrfuncs: Check string length in g_strescape
- gutils: Improve load_user_special_dirs' user-dirs.dirs parser
- gutils: Handle singletons in unlocked functions
- ghostutils: Treat 0x80 (and above) as non-ASCII
- various fixes to user-dirs.dirs handling in gutils
- girnode: Fix computation of union member offsets
- gopenuriportal: Fix a crash when the file cant be opened
- gtype: Use transfer none for types (un)ref functions
- gnetworkmonitorbase: Add missing notify::connectivity signal
+ Updated translations.
-------------------------------------------------------------------
Fri Sep 5 15:16:30 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
- Update to version 2.86.0:
+ Rework how platform-specific introspected GIO APIs have to be
imported to fix problems with backwards-compatibility provision
for it, by removing duplicate platform-specific symbols from
`Gio-2.0`.
+ Fix file existence queries on Solaris, broken due to unexpected
flags handling within `faccessat()`
+ Updated translations
-------------------------------------------------------------------
Wed Aug 27 06:50:24 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
- Update to version 2.85.4:
+ Follow symlink (instead of overwriting it) when updating
`mimeapps.list`
- Changes from version 2.85.3:
+ Fix encoding of output from `g_print()` and `g_printerr()` when
locale is set to `.utf8` on Windows.
- Changes from version 2.85.2:
+ New Linux PSI based backend for `GMemoryMonitor` as an option
to use instead of the existing Low Memory Monitor daemon
backend.
- Changes from version 2.85.1:
+ Re-add the option of a singleton to `GIRepository`.
+ Add support for the `e` flag (O_CLOEXEC) to `g_fopen()`
+ Make the `sysprof` Meson option yield when using GLib as a
subproject
+ Use the Meson built-in `localedir` option
- Changes from version 2.85.0:
+ Preserve mode for existing file when creating a temporary file
for atomic updates with g_file_set_contents()
+ Fix race conditions between g_main_context_unref() and
g_source_*() methods
+ Allow file handles inside nested containers when using the
`gdbus call` command
+ Fix DNS resolution of local addresses in offline mode
+ Various performance improvements to GObject locking
+ Prefer matches occurring earlier in the string when searching
`GDesktopAppInfo`s, improving search for apps in gnome-shell
+ Fix thread safety of `GClosure` flags
+ Updated translations.
- Add CVE fixes:
+ glib2-CVE-2025-13601-1.patch, glib2-CVE-2025-13601-2.patch
(bsc#1254297 CVE-2025-13601 glgo#GNOME/glib#3827).
+ glib2-CVE-2025-14087-1.patch, glib2-CVE-2025-14087-2.patch,
glib2-CVE-2025-14087-3.patch (bsc#1254662 CVE-2025-14087
glgo#GNOME/glib#3834).
+ glib2-CVE-2025-14512.patch (bsc#1254878 CVE-2025-14512
glgo#GNOME/glib#3845).
-------------------------------------------------------------------
Fri Aug 8 18:05:27 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 2.84.4:
- Update to version 2.84.4 (bsc#1249055):
+ Bugs fixed:
- (CVE-2025-7039) (#YWH-PGM9867-104) Buffer Under-read on GLib
through glib/gfileutils.c via get_tmp_file()
@@ -8167,7 +8042,7 @@ Thu Apr 12 16:41:43 CDT 2007 - maw@suse.de
- Pass --enable-static to configure (#263998).
-------------------------------------------------------------------
Wed Mar 21 12:38:24 UTC 2007 - maw@suse.de
Wed Mar 21 12:38:24 CST 2007 - maw@suse.de
- Update to version 2.12.11
- Fixes for bugzilla.gnome.org 399611, 350802, 416062, 346808,

22
glib2.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package glib2
#
# Copyright (c) 2026 SUSE LLC and contributors
# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -37,7 +37,7 @@
%define libgthread libgthread-%{libver}
%define libgirepository libgirepository-%{libver}
Name: glib2%{psuffix}
Version: 2.86.3
Version: 2.84.4
Release: 0
Summary: General-Purpose Utility Library
License: LGPL-2.1-or-later
@@ -65,8 +65,18 @@ Patch1: glib2-fate300461-gettext-gkeyfile-suse.patch
Patch2: glib2-suppress-schema-deprecated-path-warning.patch
# PATCH-FIX-OPENSUSE glib2-gdbus-codegen-version.patch olaf@aepfle.de -- Remove version string from files generated by gdbus-codegen
Patch4: glib2-gdbus-codegen-version.patch
# PATCH-FIX-UPSTREAM glib2-CVE-2026-0988.patch bsc#1256049 mgorse@suse.com -- fix a potential integer overflow in g_buffered_input_stream_peek.
Patch5: glib2-CVE-2026-0988.patch
# PATCH-FIX-UPSTREAM glib2-CVE-2025-13601-1.patch bsc#1254297 mgorse@suse.com -- gconvert: Error out if g_escape_uri_string() would overflow.
Patch5: glib2-CVE-2025-13601-1.patch
# PATCH-FIX-UPSTREAM glib2-CVE-2025-13601-2.patch bsc#1254297 mgorse@suse.com -- add fuzz tests for g_filename_{to,from}_uri().
Patch6: glib2-CVE-2025-13601-2.patch
# PATCH-FIX-UPSTREAM glib2-CVE-2025-14087-1.patch bsc#1254662 mgorse@suse.com -- gvariant-parser: Fix potential integer overflow parsing (byte)strings.
Patch7: glib2-CVE-2025-14087-1.patch
# PATCH-FIX-UPSTREAM glib2-CVE-2025-14087-2.patch bsc#1254662 mgorse@suse.com -- gvariant-parser: Use size_t to count numbers of child elements.
Patch8: glib2-CVE-2025-14087-2.patch
# PATCH-FIX-UPSTREAM glib2-CVE-2025-14087-3.patch bsc#1254662 mgorse@suse.com -- gvariant-parser: Convert error handling code to use size_t.
Patch9: glib2-CVE-2025-14087-3.patch
# PATCH-FIX-UPSTREAM glib2-CVE-2025-14512.patch bsc#1254878 mgorse@suse.com -- gfileattribute: Fix interger overflow calculating escaping for byte strings.
Patch10: glib2-CVE-2025-14512.patch
BuildRequires: docbook-xsl-stylesheets
BuildRequires: fdupes
BuildRequires: gcc-c++
@@ -233,8 +243,8 @@ Group: System/Libraries
# The tools are useful for people having libgio
# bnc#555605: shared-mime-info is required by libgio to properly detect mime types, but not during build
#!BuildIgnore: shared-mime-info
# bnc#1253497: dbus-launch only works with dbus-1-daemon, not dbus-broker
Requires: (%{_bindir}/dbus-launch if dbus-1-daemon)
# bnc#678518: libgio interacts with others by means of dbus-launch
Requires: (%{_bindir}/dbus-launch if dbus-service)
Requires: %{name}-tools
Requires: gio-branding = %{version}
Requires: shared-mime-info