Accepting request 1328598 from GNOME:Factory

OBS-URL: https://build.opensuse.org/request/show/1328598
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/glib2?expand=0&rev=301

_service

@@ -3,7 +3,7 @@
   <service name="obs_scm" mode="manual">
     <param name="scm">git</param>
     <param name="url">https://gitlab.gnome.org/GNOME/glib.git</param>
-    <param name="revision">2.84.3</param>
+    <param name="revision">2.86.3</param>
     <param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param>
     <param name="versionrewrite-pattern">(.*)\+0</param>
     <param name="versionrewrite-replacement">\1</param>

glib-2.86.3.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b124dd8bce608149d16f5276a2e5ef9464d9ae72bd219312775003fa3a0aab30
+size 52911118

glib.obsinfo

@@ -1,4 +1,4 @@
 name: glib
-version: 2.84.3
-mtime: 1749815759
-commit: 78cd78d2988616d9af0e8f43e703717d092cd3ff
+version: 2.86.3
+mtime: 1765208766
+commit: 7a54787e16ceb20cecda8ad6caab05b24a61e414

glib2-CVE-2026-0988.patch

@@ -0,0 +1,57 @@
+From c5766cff61ffce0b8e787eae09908ac348338e5f Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 18 Dec 2025 23:12:18 +0000
+Subject: [PATCH] gbufferedinputstream: Fix a potential integer overflow in
+ peek()
+
+If the caller provides `offset` and `count` arguments which overflow,
+their sum will overflow and could lead to `memcpy()` reading out more
+memory than expected.
+
+Spotted by Codean Labs.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+Fixes: #3851
+---
+ gio/gbufferedinputstream.c        |  2 +-
+ gio/tests/buffered-input-stream.c | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/gio/gbufferedinputstream.c b/gio/gbufferedinputstream.c
+index 9e6bacc62..56d656be0 100644
+--- a/gio/gbufferedinputstream.c
++++ b/gio/gbufferedinputstream.c
+@@ -591,7 +591,7 @@ g_buffered_input_stream_peek (GBufferedInputStream *stream,
+ 
+   available = g_buffered_input_stream_get_available (stream);
+ 
+-  if (offset > available)
++  if (offset > available || offset > G_MAXSIZE - count)
+     return 0;
+ 
+   end = MIN (offset + count, available);
+diff --git a/gio/tests/buffered-input-stream.c b/gio/tests/buffered-input-stream.c
+index a1af4eeff..2b2a0d9aa 100644
+--- a/gio/tests/buffered-input-stream.c
++++ b/gio/tests/buffered-input-stream.c
+@@ -60,6 +60,16 @@ test_peek (void)
+   g_assert_cmpint (npeek, ==, 0);
+   g_free (buffer);
+ 
++  buffer = g_new0 (char, 64);
++  npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 8, 0);
++  g_assert_cmpint (npeek, ==, 0);
++  g_free (buffer);
++
++  buffer = g_new0 (char, 64);
++  npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 5, G_MAXSIZE);
++  g_assert_cmpint (npeek, ==, 0);
++  g_free (buffer);
++
+   g_object_unref (in);
+   g_object_unref (base);
+ }
+-- 
+2.52.0
+

glib2.changes

@@ -1,3 +1,157 @@
+-------------------------------------------------------------------
+Wed Jan 21 16:28:18 UTC 2026 - Michael Gorse <mgorse@suse.com>
+
+- Add glib2-CVE-2026-0988.patch: fix a potential integer overflow
+  in g_buffered_input_stream_peek (bsc#1257049 CVE-2026-0988
+  glgo#GNOME/glib#3851).
+
+-------------------------------------------------------------------
+Mon Dec  8 19:35:09 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.86.3:
+  + Fix several security vulnerabilities of varying severity (see
+    below for details):
+  + Bugs fixed:
+    - (CVE-2025-13601) (#YWH-PGM9867-134) Incorrect calculation of
+      buffer size in g_escape_uri_string()
+    - (#YWH-PGM9867-145) Buffer underflow on Glib through
+      glib/gvariant via bytestring_parse() or string_parse() leads
+      to OOB Write
+    - GIO: Integer overflow in file attribute escaping
+    - G_FILE_MONITOR_WATCH_HARD_LINK does not monitor files on
+      Windows
+    - gconvert: Error out if g_escape_uri_string() would overflow
+    - gvariant-parser: Fix potential integer overflow parsing
+      (byte)strings
+    - gfileattribute: Fix integer overflow calculating escaping for
+      byte strings
+
+-------------------------------------------------------------------
+Tue Nov 18 22:08:32 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.86.2:
+  + Fix tests when run against pcre2 10.47
+  + Bugs fixed:
+    - GRegex tests fail with pcre2 10.47: different error for
+      ^(a)\g{3
+    - g_get_user_special_dir doesn't strip trailing slash from
+      $HOME/
+    - gresolver: Fix loopback detection of IPv6 addresses
+    - gregex: Handle PCRE2_ERROR_MISSING_NUMBER_TERMINATOR if
+      defined
+    - Fix g_memory_monitor_base_query_mem_ratio on Solaris
+    - gutils: Strip all trailing slashes
+
+-------------------------------------------------------------------
+Fri Nov 14 08:32:24 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
+
+- dbus-launch only works with dbus-1-daemon, not dbus-broker
+  [bnc#1253497]
+
+-------------------------------------------------------------------
+Fri Nov 14 08:23:46 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Update to version 2.86.1+11:
+  + gregex: Handle PCRE2_ERROR_MISSING_NUMBER_TERMINATOR if
+    defined.
+  + gutils: Strip all trailing slashes (boo#1253163)
+  + gio: add fallback implementation of
+    g_memory_monitor_base_query_mem_ratio.
+
+-------------------------------------------------------------------
+Tue Oct 21 14:50:21 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.86.1:
+  + Bugs fixed:
+    - GIRepository: union fields offsets for compiled typelibs all
+      have offset 0xffff
+    - `gio/tests/socket-listener` requires dlsym
+    - GLib.OptionContext's get_help() includes width of invisible
+      options
+    - Memory leak related to g_get_home_dir
+    - Gio.AppInfo.launch_default_for_uri_async crashes with
+      non-existent paths
+    - GNetworkMonitor's netlink backend doesn't notify connectivity
+      change
+    - ghash: Fix entry_is_big for CHERI architecture
+    - ghash: Handle all table sizes in iterator
+    - gbookmarkfile: Escape icon href and mime-type
+    - docs: Add Luca Bacci as a co-maintainer of the Windows code
+    - tests: Fix clang compilation warnings
+    - gmem: Replace SIZE_OVERFLOWS with g_size_checked_mul
+    - gstrfuncs: Check string length in g_strescape
+    - gutils: Improve load_user_special_dirs' user-dirs.dirs parser
+    - gutils: Handle singletons in unlocked functions
+    - ghostutils: Treat 0x80 (and above) as non-ASCII
+    - various fixes to user-dirs.dirs handling in gutils
+    - girnode: Fix computation of union member offsets
+    - gopenuriportal: Fix a crash when the file can’t be opened
+    - gtype: Use transfer none for types (un)ref functions
+    - gnetworkmonitorbase: Add missing notify::connectivity signal
+  + Updated translations.
+
+-------------------------------------------------------------------
+Fri Sep  5 15:16:30 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Update to version 2.86.0:
+  + Rework how platform-specific introspected GIO APIs have to be
+    imported to fix problems with backwards-compatibility provision
+    for it, by removing duplicate platform-specific symbols from
+    `Gio-2.0`.
+  + Fix file existence queries on Solaris, broken due to unexpected
+    flags handling within `faccessat()`
+  + Updated translations
+
+-------------------------------------------------------------------
+Wed Aug 27 06:50:24 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Update to version 2.85.4:
+  + Follow symlink (instead of overwriting it) when updating
+    `mimeapps.list`
+- Changes from version 2.85.3:
+  + Fix encoding of output from `g_print()` and `g_printerr()` when
+    locale is set to `.utf8` on Windows.
+- Changes from version 2.85.2:
+  + New Linux PSI based backend for `GMemoryMonitor` as an option
+    to use instead of the existing Low Memory Monitor daemon
+    backend.
+- Changes from version 2.85.1:
+  + Re-add the option of a singleton to `GIRepository`.
+  + Add support for the `e` flag (O_CLOEXEC) to `g_fopen()`
+  + Make the `sysprof` Meson option yield when using GLib as a
+    subproject
+  + Use the Meson built-in `localedir` option
+- Changes from version 2.85.0:
+  + Preserve mode for existing file when creating a temporary file
+    for atomic updates with g_file_set_contents()
+  + Fix race conditions between g_main_context_unref() and
+    g_source_*() methods
+  + Allow file handles inside nested containers when using the
+    `gdbus call` command
+  + Fix DNS resolution of local addresses in offline mode
+  + Various performance improvements to GObject locking
+  + Prefer matches occurring earlier in the string when searching
+    `GDesktopAppInfo`s, improving search for apps in gnome-shell
+  + Fix thread safety of `GClosure` flags
+  + Updated translations.
+
+-------------------------------------------------------------------
+Fri Aug  8 18:05:27 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.84.4:
+  + Bugs fixed:
+    - (CVE-2025-7039) (#YWH-PGM9867-104) Buffer Under-read on GLib
+      through glib/gfileutils.c via get_tmp_file()
+    - GFile leak in g_local_file_set_display_name during error
+      handling
+    - Incorrect output parameter handling in closure helper of
+      g_settings_bind_with_mapping_closures
+    - gfileutils: fix computation of temporary file name
+    - Fix GFile leak in  g_local_file_set_display_name()
+    - gthreadpool: Catch pool_spawner creation failure
+    - gio/filenamecompleter: Fix leaks
+    - gfilenamecompleter: Fix g_object_unref() of undefined value
+
 -------------------------------------------------------------------
 Fri Jun 13 15:09:25 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
 
@@ -8013,7 +8167,7 @@ Thu Apr 12 16:41:43 CDT 2007 - maw@suse.de
 - Pass --enable-static to configure (#263998).
 
 -------------------------------------------------------------------
-Wed Mar 21 12:38:24 CST 2007 - maw@suse.de
+Wed Mar 21 12:38:24 UTC 2007 - maw@suse.de
 
 - Update to version 2.12.11
 - Fixes for bugzilla.gnome.org 399611, 350802, 416062, 346808,

glib2.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package glib2
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -37,7 +37,7 @@
 %define libgthread libgthread-%{libver}
 %define libgirepository libgirepository-%{libver}
 Name:           glib2%{psuffix}
-Version:        2.84.3
+Version:        2.86.3
 Release:        0
 Summary:        General-Purpose Utility Library
 License:        LGPL-2.1-or-later
@@ -65,6 +65,8 @@ Patch1:         glib2-fate300461-gettext-gkeyfile-suse.patch
 Patch2:         glib2-suppress-schema-deprecated-path-warning.patch
 # PATCH-FIX-OPENSUSE glib2-gdbus-codegen-version.patch  olaf@aepfle.de -- Remove version string from files generated by gdbus-codegen
 Patch4:         glib2-gdbus-codegen-version.patch
+# PATCH-FIX-UPSTREAM glib2-CVE-2026-0988.patch bsc#1256049 mgorse@suse.com -- fix a potential integer overflow in g_buffered_input_stream_peek.
+Patch5:         glib2-CVE-2026-0988.patch
 BuildRequires:  docbook-xsl-stylesheets
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
@@ -231,8 +233,8 @@ Group:          System/Libraries
 # The tools are useful for people having libgio
 # bnc#555605: shared-mime-info is required by libgio to properly detect mime types, but not during build
 #!BuildIgnore:  shared-mime-info
-# bnc#678518: libgio interacts with others by means of dbus-launch
-Requires:       (%{_bindir}/dbus-launch if dbus-service)
+# bnc#1253497: dbus-launch only works with dbus-1-daemon, not dbus-broker
+Requires:       (%{_bindir}/dbus-launch if dbus-1-daemon)
 Requires:       %{name}-tools
 Requires:       gio-branding = %{version}
 Requires:       shared-mime-info