Message ID | 20250516114421.3941135-1-praveen.kumar@windriver.com
---|---
State | New
Series | [scarthgap,1/1] glib-2.0 : fix CVE-2025-4373
Small nitpick, but can you please use colon ':' with space after and without space before it? e.g. "connman :fix CVE-2025-32743" recently merged in scarthgap had the same issue. It's just a cosmetic issue, but other commits use it quite consistently, so it would be nice to follow that.

https://git.openembedded.org/openembedded-core/commit/?h=scarthgap&id=9558ec2091964556b47b0909c5d243aee5bafb6f
https://git.openembedded.org/openembedded-core/log/?h=scarthgap

Cheers,

On Fri, May 16, 2025 at 1:44 PM Praveen Kumar via lists.openembedded.org <praveen.kumar=windriver.com@lists.openembedded.org> wrote:
>
> A flaw was found in GLib, which is vulnerable to an integer overflow
> in the g_string_insert_unichar() function. When the position at which
> to insert the character is large, the position will overflow, leading
> to a buffer underwrite.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2025-4373
> https://security-tracker.debian.org/tracker/CVE-2025-4373
>
> Upstream-patches:
> https://gitlab.gnome.org/GNOME/glib/-/commit/cc647f9e46d55509a93498af19659baf9c80f2e3
> https://gitlab.gnome.org/GNOME/glib/-/commit/4d435bb4809793c445846db8fb87e3c9184c4703
>
> Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
> ---
>  .../glib-2.0/glib-2.0/CVE-2025-4373-01.patch | 120 ++++++++++++++++++
>  .../glib-2.0/glib-2.0/CVE-2025-4373-02.patch | 29 +++++
>  meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 2 +
>  3 files changed, 151 insertions(+)
>  create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch
>  create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch
>
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch
> new file mode 100644
> index 0000000000..f99c4de7e1
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch
> @@ -0,0 +1,120 @@ > +From cc647f9e46d55509a93498af19659baf9c80f2e3 Mon Sep 17 00:00:00 2001 > +From: Michael Catanzaro <mcatanzaro@redhat.com> > +Date: Thu, 10 Apr 2025 10:57:20 -0500 > +Subject: [PATCH 1/2] gstring: carefully handle gssize parameters > + > +Wherever we use gssize to allow passing -1, we need to ensure we don't > +overflow the value by assigning a gsize to it without checking if the > +size exceeds the maximum gssize. The safest way to do this is to just > +use normal gsize everywhere instead and use gssize only for the > +parameter. > + > +Our computers don't have enough RAM to write tests for this. I tried > +forcing string->len to high values for test purposes, but this isn't > +valid and will just cause out of bounds reads/writes due to > +string->allocated_len being unexpectedly small, so I don't think we can > +test this easily. > + > +CVE: CVE-2025-4373 > + > +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/cc647f9e46d55509a93498af19659baf9c80f2e3] > + > +Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> > +--- > + glib/gstring.c | 36 +++++++++++++++++++++++------------- > + 1 file changed, 23 insertions(+), 13 deletions(-) > + > +diff --git a/glib/gstring.c b/glib/gstring.c > +index 9f04144..d016b65 100644 > +--- a/glib/gstring.c > ++++ b/glib/gstring.c > +@@ -490,8 +490,9 @@ g_string_insert_len (GString *string, > + return string; > + > + if (len < 0) > +- len = strlen (val); > +- len_unsigned = len; > ++ len_unsigned = strlen (val); > ++ else > ++ len_unsigned = len; > + > + if (pos < 0) > + pos_unsigned = string->len; > +@@ -788,10 +789,12 @@ g_string_insert_c (GString *string, > + g_string_maybe_expand (string, 1); > + > + if (pos < 0) > +- pos = string->len; > ++ pos_unsigned = string->len; > + else > +- g_return_val_if_fail ((gsize) pos <= string->len, string); > +- pos_unsigned = pos; > ++ { > ++ pos_unsigned = pos; > ++ g_return_val_if_fail (pos_unsigned <= string->len, string); > ++ } > + > + /* 
If not just an append, move the old stuff */ > + if (pos_unsigned < string->len) > +@@ -824,6 +827,7 @@ g_string_insert_unichar (GString *string, > + gssize pos, > + gunichar wc) > + { > ++ gsize pos_unsigned; > + gint charlen, first, i; > + gchar *dest; > + > +@@ -865,15 +869,18 @@ g_string_insert_unichar (GString *string, > + g_string_maybe_expand (string, charlen); > + > + if (pos < 0) > +- pos = string->len; > ++ pos_unsigned = string->len; > + else > +- g_return_val_if_fail ((gsize) pos <= string->len, string); > ++ { > ++ pos_unsigned = pos; > ++ g_return_val_if_fail (pos_unsigned <= string->len, string); > ++ } > + > + /* If not just an append, move the old stuff */ > +- if ((gsize) pos < string->len) > +- memmove (string->str + pos + charlen, string->str + pos, string->len - pos); > ++ if (pos_unsigned < string->len) > ++ memmove (string->str + pos_unsigned + charlen, string->str + pos_unsigned, string->len - pos_unsigned); > + > +- dest = string->str + pos; > ++ dest = string->str + pos_unsigned; > + /* Code copied from g_unichar_to_utf() */ > + for (i = charlen - 1; i > 0; --i) > + { > +@@ -931,6 +938,7 @@ g_string_overwrite_len (GString *string, > + const gchar *val, > + gssize len) > + { > ++ gssize len_unsigned; > + gsize end; > + > + g_return_val_if_fail (string != NULL, NULL); > +@@ -942,14 +950,16 @@ g_string_overwrite_len (GString *string, > + g_return_val_if_fail (pos <= string->len, string); > + > + if (len < 0) > +- len = strlen (val); > ++ len_unsigned = strlen (val); > ++ else > ++ len_unsigned = len; > + > +- end = pos + len; > ++ end = pos + len_unsigned; > + > + if (end > string->len) > + g_string_maybe_expand (string, end - string->len); > + > +- memcpy (string->str + pos, val, len); > ++ memcpy (string->str + pos, val, len_unsigned); > + > + if (end > string->len) > + { > +-- > +2.40.0 
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch > new file mode 100644 > index 0000000000..ea586c90dc > --- /dev/null > +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch > @@ -0,0 +1,29 @@ > +From 4d435bb4809793c445846db8fb87e3c9184c4703 Mon Sep 17 00:00:00 2001 > +From: Peter Bloomfield <peterbloomfield@bellsouth.net> > +Date: Fri, 11 Apr 2025 05:52:33 +0000 > +Subject: [PATCH 2/2] gstring: Make len_unsigned unsigned > + > +CVE: CVE-2025-4373 > + > +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/4d435bb4809793c445846db8fb87e3c9184c4703] > + > +Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> > +--- > + glib/gstring.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/glib/gstring.c b/glib/gstring.c > +index d016b65..d9ad0c3 100644 > +--- a/glib/gstring.c > ++++ b/glib/gstring.c > +@@ -938,7 +938,7 @@ g_string_overwrite_len (GString *string, > + const gchar *val, > + gssize len) > + { > +- gssize len_unsigned; > ++ gsize len_unsigned; > + gsize end; > + > + g_return_val_if_fail (string != NULL, NULL); > +-- > +2.40.0 > diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb > index 1a65f48399..e1a3b57270 100644 > --- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb > +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb 
> @@ -27,6 +27,8 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ > file://CVE-2025-3360-04.patch \ > file://CVE-2025-3360-05.patch \ > file://CVE-2025-3360-06.patch \ > + file://CVE-2025-4373-01.patch \ > + file://CVE-2025-4373-02.patch \ > " > SRC_URI:append:class-native = " file://relocate-modules.patch \ > file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ > -- > 2.40.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#216748): https://lists.openembedded.org/g/openembedded-core/message/216748 > Mute This Topic: https://lists.openembedded.org/mt/113143455/3617156 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [martin.jansa@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch new file mode 100644 index 0000000000..f99c4de7e1 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch 
@@ -0,0 +1,120 @@ +From cc647f9e46d55509a93498af19659baf9c80f2e3 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro <mcatanzaro@redhat.com> +Date: Thu, 10 Apr 2025 10:57:20 -0500 +Subject: [PATCH 1/2] gstring: carefully handle gssize parameters + +Wherever we use gssize to allow passing -1, we need to ensure we don't +overflow the value by assigning a gsize to it without checking if the +size exceeds the maximum gssize. The safest way to do this is to just +use normal gsize everywhere instead and use gssize only for the +parameter. + +Our computers don't have enough RAM to write tests for this. I tried +forcing string->len to high values for test purposes, but this isn't +valid and will just cause out of bounds reads/writes due to +string->allocated_len being unexpectedly small, so I don't think we can +test this easily. + +CVE: CVE-2025-4373 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/cc647f9e46d55509a93498af19659baf9c80f2e3] + +Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> +--- + glib/gstring.c | 36 +++++++++++++++++++++++------------- + 1 file changed, 23 insertions(+), 13 deletions(-) + +diff --git a/glib/gstring.c b/glib/gstring.c +index 9f04144..d016b65 100644 +--- a/glib/gstring.c ++++ b/glib/gstring.c +@@ -490,8 +490,9 @@ g_string_insert_len (GString *string, + return string; + + if (len < 0) +- len = strlen (val); +- len_unsigned = len; ++ len_unsigned = strlen (val); ++ else ++ len_unsigned = len; + + if (pos < 0) + pos_unsigned = string->len; +@@ -788,10 +789,12 @@ g_string_insert_c (GString *string, + g_string_maybe_expand (string, 1); + + if (pos < 0) +- pos = string->len; ++ pos_unsigned = string->len; + else +- g_return_val_if_fail ((gsize) pos <= string->len, string); +- pos_unsigned = pos; ++ { ++ pos_unsigned = pos; ++ g_return_val_if_fail (pos_unsigned <= string->len, string); ++ } + + /* If not just an append, move the old stuff */ + if (pos_unsigned < string->len) +@@ -824,6 +827,7 @@ 
g_string_insert_unichar (GString *string, + gssize pos, + gunichar wc) + { ++ gsize pos_unsigned; + gint charlen, first, i; + gchar *dest; + +@@ -865,15 +869,18 @@ g_string_insert_unichar (GString *string, + g_string_maybe_expand (string, charlen); + + if (pos < 0) +- pos = string->len; ++ pos_unsigned = string->len; + else +- g_return_val_if_fail ((gsize) pos <= string->len, string); ++ { ++ pos_unsigned = pos; ++ g_return_val_if_fail (pos_unsigned <= string->len, string); ++ } + + /* If not just an append, move the old stuff */ +- if ((gsize) pos < string->len) +- memmove (string->str + pos + charlen, string->str + pos, string->len - pos); ++ if (pos_unsigned < string->len) ++ memmove (string->str + pos_unsigned + charlen, string->str + pos_unsigned, string->len - pos_unsigned); + +- dest = string->str + pos; ++ dest = string->str + pos_unsigned; + /* Code copied from g_unichar_to_utf() */ + for (i = charlen - 1; i > 0; --i) + { +@@ -931,6 +938,7 @@ g_string_overwrite_len (GString *string, + const gchar *val, + gssize len) + { ++ gssize len_unsigned; + gsize end; + + g_return_val_if_fail (string != NULL, NULL); +@@ -942,14 +950,16 @@ g_string_overwrite_len (GString *string, + g_return_val_if_fail (pos <= string->len, string); + + if (len < 0) +- len = strlen (val); ++ len_unsigned = strlen (val); ++ else ++ len_unsigned = len; + +- end = pos + len; ++ end = pos + len_unsigned; + + if (end > string->len) + g_string_maybe_expand (string, end - string->len); + +- memcpy (string->str + pos, val, len); ++ memcpy (string->str + pos, val, len_unsigned); + + if (end > string->len) + { +-- +2.40.0 diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch new file mode 100644 index 0000000000..ea586c90dc --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch 
@@ -0,0 +1,29 @@ +From 4d435bb4809793c445846db8fb87e3c9184c4703 Mon Sep 17 00:00:00 2001 +From: Peter Bloomfield <peterbloomfield@bellsouth.net> +Date: Fri, 11 Apr 2025 05:52:33 +0000 +Subject: [PATCH 2/2] gstring: Make len_unsigned unsigned + +CVE: CVE-2025-4373 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/4d435bb4809793c445846db8fb87e3c9184c4703] + +Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> +--- + glib/gstring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/glib/gstring.c b/glib/gstring.c +index d016b65..d9ad0c3 100644 +--- a/glib/gstring.c ++++ b/glib/gstring.c +@@ -938,7 +938,7 @@ g_string_overwrite_len (GString *string, + const gchar *val, + gssize len) + { +- gssize len_unsigned; ++ gsize len_unsigned; + gsize end; + + g_return_val_if_fail (string != NULL, NULL); +-- +2.40.0 diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb index 1a65f48399..e1a3b57270 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb @@ -27,6 +27,8 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://CVE-2025-3360-04.patch \ file://CVE-2025-3360-05.patch \ file://CVE-2025-3360-06.patch \ + file://CVE-2025-4373-01.patch \ + file://CVE-2025-4373-02.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \
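Review bot: the commit message names only g_string_insert_unichar(), but the g_string_insert_c and g_string_insert_len hunks in CVE-2025-4373-01.patch receive the same pos/len handling change; listing every function touched would make this CVE backport easier to audit against the upstream commit. In the g_string_insert_unichar hunk itself the fix is complete as shown: the new `++ gsize pos_unsigned;` local takes `string->len` in the append case instead of writing it back into the signed `pos`, and `++ g_return_val_if_fail (pos_unsigned <= string->len, string);` now checks the same unsigned value that the later `memmove` and `++ dest = string->str + pos_unsigned;` arithmetic uses.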
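Review bot: in the g_string_overwrite_len hunk of CVE-2025-4373-01.patch the new local is declared `++ gssize len_unsigned;`, so `++ len_unsigned = strlen (val);` still stores a gsize into a signed variable and `++ end = pos + len_unsigned;` mixes signed and unsigned operands. CVE-2025-4373-02.patch corrects the declaration to `++ gsize len_unsigned;`, which means the first patch on its own does not fully close the issue; a sentence in the commit message saying that the second backport is a required follow-up to the first would save the next reader from wondering why two patches are needed for one CVE.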
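Review bot: the SRC_URI hunk lists `+ file://CVE-2025-4373-01.patch \` before `+ file://CVE-2025-4373-02.patch \`, and that order is load-bearing because patch 02 edits the `len_unsigned` declaration that patch 01 introduces; anyone reordering these entries later will get an apply failure on the second file. Both patch files carry a `CVE: CVE-2025-4373` line and an `Upstream-Status: Backport [...]` line pointing at the upstream commits, so cve-check will attribute the fix without further recipe changes.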
A flaw was found in GLib, which is vulnerable to an integer overflow
in the g_string_insert_unichar() function. When the position at which
to insert the character is large, the position will overflow, leading
to a buffer underwrite.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-4373
https://security-tracker.debian.org/tracker/CVE-2025-4373

Upstream-patches:
https://gitlab.gnome.org/GNOME/glib/-/commit/cc647f9e46d55509a93498af19659baf9c80f2e3
https://gitlab.gnome.org/GNOME/glib/-/commit/4d435bb4809793c445846db8fb87e3c9184c4703

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
 .../glib-2.0/glib-2.0/CVE-2025-4373-01.patch | 120 ++++++++++++++++++
 .../glib-2.0/glib-2.0/CVE-2025-4373-02.patch | 29 +++++
 meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 2 +
 3 files changed, 151 insertions(+)
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch
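The commit message describes the flaw as a position that overflows when it is large. The program below is an added illustration, not code from GLib or from this patch: it puts the pre-patch and patched position handling side by side on a minimal stand-in for GString. The `gsize`/`gssize` typedefs, the `MiniString` type and the `resolve_pos_old`, `resolve_pos_new` and `mini_insert_c` helpers are all constructed for this example. `resolve_pos_old()` shows, on the arithmetic alone and without allocating a huge string, how storing a gsize length back into the gssize parameter wraps negative once the length exceeds the signed range; `resolve_pos_new()` and `mini_insert_c()` follow the patched control flow, where the position lives in a gsize and is range-checked there before any pointer arithmetic happens.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-ins for GLib's gsize/gssize; these are not GLib headers. */
typedef size_t  gsize;
typedef ssize_t gssize;

/* Pre-patch pattern: the "-1 means append" case stores the length back into
 * the signed parameter.  Once len exceeds the largest gssize the stored value
 * is negative (modular wrap on GCC/Clang), and every later use of pos as an
 * offset then points before the buffer.  Returned so the wrap can be observed. */
static gssize resolve_pos_old(gssize pos, gsize len)
{
    if (pos < 0)
        pos = len;            /* gsize -> gssize narrowing, as in the old code */
    return pos;
}

/* Patched pattern: the position is kept in a gsize and validated there,
 * mirroring the pos_unsigned handling in the gstring.c hunks.  Returns false
 * where g_return_val_if_fail() would bail out. */
static bool resolve_pos_new(gssize pos, gsize len, gsize *pos_unsigned)
{
    if (pos < 0) {
        *pos_unsigned = len;          /* append */
    } else {
        *pos_unsigned = (gsize) pos;  /* non-negative, so the conversion is exact */
        if (*pos_unsigned > len)
            return false;             /* out of range: refuse before touching memory */
    }
    return true;
}

/* Minimal GString-like buffer, constructed for this example. */
typedef struct {
    char *str;
    gsize len;            /* bytes in use, excluding the terminating NUL */
    gsize allocated_len;  /* capacity, including room for the NUL */
} MiniString;

/* Insert one byte at pos (append for pos < 0), following the control flow of
 * the patched g_string_insert_c().  The example uses a fixed buffer and simply
 * refuses inserts that would not fit instead of growing. */
static bool mini_insert_c(MiniString *s, gssize pos, char c)
{
    gsize pos_unsigned;

    if (!resolve_pos_new(pos, s->len, &pos_unsigned))
        return false;
    if (s->len + 1 >= s->allocated_len)
        return false;

    /* If not just an append, move the old stuff (same shape as gstring.c). */
    if (pos_unsigned < s->len)
        memmove(s->str + pos_unsigned + 1, s->str + pos_unsigned,
                s->len - pos_unsigned);
    s->str[pos_unsigned] = c;
    s->len++;
    s->str[s->len] = '\0';
    return true;
}

int main(void)
{
    char buf[16] = "hello";                 /* constructed sample string */
    MiniString s = { buf, 5, sizeof buf };
    gsize p = 0;
    bool ok;

    /* The narrowing the patch removes, shown on the arithmetic alone. */
    printf("old: append position for a SIZE_MAX-length string = %zd\n",
           resolve_pos_old(-1, SIZE_MAX));
    ok = resolve_pos_new(-1, SIZE_MAX, &p);
    printf("new: valid=%d pos_unsigned=%zu\n", ok, p);

    mini_insert_c(&s, 0, 'X');               /* "Xhello"  */
    mini_insert_c(&s, -1, 'Y');              /* "XhelloY" */
    ok = mini_insert_c(&s, 10, 'Z');         /* 10 > len, refused */
    printf("insert at 10 accepted? %d  str=\"%s\"\n", ok, s.str);
    return 0;
}
```

The old helper is kept only to make the wrap visible: with a length of SIZE_MAX the append position comes back as -1, which is exactly the value the patched code refuses to feed into `memmove` or pointer arithmetic.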