new file mode 100644
@@ -0,0 +1,97 @@
+From 6aa97beda32bb337370858862f4efe2f3372619f Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Mon, 7 Jul 2025 20:52:24 +0200
+Subject: [PATCH] gstring: Fix g_string_sized_new segmentation fault
+
+If glib is compiled with -Dglib_assert=false, i.e. no asserts
+enabled, then g_string_sized_new(G_MAXSIZE) leads to a segmentation
+fault due to an out of boundary write.
+
+This happens because the overflow check was moved into
+g_string_maybe_expand which is not called by g_string_sized_new.
+
+By assuming that string->allocated_len is always larger than
+string->len (and the code would be in huge trouble if that is not true),
+the G_UNLIKELY check in g_string_maybe_expand can be rephrased to
+avoid a potential G_MAXSIZE overflow.
+
+This in turn leads to 150-200 bytes smaller compiled library
+depending on gcc and clang versions, and one less check for the most
+common code paths.
+
+Reverts https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4655 and
+reorders internal g_string_maybe_expand check to still fix
+CVE-2025-6052.
+
+CVE: CVE-2025-6052
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/6aa97beda32bb337370858862f4efe2f3372619f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gstring.c | 10 +++++-----
+ glib/tests/string.c | 18 ++++++++++++++++++
+ 2 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/glib/gstring.c b/glib/gstring.c
+index 010a8e976..24c4bfb40 100644
+--- a/glib/gstring.c
++++ b/glib/gstring.c
+@@ -68,6 +68,10 @@ static void
+ g_string_expand (GString *string,
+ gsize len)
+ {
++ /* Detect potential overflow */
++ if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
++ g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
++
+ string->allocated_len = g_nearest_pow (string->len + len + 1);
+ /* If the new size is bigger than G_MAXSIZE / 2, only allocate enough
+ * memory for this string and don't over-allocate.
+@@ -82,11 +86,7 @@ static inline void
+ g_string_maybe_expand (GString *string,
+ gsize len)
+ {
+- /* Detect potential overflow */
+- if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
+- g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
+-
+- if (G_UNLIKELY (string->len + len >= string->allocated_len))
++ if (G_UNLIKELY (len >= string->allocated_len - string->len))
+ g_string_expand (string, len);
+ }
+
+diff --git a/glib/tests/string.c b/glib/tests/string.c
+index aa363c57a..e3bc4a02e 100644
+--- a/glib/tests/string.c
++++ b/glib/tests/string.c
+@@ -767,6 +767,23 @@ test_string_new_take_null (void)
+ g_string_free (g_steal_pointer (&string), TRUE);
+ }
+
++static void
++test_string_sized_new (void)
++{
++
++ if (g_test_subprocess ())
++ {
++ GString *string = g_string_sized_new (G_MAXSIZE);
++ g_string_free (string, TRUE);
++ }
++ else
++ {
++ g_test_trap_subprocess (NULL, 0, G_TEST_SUBPROCESS_DEFAULT);
++ g_test_trap_assert_failed ();
++ g_test_trap_assert_stderr ("*string would overflow*");
++ }
++}
++
+ int
+ main (int argc,
+ char *argv[])
+@@ -796,6 +813,7 @@ main (int argc,
+ g_test_add_func ("/string/test-string-steal", test_string_steal);
+ g_test_add_func ("/string/test-string-new-take", test_string_new_take);
+ g_test_add_func ("/string/test-string-new-take/null", test_string_new_take_null);
++ g_test_add_func ("/string/sized-new", test_string_sized_new);
+
+ return g_test_run();
+ }
new file mode 100644
@@ -0,0 +1,35 @@
+From 3752760c5091eaed561ec11636b069e529533514 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Mon, 7 Jul 2025 20:57:41 +0200
+Subject: [PATCH] gstring: Improve g_string_append_len_inline checks
+
+Use the same style for the G_LIKELY check here as in g_string_sized_new.
+The check could overflow on 32 bit systems.
+
+Also improve the memcpy/memmove check to use memcpy if val itself is
+adjacent to end + len_unsigned, which means that no overlapping exists.
+
+CVE: CVE-2025-6052
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/3752760c5091eaed561ec11636b069e529533514]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gstring.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/glib/gstring.h b/glib/gstring.h
+index e817176c9..c5e64b33a 100644
+--- a/glib/gstring.h
++++ b/glib/gstring.h
+@@ -232,10 +232,10 @@ g_string_append_len_inline (GString *gstring,
+ else
+ len_unsigned = (gsize) len;
+
+- if (G_LIKELY (gstring->len + len_unsigned < gstring->allocated_len))
++ if (G_LIKELY (len_unsigned < gstring->allocated_len - gstring->len))
+ {
+ char *end = gstring->str + gstring->len;
+- if (G_LIKELY (val + len_unsigned <= end || val > end + len_unsigned))
++ if (G_LIKELY (val + len_unsigned <= end || val >= end + len_unsigned))
+ memcpy (end, val, len_unsigned);
+ else
+ memmove (end, val, len_unsigned);
@@ -231,8 +231,10 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \
file://0010-Do-not-hardcode-python-path-into-various-tools.patch \
file://skip-timeout.patch \
+ file://CVE-2025-6052-1.patch \
+ file://CVE-2025-6052-2.patch \
"
-SRC_URI:append:class-native = " file://relocate-modules.patch \
+SRC_URI:append:class-native = " file://relocate-modules.patch \
file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \
"