new file mode 100644
@@ -0,0 +1,83 @@
+From 4dd540505d40babe488404f3174ec39f49a84485 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Mon, 4 Aug 2025 15:10:21 -0500
+Subject: [PATCH] openssl: properly check return value when writing to BIO
+ objects
+
+In particular, we will read out of bounds, and then write the invalid
+memory, if BIO_write() fails when getting the PROP_CERTIFICATE_PEM
+property. Here we attempt to check the return value, but the check is
+not correct.
+
+This also fixes a leak of the BIO in the same place.
+
+Also add error checking to PROP_SUBJECT_NAME and PROP_ISSUER_NAME, for
+good measure.
+
+Fixes #226
+
+CVE: CVE-2025-60018
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib-networking/-/commit/4dd540505d40babe488404f3174ec39f49a84485]
+
+Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com>
+---
+ tls/openssl/gtlscertificate-openssl.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/tls/openssl/gtlscertificate-openssl.c b/tls/openssl/gtlscertificate-openssl.c
+index 648f3e8..b536559 100644
+--- a/tls/openssl/gtlscertificate-openssl.c
++++ b/tls/openssl/gtlscertificate-openssl.c
+@@ -362,15 +362,12 @@ g_tls_certificate_openssl_get_property (GObject *object,
+ case PROP_CERTIFICATE_PEM:
+ bio = BIO_new (BIO_s_mem ());
+
+- if (!PEM_write_bio_X509 (bio, openssl->cert) || !BIO_write (bio, "\0", 1))
+- certificate_pem = NULL;
+- else
++ if (PEM_write_bio_X509 (bio, openssl->cert) == 1 && BIO_write (bio, "\0", 1) == 1)
+ {
+ BIO_get_mem_data (bio, &certificate_pem);
+ g_value_set_string (value, certificate_pem);
+-
+- BIO_free_all (bio);
+ }
++ BIO_free_all (bio);
+ break;
+
+ case PROP_PRIVATE_KEY:
+@@ -411,8 +408,12 @@ g_tls_certificate_openssl_get_property (GObject *object,
+ case PROP_SUBJECT_NAME:
+ bio = BIO_new (BIO_s_mem ());
+ name = X509_get_subject_name (openssl->cert);
+- X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS);
+- BIO_write (bio, "\0", 1);
++ if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
++ BIO_write (bio, "\0", 1) != 1)
++ {
++ BIO_free_all (bio);
++ break;
++ }
+ BIO_get_mem_data (bio, (char **)&name_string);
+ g_value_set_string (value, name_string);
+ BIO_free_all (bio);
+@@ -421,9 +422,13 @@ g_tls_certificate_openssl_get_property (GObject *object,
+ case PROP_ISSUER_NAME:
+ bio = BIO_new (BIO_s_mem ());
+ name = X509_get_issuer_name (openssl->cert);
+- X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS);
+- BIO_write (bio, "\0", 1);
+- BIO_get_mem_data (bio, &name_string);
++ if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
++ BIO_write (bio, "\0", 1) != 1)
++ {
++ BIO_free_all (bio);
++ break;
++ }
++ BIO_get_mem_data (bio, (char **)&name_string);
+ g_value_set_string (value, name_string);
+ BIO_free_all (bio);
+ break;
+--
+2.48.1
@@ -24,6 +24,7 @@ GNOMEBASEBUILDCLASS = "meson"
inherit gnomebase gettext upstream-version-is-even gio-module-cache ptest-gnome
SRC_URI += "file://run-ptest"
+SRC_URI += "file://CVE-2025-60018.patch"
FILES:${PN} += "\
${libdir}/gio/modules/libgio*.so \
glib-networking's OpenSSL backend fails to properly check the return value of a call to BIO_write(), resulting in an out of bounds read. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-60018 Upstream-patch: https://gitlab.gnome.org/GNOME/glib-networking/-/commit/4dd540505d40babe488404f3174ec39f49a84485 Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com> --- .../glib-networking/CVE-2025-60018.patch | 83 +++++++++++++++++++ .../glib-networking/glib-networking_2.72.2.bb | 1 + 2 files changed, 84 insertions(+) create mode 100644 meta/recipes-core/glib-networking/glib-networking/CVE-2025-60018.patch