new file mode 100644
@@ -0,0 +1,69 @@
+From 31f82e22e21bae520b7228f7f57d357fb20df8a4 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 25 Nov 2025 19:02:56 +0000
+Subject: [PATCH] gvariant-parser: Fix potential integer overflow parsing
+ (byte)strings
+
+The termination condition for parsing string and bytestring literals in
+GVariant text format input was subject to an integer overflow for input
+string (or bytestring) literals longer than `INT_MAX`.
+
+Fix that by counting as a `size_t` rather than as an `int`. The counter
+can never correctly be negative.
+
+Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
+from the Sovereign Tech Agency. ID: #YWH-PGM9867-145
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+Fixes: #3834
+
+CVE: CVE-2025-14087
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/31f82e22e21bae520b7228f7f57d357fb20df8a4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gvariant-parser.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
+index 2f1d3db9f..2d6e9856f 100644
+--- a/glib/gvariant-parser.c
++++ b/glib/gvariant-parser.c
+@@ -594,7 +594,7 @@ ast_resolve (AST *ast,
+ {
+ GVariant *value;
+ gchar *pattern;
+- gint i, j = 0;
++ size_t i, j = 0;
+
+ pattern = ast_get_pattern (ast, error);
+
+@@ -1555,9 +1555,9 @@ string_free (AST *ast)
+ * No leading/trailing space allowed. */
+ static gboolean
+ unicode_unescape (const gchar *src,
+- gint *src_ofs,
++ size_t *src_ofs,
+ gchar *dest,
+- gint *dest_ofs,
++ size_t *dest_ofs,
+ gsize length,
+ SourceRef *ref,
+ GError **error)
+@@ -1618,7 +1618,7 @@ string_parse (TokenStream *stream,
+ gsize length;
+ gchar quote;
+ gchar *str;
+- gint i, j;
++ size_t i, j;
+
+ token_stream_start_ref (stream, &ref);
+ token = token_stream_get (stream);
+@@ -1748,7 +1748,7 @@ bytestring_parse (TokenStream *stream,
+ gsize length;
+ gchar quote;
+ gchar *str;
+- gint i, j;
++ size_t i, j;
+
+ token_stream_start_ref (stream, &ref);
+ token = token_stream_get (stream);
new file mode 100644
@@ -0,0 +1,240 @@
+From ac9de0871281cf734f6e269988f90a2521582a08 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 25 Nov 2025 19:19:16 +0000
+Subject: [PATCH] gvariant-parser: Use size_t to count numbers of child
+ elements
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Rather than using `gint`, which could overflow for arrays (or dicts, or
+tuples) longer than `INT_MAX`. There may be other limits which prevent
+parsed containers becoming that long, but we might as well make the type
+system reflect the programmer’s intention as best it can anyway.
+
+For arrays and tuples this is straightforward. For dictionaries, it’s
+slightly complicated by the fact that the code used
+`dict->n_children == -1` to indicate that the `Dictionary` struct in
+question actually represented a single freestanding dict entry. In
+GVariant text format, that would be `{1, "one"}`.
+
+The implementation previously didn’t define the semantics of
+`dict->n_children < -1`.
+
+Now, instead, change `Dictionary.n_children` to `size_t`, and define a
+magic value `DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY` to indicate that
+the `Dictionary` represents a single freestanding dict entry.
+
+This magic value is `SIZE_MAX`, and given that a dictionary entry takes
+more than one byte to represent in GVariant text format, that means it’s
+not possible to have that many entries in a parsed dictionary, so this
+magic value won’t be hit by a normal dictionary. An assertion checks
+this anyway.
+
+Spotted while working on #3834.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-14087
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/ac9de0871281cf734f6e269988f90a2521582a08]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gvariant-parser.c | 58 ++++++++++++++++++++++++------------------
+ 1 file changed, 33 insertions(+), 25 deletions(-)
+
+diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
+index 2d6e9856f..519baa3f3 100644
+--- a/glib/gvariant-parser.c
++++ b/glib/gvariant-parser.c
+@@ -647,9 +647,9 @@ static AST *parse (TokenStream *stream,
+ GError **error);
+
+ static void
+-ast_array_append (AST ***array,
+- gint *n_items,
+- AST *ast)
++ast_array_append (AST ***array,
++ size_t *n_items,
++ AST *ast)
+ {
+ if ((*n_items & (*n_items - 1)) == 0)
+ *array = g_renew (AST *, *array, *n_items ? 2 ** n_items : 1);
+@@ -658,10 +658,10 @@ ast_array_append (AST ***array,
+ }
+
+ static void
+-ast_array_free (AST **array,
+- gint n_items)
++ast_array_free (AST **array,
++ size_t n_items)
+ {
+- gint i;
++ size_t i;
+
+ for (i = 0; i < n_items; i++)
+ ast_free (array[i]);
+@@ -670,11 +670,11 @@ ast_array_free (AST **array,
+
+ static gchar *
+ ast_array_get_pattern (AST **array,
+- gint n_items,
++ size_t n_items,
+ GError **error)
+ {
+ gchar *pattern;
+- gint i;
++ size_t i;
+
+ /* Find the pattern which applies to all children in the array, by l-folding a
+ * coalesce operation.
+@@ -706,7 +706,7 @@ ast_array_get_pattern (AST **array,
+ * pair of values.
+ */
+ {
+- int j = 0;
++ size_t j = 0;
+
+ while (TRUE)
+ {
+@@ -891,7 +891,7 @@ typedef struct
+ AST ast;
+
+ AST **children;
+- gint n_children;
++ size_t n_children;
+ } Array;
+
+ static gchar *
+@@ -924,7 +924,7 @@ array_get_value (AST *ast,
+ Array *array = (Array *) ast;
+ const GVariantType *childtype;
+ GVariantBuilder builder;
+- gint i;
++ size_t i;
+
+ if (!g_variant_type_is_array (type))
+ return ast_type_error (ast, type, error);
+@@ -1010,7 +1010,7 @@ typedef struct
+ AST ast;
+
+ AST **children;
+- gint n_children;
++ size_t n_children;
+ } Tuple;
+
+ static gchar *
+@@ -1020,7 +1020,7 @@ tuple_get_pattern (AST *ast,
+ Tuple *tuple = (Tuple *) ast;
+ gchar *result = NULL;
+ gchar **parts;
+- gint i;
++ size_t i;
+
+ parts = g_new (gchar *, tuple->n_children + 4);
+ parts[tuple->n_children + 1] = (gchar *) ")";
+@@ -1050,7 +1050,7 @@ tuple_get_value (AST *ast,
+ Tuple *tuple = (Tuple *) ast;
+ const GVariantType *childtype;
+ GVariantBuilder builder;
+- gint i;
++ size_t i;
+
+ if (!g_variant_type_is_tuple (type))
+ return ast_type_error (ast, type, error);
+@@ -1242,9 +1242,16 @@ typedef struct
+
+ AST **keys;
+ AST **values;
+- gint n_children;
++
++ /* Iff this is DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY then this struct
++ * represents a single freestanding dict entry (`{1, "one"}`) rather than a
++ * full dict. In the freestanding case, @keys and @values have exactly one
++ * member each. */
++ size_t n_children;
+ } Dictionary;
+
++#define DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY ((size_t) -1)
++
+ static gchar *
+ dictionary_get_pattern (AST *ast,
+ GError **error)
+@@ -1259,7 +1266,7 @@ dictionary_get_pattern (AST *ast,
+ return g_strdup ("Ma{**}");
+
+ key_pattern = ast_array_get_pattern (dict->keys,
+- abs (dict->n_children),
++ (dict->n_children == DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY) ? 1 : dict->n_children,
+ error);
+
+ if (key_pattern == NULL)
+@@ -1290,7 +1297,7 @@ dictionary_get_pattern (AST *ast,
+ return NULL;
+
+ result = g_strdup_printf ("M%s{%c%s}",
+- dict->n_children > 0 ? "a" : "",
++ (dict->n_children > 0 && dict->n_children != DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY) ? "a" : "",
+ key_char, value_pattern);
+ g_free (value_pattern);
+
+@@ -1304,7 +1311,7 @@ dictionary_get_value (AST *ast,
+ {
+ Dictionary *dict = (Dictionary *) ast;
+
+- if (dict->n_children == -1)
++ if (dict->n_children == DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY)
+ {
+ const GVariantType *subtype;
+ GVariantBuilder builder;
+@@ -1337,7 +1344,7 @@ dictionary_get_value (AST *ast,
+ {
+ const GVariantType *entry, *key, *val;
+ GVariantBuilder builder;
+- gint i;
++ size_t i;
+
+ if (!g_variant_type_is_subtype_of (type, G_VARIANT_TYPE_DICTIONARY))
+ return ast_type_error (ast, type, error);
+@@ -1378,12 +1385,12 @@ static void
+ dictionary_free (AST *ast)
+ {
+ Dictionary *dict = (Dictionary *) ast;
+- gint n_children;
++ size_t n_children;
+
+- if (dict->n_children > -1)
+- n_children = dict->n_children;
+- else
++ if (dict->n_children == DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY)
+ n_children = 1;
++ else
++ n_children = dict->n_children;
+
+ ast_array_free (dict->keys, n_children);
+ ast_array_free (dict->values, n_children);
+@@ -1401,7 +1408,7 @@ dictionary_parse (TokenStream *stream,
+ maybe_wrapper, dictionary_get_value,
+ dictionary_free
+ };
+- gint n_keys, n_values;
++ size_t n_keys, n_values;
+ gboolean only_one;
+ Dictionary *dict;
+ AST *first;
+@@ -1444,7 +1451,7 @@ dictionary_parse (TokenStream *stream,
+ goto error;
+
+ g_assert (n_keys == 1 && n_values == 1);
+- dict->n_children = -1;
++ dict->n_children = DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY;
+
+ return (AST *) dict;
+ }
+@@ -1477,6 +1484,7 @@ dictionary_parse (TokenStream *stream,
+ }
+
+ g_assert (n_keys == n_values);
++ g_assert (n_keys != DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY);
+ dict->n_children = n_keys;
+
+ return (AST *) dict;
new file mode 100644
@@ -0,0 +1,150 @@
+From acaabfedff42e974334dd5368e6103d2845aaba6 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 25 Nov 2025 19:25:58 +0000
+Subject: [PATCH] gvariant-parser: Convert error handling code to use size_t
+
+The error handling code allows for printing out the range of input bytes
+related to a parsing error. This was previously done using `gint`, but
+the input could be longer than `INT_MAX`, so it should really be done
+using `size_t`.
+
+Spotted while working on #3834.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-14087
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/acaabfedff42e974334dd5368e6103d2845aaba6]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gvariant-parser.c | 36 +++++++++++++++++++++++-------------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
+index 519baa3f3..1b1ddd654 100644
+--- a/glib/gvariant-parser.c
++++ b/glib/gvariant-parser.c
+@@ -88,7 +88,9 @@ g_variant_parser_get_error_quark (void)
+
+ typedef struct
+ {
+- gint start, end;
++ /* Offsets from the start of the input, in bytes. Can be equal when referring
++ * to a point rather than a range. The invariant `end >= start` always holds. */
++ size_t start, end;
+ } SourceRef;
+
+ G_GNUC_PRINTF(5, 0)
+@@ -103,14 +105,16 @@ parser_set_error_va (GError **error,
+ GString *msg = g_string_new (NULL);
+
+ if (location->start == location->end)
+- g_string_append_printf (msg, "%d", location->start);
++ g_string_append_printf (msg, "%" G_GSIZE_FORMAT, location->start);
+ else
+- g_string_append_printf (msg, "%d-%d", location->start, location->end);
++ g_string_append_printf (msg, "%" G_GSIZE_FORMAT "-%" G_GSIZE_FORMAT,
++ location->start, location->end);
+
+ if (other != NULL)
+ {
+ g_assert (other->start != other->end);
+- g_string_append_printf (msg, ",%d-%d", other->start, other->end);
++ g_string_append_printf (msg, ",%" G_GSIZE_FORMAT "-%" G_GSIZE_FORMAT,
++ other->start, other->end);
+ }
+ g_string_append_c (msg, ':');
+
+@@ -137,11 +141,15 @@ parser_set_error (GError **error,
+
+ typedef struct
+ {
++ /* We should always have the following ordering constraint:
++ * start <= this <= stream <= end
++ * Additionally, unless in an error or EOF state, `this < stream`.
++ */
+ const gchar *start;
+ const gchar *stream;
+ const gchar *end;
+
+- const gchar *this;
++ const gchar *this; /* (nullable) */
+ } TokenStream;
+
+
+@@ -172,7 +180,7 @@ token_stream_set_error (TokenStream *stream,
+ static gboolean
+ token_stream_prepare (TokenStream *stream)
+ {
+- gint brackets = 0;
++ gssize brackets = 0;
+ const gchar *end;
+
+ if (stream->this != NULL)
+@@ -402,7 +410,7 @@ static void
+ pattern_copy (gchar **out,
+ const gchar **in)
+ {
+- gint brackets = 0;
++ gssize brackets = 0;
+
+ while (**in == 'a' || **in == 'm' || **in == 'M')
+ *(*out)++ = *(*in)++;
+@@ -2666,7 +2674,7 @@ g_variant_builder_add_parsed (GVariantBuilder *builder,
+ static gboolean
+ parse_num (const gchar *num,
+ const gchar *limit,
+- guint *result)
++ size_t *result)
+ {
+ gchar *endptr;
+ gint64 bignum;
+@@ -2676,10 +2684,12 @@ parse_num (const gchar *num,
+ if (endptr != limit)
+ return FALSE;
+
++ /* The upper bound here is more restrictive than it technically needs to be,
++ * but should be enough for any practical situation: */
+ if (bignum < 0 || bignum > G_MAXINT)
+ return FALSE;
+
+- *result = (guint) bignum;
++ *result = (size_t) bignum;
+
+ return TRUE;
+ }
+@@ -2690,7 +2700,7 @@ add_last_line (GString *err,
+ {
+ const gchar *last_nl;
+ gchar *chomped;
+- gint i;
++ size_t i;
+
+ /* This is an error at the end of input. If we have a file
+ * with newlines, that's probably the empty string after the
+@@ -2835,7 +2845,7 @@ g_variant_parse_error_print_context (GError *error,
+
+ if (dash == NULL || colon < dash)
+ {
+- guint point;
++ size_t point;
+
+ /* we have a single point */
+ if (!parse_num (error->message, colon, &point))
+@@ -2853,7 +2863,7 @@ g_variant_parse_error_print_context (GError *error,
+ /* We have one or two ranges... */
+ if (comma && comma < colon)
+ {
+- guint start1, end1, start2, end2;
++ size_t start1, end1, start2, end2;
+ const gchar *dash2;
+
+ /* Two ranges */
+@@ -2869,7 +2879,7 @@ g_variant_parse_error_print_context (GError *error,
+ }
+ else
+ {
+- guint start, end;
++ size_t start, end;
+
+ /* One range */
+ if (!parse_num (error->message, dash, &start) || !parse_num (dash + 1, colon, &end))
@@ -66,6 +66,9 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://CVE-2025-7039-02.patch \
file://CVE-2025-13601-01.patch \
file://CVE-2025-13601-02.patch \
+ file://CVE-2025-14087-01.patch \
+ file://CVE-2025-14087-02.patch \
+ file://CVE-2025-14087-03.patch \
"
SRC_URI:append:class-native = " file://relocate-modules.patch"