| Message ID | 20260218121438.514114-1-vanusuri@mvista.com |
|---|---|
| State | New |
| Headers | show |
| Series | [kirkstone] glib-2.0: Fix CVE-2026-0988 | expand |
This is already submitted almost 4 weeks ago. https://lists.openembedded.org/g/openembedded-core/message/229927 Since the nut branches are not updated that often nowadays, it's worth looking at the mailing list... Peter > -----Original Message----- > From: openembedded-core@lists.openembedded.org <openembedded- > core@lists.openembedded.org> On Behalf Of Vijay Anusuri via > lists.openembedded.org > Sent: Wednesday, February 18, 2026 13:15 > To: openembedded-core@lists.openembedded.org > Cc: Vijay Anusuri <vanusuri@mvista.com> > Subject: [OE-core][kirkstone][PATCH] glib-2.0: Fix CVE-2026-0988 > > From: Vijay Anusuri <vanusuri@mvista.com> > > Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/glib/- > /commit/c5766cff61ffce0b8e787eae09908ac348338e5f > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > --- > .../glib-2.0/glib-2.0/CVE-2026-0988.patch | 61 +++++++++++++++++++ > meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 1 + > 2 files changed, 62 insertions(+) > create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch > > diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch > b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch > new file mode 100644 > index 0000000000..1b67b162af > --- /dev/null > +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch > @@ -0,0 +1,61 @@ > +From c5766cff61ffce0b8e787eae09908ac348338e5f Mon Sep 17 00:00:00 2001 > +From: Philip Withnall <pwithnall@gnome.org> > +Date: Thu, 18 Dec 2025 23:12:18 +0000 > +Subject: [PATCH] gbufferedinputstream: Fix a potential integer overflow in > + peek() > + > +If the caller provides `offset` and `count` arguments which overflow, > +their sum will overflow and could lead to `memcpy()` reading out more > +memory than expected. > + > +Spotted by Codean Labs. > + > +Signed-off-by: Philip Withnall <pwithnall@gnome.org> > + > +Fixes: #3851 > + > +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/- > /commit/c5766cff61ffce0b8e787eae09908ac348338e5f] > +CVE: CVE-2026-0988 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + gio/gbufferedinputstream.c | 2 +- > + gio/tests/buffered-input-stream.c | 10 ++++++++++ > + 2 files changed, 11 insertions(+), 1 deletion(-) > + > +diff --git a/gio/gbufferedinputstream.c b/gio/gbufferedinputstream.c > +index 9e6bacc62d..56d656be04 100644 > +--- a/gio/gbufferedinputstream.c > ++++ b/gio/gbufferedinputstream.c > +@@ -591,7 +591,7 @@ g_buffered_input_stream_peek (GBufferedInputStream > *stream, > + > + available = g_buffered_input_stream_get_available (stream); > + > +- if (offset > available) > ++ if (offset > available || offset > G_MAXSIZE - count) > + return 0; > + > + end = MIN (offset + count, available); > +diff --git a/gio/tests/buffered-input-stream.c b/gio/tests/buffered-input-stream.c > +index a1af4eefff..2b2a0d9aa9 100644 > +--- a/gio/tests/buffered-input-stream.c > ++++ b/gio/tests/buffered-input-stream.c > +@@ -60,6 +60,16 @@ test_peek (void) > + g_assert_cmpint (npeek, ==, 0); > + g_free (buffer); > + > ++ buffer = g_new0 (char, 64); > ++ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM > (in), buffer, 8, 0); > ++ g_assert_cmpint (npeek, ==, 0); > ++ g_free (buffer); > ++ > ++ buffer = g_new0 (char, 64); > ++ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM > (in), buffer, 5, G_MAXSIZE); > ++ g_assert_cmpint (npeek, ==, 0); > ++ g_free (buffer); > ++ > + g_object_unref (in); > + g_object_unref (base); > + } > +-- > +GitLab > + > diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib- > 2.0/glib-2.0_2.72.3.bb > index 50701be3d0..7c0ed01f55 100644 > --- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb > +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb > @@ -70,6 +70,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib- > ${PV}.tar.xz \ > file://CVE-2025-14087-02.patch \ > file://CVE-2025-14087-03.patch \ > file://CVE-2025-14512.patch \ > + file://CVE-2026-0988.patch \ > " > SRC_URI:append:class-native = " file://relocate-modules.patch" > > -- > 2.25.1
Hi Peter, Thanks for pointing that out. I missed the earlier submission on the OpenEmbedded Core — sorry about that. I’ll follow-up the thread there. Thanks for the clarification. Yoann, Please ignore this patch. Thanks & Regards, Vijay On Wed, Feb 18, 2026 at 5:48 PM Peter Marko via lists.openembedded.org <peter.marko=siemens.com@lists.openembedded.org> wrote: > This is already submitted almost 4 weeks ago. > https://lists.openembedded.org/g/openembedded-core/message/229927 > Since the nut branches are not updated that often nowadays, it's worth > looking at the mailing list... > > Peter > > > -----Original Message----- > > From: openembedded-core@lists.openembedded.org <openembedded- > > core@lists.openembedded.org> On Behalf Of Vijay Anusuri via > > lists.openembedded.org > > Sent: Wednesday, February 18, 2026 13:15 > > To: openembedded-core@lists.openembedded.org > > Cc: Vijay Anusuri <vanusuri@mvista.com> > > Subject: [OE-core][kirkstone][PATCH] glib-2.0: Fix CVE-2026-0988 > > > > From: Vijay Anusuri <vanusuri@mvista.com> > > > > Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/glib/- > > /commit/c5766cff61ffce0b8e787eae09908ac348338e5f > > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > --- > > .../glib-2.0/glib-2.0/CVE-2026-0988.patch | 61 +++++++++++++++++++ > > meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 1 + > > 2 files changed, 62 insertions(+) > > create mode 100644 > meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch > > > > diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch > > b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch > > new file mode 100644 > > index 0000000000..1b67b162af > > --- /dev/null > > +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch > > @@ -0,0 +1,61 @@ > > +From c5766cff61ffce0b8e787eae09908ac348338e5f Mon Sep 17 00:00:00 2001 > > +From: Philip Withnall <pwithnall@gnome.org> > > +Date: Thu, 18 Dec 2025 23:12:18 +0000 > > +Subject: [PATCH] gbufferedinputstream: Fix a potential integer overflow > in > > + peek() > > + > > +If the caller provides `offset` and `count` arguments which overflow, > > +their sum will overflow and could lead to `memcpy()` reading out more > > +memory than expected. > > + > > +Spotted by Codean Labs. > > + > > +Signed-off-by: Philip Withnall <pwithnall@gnome.org> > > + > > +Fixes: #3851 > > + > > +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/- > > /commit/c5766cff61ffce0b8e787eae09908ac348338e5f] > > +CVE: CVE-2026-0988 > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > +--- > > + gio/gbufferedinputstream.c | 2 +- > > + gio/tests/buffered-input-stream.c | 10 ++++++++++ > > + 2 files changed, 11 insertions(+), 1 deletion(-) > > + > > +diff --git a/gio/gbufferedinputstream.c b/gio/gbufferedinputstream.c > > +index 9e6bacc62d..56d656be04 100644 > > +--- a/gio/gbufferedinputstream.c > > ++++ b/gio/gbufferedinputstream.c > > +@@ -591,7 +591,7 @@ g_buffered_input_stream_peek (GBufferedInputStream > > *stream, > > + > > + available = g_buffered_input_stream_get_available (stream); > > + > > +- if (offset > available) > > ++ if (offset > available || offset > G_MAXSIZE - count) > > + return 0; > > + > > + end = MIN (offset + count, available); > > +diff --git a/gio/tests/buffered-input-stream.c > b/gio/tests/buffered-input-stream.c > > +index a1af4eefff..2b2a0d9aa9 100644 > > +--- a/gio/tests/buffered-input-stream.c > > ++++ b/gio/tests/buffered-input-stream.c > > +@@ -60,6 +60,16 @@ test_peek (void) > > + g_assert_cmpint (npeek, ==, 0); > > + g_free (buffer); > > + > > ++ buffer = g_new0 (char, 64); > > ++ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM > > (in), buffer, 8, 0); > > ++ g_assert_cmpint (npeek, ==, 0); > > ++ g_free (buffer); > > ++ > > ++ buffer = g_new0 (char, 64); > > ++ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM > > (in), buffer, 5, G_MAXSIZE); > > ++ g_assert_cmpint (npeek, ==, 0); > > ++ g_free (buffer); > > ++ > > + g_object_unref (in); > > + g_object_unref (base); > > + } > > +-- > > +GitLab > > + > > diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb > b/meta/recipes-core/glib- > > 2.0/glib-2.0_2.72.3.bb > > index 50701be3d0..7c0ed01f55 100644 > > --- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb > > +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb > > @@ -70,6 +70,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib- > > ${PV}.tar.xz \ > > file://CVE-2025-14087-02.patch \ > > file://CVE-2025-14087-03.patch \ > > file://CVE-2025-14512.patch \ > > + file://CVE-2026-0988.patch \ > > " > > SRC_URI:append:class-native = " file://relocate-modules.patch" > > > > -- > > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#231297): > https://lists.openembedded.org/g/openembedded-core/message/231297 > Mute This Topic: https://lists.openembedded.org/mt/117873357/7301997 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > vanusuri@mvista.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch new file mode 100644 index 0000000000..1b67b162af --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch @@ -0,0 +1,61 @@ +From c5766cff61ffce0b8e787eae09908ac348338e5f Mon Sep 17 00:00:00 2001 +From: Philip Withnall <pwithnall@gnome.org> +Date: Thu, 18 Dec 2025 23:12:18 +0000 +Subject: [PATCH] gbufferedinputstream: Fix a potential integer overflow in + peek() + +If the caller provides `offset` and `count` arguments which overflow, +their sum will overflow and could lead to `memcpy()` reading out more +memory than expected. + +Spotted by Codean Labs. + +Signed-off-by: Philip Withnall <pwithnall@gnome.org> + +Fixes: #3851 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/c5766cff61ffce0b8e787eae09908ac348338e5f] +CVE: CVE-2026-0988 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + gio/gbufferedinputstream.c | 2 +- + gio/tests/buffered-input-stream.c | 10 ++++++++++ + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/gio/gbufferedinputstream.c b/gio/gbufferedinputstream.c +index 9e6bacc62d..56d656be04 100644 +--- a/gio/gbufferedinputstream.c ++++ b/gio/gbufferedinputstream.c +@@ -591,7 +591,7 @@ g_buffered_input_stream_peek (GBufferedInputStream *stream, + + available = g_buffered_input_stream_get_available (stream); + +- if (offset > available) ++ if (offset > available || offset > G_MAXSIZE - count) + return 0; + + end = MIN (offset + count, available); +diff --git a/gio/tests/buffered-input-stream.c b/gio/tests/buffered-input-stream.c +index a1af4eefff..2b2a0d9aa9 100644 +--- a/gio/tests/buffered-input-stream.c ++++ b/gio/tests/buffered-input-stream.c +@@ -60,6 +60,16 @@ test_peek (void) + g_assert_cmpint (npeek, ==, 0); + g_free (buffer); + ++ buffer = g_new0 (char, 64); ++ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 8, 0); ++ g_assert_cmpint (npeek, ==, 0); ++ g_free (buffer); ++ ++ buffer = g_new0 (char, 64); ++ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 5, G_MAXSIZE); ++ g_assert_cmpint (npeek, ==, 0); ++ g_free (buffer); ++ + g_object_unref (in); + g_object_unref (base); + } +-- +GitLab + diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb index 50701be3d0..7c0ed01f55 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb @@ -70,6 +70,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://CVE-2025-14087-02.patch \ file://CVE-2025-14087-03.patch \ file://CVE-2025-14512.patch \ + file://CVE-2026-0988.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch"