new file mode 100644
@@ -0,0 +1,82 @@
+From 330f59dcb39386b3d640ce94fcd3f75e1668ad88 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Mon, 4 Aug 2025 15:10:21 -0500
+Subject: [PATCH 1/3] openssl: properly check return value when writing to BIO
+ objects
+
+In particular, we will read out of bounds, and then write the invalid
+memory, if BIO_write() fails when getting the PROP_CERTIFICATE_PEM
+property. Here we attempt to check the return value, but the check is
+not correct.
+
+This also fixes a leak of the BIO in the same place.
+
+Also add error checking to PROP_SUBJECT_NAME and PROP_ISSUER_NAME, for
+good measure.
+
+Fixes #226
+
+CVE: CVE-2025-60018
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ tls/openssl/gtlscertificate-openssl.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/tls/openssl/gtlscertificate-openssl.c b/tls/openssl/gtlscertificate-openssl.c
+index 648f3e8..b536559 100644
+--- a/tls/openssl/gtlscertificate-openssl.c
++++ b/tls/openssl/gtlscertificate-openssl.c
+@@ -362,15 +362,12 @@ g_tls_certificate_openssl_get_property (GObject *object,
+ case PROP_CERTIFICATE_PEM:
+ bio = BIO_new (BIO_s_mem ());
+
+- if (!PEM_write_bio_X509 (bio, openssl->cert) || !BIO_write (bio, "\0", 1))
+- certificate_pem = NULL;
+- else
++ if (PEM_write_bio_X509 (bio, openssl->cert) == 1 && BIO_write (bio, "\0", 1) == 1)
+ {
+ BIO_get_mem_data (bio, &certificate_pem);
+ g_value_set_string (value, certificate_pem);
+-
+- BIO_free_all (bio);
+ }
++ BIO_free_all (bio);
+ break;
+
+ case PROP_PRIVATE_KEY:
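Review bot: The pointer filled in by `BIO_get_mem_data (bio, &certificate_pem)` refers to the memory BIO's own buffer, so the `g_value_set_string` copy has to happen before the `BIO_free_all (bio)` that this hunk moves out of the branch, and nothing in the code records that ordering constraint. A one-line comment above the `if` would protect the next edit, e.g. `/* certificate_pem points into bio's buffer: copy it into value before freeing bio */`. The `== 1` comparisons are the right success tests here, since PEM_write_bio_X509() returns 1 on success and a one-byte BIO_write() can only report 1 when it succeeds. The enclosing `g_tls_certificate_openssl_get_property` switch starts and ends outside the hunk.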
+@@ -411,8 +408,12 @@ g_tls_certificate_openssl_get_property (GObject *object,
+ case PROP_SUBJECT_NAME:
+ bio = BIO_new (BIO_s_mem ());
+ name = X509_get_subject_name (openssl->cert);
+- X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS);
+- BIO_write (bio, "\0", 1);
++ if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
++ BIO_write (bio, "\0", 1) != 1)
++ {
++ BIO_free_all (bio);
++ break;
++ }
+ BIO_get_mem_data (bio, (char **)&name_string);
+ g_value_set_string (value, name_string);
+ BIO_free_all (bio);
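Review bot: The new `X509_NAME_print_ex (...) < 0` test is only correct because the flags argument is `XN_FLAG_SEP_COMMA_PLUS`: OpenSSL documents that with `XN_FLAG_COMPAT` (the zero flags value) the function instead returns 0 on error and 1 on success, so a later change of the flags would silently disable this check. Worth pinning with a comment on the condition, e.g. `/* returns -1 on error (byte count on success) only for non-XN_FLAG_COMPAT flags */`. The PROP_ISSUER_NAME hunk below has the same condition and needs the same note. The `break` inside the `if` leaves the switch, which is what is wanted here; the surrounding function starts and ends outside the hunk.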
+@@ -421,9 +422,13 @@ g_tls_certificate_openssl_get_property (GObject *object,
+ case PROP_ISSUER_NAME:
+ bio = BIO_new (BIO_s_mem ());
+ name = X509_get_issuer_name (openssl->cert);
+- X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS);
+- BIO_write (bio, "\0", 1);
+- BIO_get_mem_data (bio, &name_string);
++ if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
++ BIO_write (bio, "\0", 1) != 1)
++ {
++ BIO_free_all (bio);
++ break;
++ }
++ BIO_get_mem_data (bio, (char **)&name_string);
+ g_value_set_string (value, name_string);
+ BIO_free_all (bio);
+ break;
+--
+2.43.0
+
new file mode 100644
@@ -0,0 +1,42 @@
+From b5a3a8b28b7616403d5454f5f1816c933c34cdac Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Thu, 21 Aug 2025 16:58:54 -0500
+Subject: [PATCH 2/3] openssl: check return value of g_tls_bio_alloc()
+
+This function may fail, in which case the parameter remains
+uninitialized. We'd better not dereference it in that case.
+
+CVE: CVE-2025-60019
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ tls/openssl/gtlsbio.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tls/openssl/gtlsbio.c b/tls/openssl/gtlsbio.c
+index 0f603fe..1e54943 100644
+--- a/tls/openssl/gtlsbio.c
++++ b/tls/openssl/gtlsbio.c
+@@ -370,7 +370,8 @@ g_tls_bio_new_from_iostream (GIOStream *io_stream)
+ GTlsBio *gbio;
+
+ ret = g_tls_bio_alloc (&gbio);
+- gbio->io_stream = g_object_ref (io_stream);
++ if (ret)
++ gbio->io_stream = g_object_ref (io_stream);
+
+ return ret;
+ }
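Review bot: The guard `if (ret)` only protects `gbio` because of a property of `g_tls_bio_alloc()` that is stated in the commit message but not in the code: it leaves `*gbio` untouched when it returns NULL. A comment at the call site would keep that coupling visible, e.g. `/* g_tls_bio_alloc() leaves gbio uninitialized on failure; only touch it when ret is non-NULL */`. The `g_tls_bio_new_from_datagram_based` hunk below has the same pattern. Both function bodies begin outside their hunks, where `ret` is declared.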
+@@ -382,7 +383,8 @@ g_tls_bio_new_from_datagram_based (GDatagramBased *socket)
+ GTlsBio *gbio;
+
+ ret = g_tls_bio_alloc (&gbio);
+- gbio->socket = g_object_ref (socket);
++ if (ret)
++ gbio->socket = g_object_ref (socket);
+
+ return ret;
+ }
+--
+2.43.0
+
new file mode 100644
@@ -0,0 +1,146 @@
+From 9c22e08b41255543bc15017123ed6c64b97b9b7c Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Thu, 21 Aug 2025 17:21:01 -0500
+Subject: [PATCH 3/3] openssl: check return values of BIO_new()
+
+We probably need to check even more return values of even more OpenSSL
+functions, but these ones allocate memory and that's particularly
+important to get right.
+
+CVE: CVE-2025-60019
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ tls/openssl/gtlscertificate-openssl.c | 42 ++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 10 deletions(-)
+
+diff --git a/tls/openssl/gtlscertificate-openssl.c b/tls/openssl/gtlscertificate-openssl.c
+index b536559..4fa5286 100644
+--- a/tls/openssl/gtlscertificate-openssl.c
++++ b/tls/openssl/gtlscertificate-openssl.c
+@@ -166,6 +166,9 @@ export_privkey_to_der (GTlsCertificateOpenssl *openssl,
+ goto err;
+
+ bio = BIO_new (BIO_s_mem ());
++ if (!bio)
++ goto err;
++
+ if (i2d_PKCS8_PRIV_KEY_INFO_bio (bio, pkcs8) == 0)
+ goto err;
+
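Review bot: The added `if (!bio) goto err;` jumps to a cleanup label that lies outside the hunk, so it relies on `err:` tolerating `bio == NULL`; `BIO_free_all (NULL)` is a no-op in OpenSSL, so a plain free there is safe, but anything else the label does with `bio` should be checked. The `maybe_import_pkcs12` hunk below (`goto import_failed;`) has the same dependency. The `export_privkey_to_pem` hunk makes the NULL case explicit with `g_clear_pointer (&bio, BIO_free_all)`; doing the same at `err:` and `import_failed:` would make the three cleanup paths consistent. `export_privkey_to_der` starts and ends outside the hunk.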
+@@ -199,6 +202,9 @@ export_privkey_to_pem (GTlsCertificateOpenssl *openssl)
+ return NULL;
+
+ bio = BIO_new (BIO_s_mem ());
++ if (!bio)
++ goto out;
++
+ ret = PEM_write_bio_PKCS8PrivateKey (bio, openssl->key, NULL, NULL, 0, NULL, NULL);
+ if (ret == 0)
+ goto out;
+@@ -211,7 +217,7 @@ export_privkey_to_pem (GTlsCertificateOpenssl *openssl)
+ result = g_strdup (data);
+
+ out:
+- BIO_free_all (bio);
++ g_clear_pointer (&bio, BIO_free_all);
+ return result;
+ }
+
+@@ -232,6 +238,9 @@ maybe_import_pkcs12 (GTlsCertificateOpenssl *openssl)
+ return;
+
+ bio = BIO_new (BIO_s_mem ());
++ if (!bio)
++ goto import_failed;
++
+ status = BIO_write (bio, openssl->pkcs12_data->data, openssl->pkcs12_data->len);
+ if (status <= 0)
+ goto import_failed;
+@@ -323,7 +332,7 @@ g_tls_certificate_openssl_get_property (GObject *object,
+ guint8 *data;
+ BIO *bio;
+ GByteArray *byte_array;
+- char *certificate_pem;
++ const char *certificate_pem;
+ long size;
+
+ const ASN1_TIME *time_asn1;
+@@ -362,12 +371,12 @@ g_tls_certificate_openssl_get_property (GObject *object,
+ case PROP_CERTIFICATE_PEM:
+ bio = BIO_new (BIO_s_mem ());
+
+- if (PEM_write_bio_X509 (bio, openssl->cert) == 1 && BIO_write (bio, "\0", 1) == 1)
++ if (bio && PEM_write_bio_X509 (bio, openssl->cert) == 1 && BIO_write (bio, "\0", 1) == 1)
+ {
+ BIO_get_mem_data (bio, &certificate_pem);
+ g_value_set_string (value, certificate_pem);
+ }
+- BIO_free_all (bio);
++ g_clear_pointer (&bio, BIO_free_all);
+ break;
+
+ case PROP_PRIVATE_KEY:
+@@ -407,6 +416,8 @@ g_tls_certificate_openssl_get_property (GObject *object,
+
+ case PROP_SUBJECT_NAME:
+ bio = BIO_new (BIO_s_mem ());
++ if (!bio)
++ break;
+ name = X509_get_subject_name (openssl->cert);
+ if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
+ BIO_write (bio, "\0", 1) != 1)
+@@ -421,6 +432,8 @@ g_tls_certificate_openssl_get_property (GObject *object,
+
+ case PROP_ISSUER_NAME:
+ bio = BIO_new (BIO_s_mem ());
++ if (!bio)
++ break;
+ name = X509_get_issuer_name (openssl->cert);
+ if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
+ BIO_write (bio, "\0", 1) != 1)
+@@ -533,8 +546,11 @@ g_tls_certificate_openssl_set_property (GObject *object,
+ break;
+ CRITICAL_IF_CERTIFICATE_INITIALIZED ("certificate-pem");
+ bio = BIO_new_mem_buf ((gpointer)string, -1);
+- openssl->cert = PEM_read_bio_X509 (bio, NULL, NULL, NULL);
+- BIO_free (bio);
++ if (bio)
++ {
++ openssl->cert = PEM_read_bio_X509 (bio, NULL, NULL, NULL);
++ BIO_free (bio);
++ }
+ if (openssl->cert)
+ openssl->have_cert = TRUE;
+ else if (!openssl->construct_error)
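Review bot: When `BIO_new_mem_buf` returns NULL the new `if (bio)` skips the parse, but control then falls into the existing `if (openssl->cert) ... else if (!openssl->construct_error)` chain, whose else body is outside the hunk; whatever error that branch records for an unparsable certificate will now also be reported for an allocation failure, which misleads whoever reads the resulting GError. Consider recording a distinct error in an `else` on the new `if (bio)`, or at least a comment there, e.g. `/* bio == NULL: allocation failure, surfaced below through construct_error */`. The private-key and private-key-pem hunks below have the same shape. `g_tls_certificate_openssl_set_property` starts and ends outside the hunk.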
+@@ -554,8 +570,11 @@ g_tls_certificate_openssl_set_property (GObject *object,
+ CRITICAL_IF_KEY_INITIALIZED ("private-key");
+
+ bio = BIO_new_mem_buf (bytes->data, bytes->len);
+- openssl->key = d2i_PrivateKey_bio (bio, NULL);
+- BIO_free (bio);
++ if (bio)
++ {
++ openssl->key = d2i_PrivateKey_bio (bio, NULL);
++ BIO_free (bio);
++ }
+ if (openssl->key)
+ openssl->have_key = TRUE;
+ else if (!openssl->construct_error)
+@@ -575,8 +594,11 @@ g_tls_certificate_openssl_set_property (GObject *object,
+ CRITICAL_IF_KEY_INITIALIZED ("private-key-pem");
+
+ bio = BIO_new_mem_buf ((gpointer)string, -1);
+- openssl->key = PEM_read_bio_PrivateKey (bio, NULL, NULL, NULL);
+- BIO_free (bio);
++ if (bio)
++ {
++ openssl->key = PEM_read_bio_PrivateKey (bio, NULL, NULL, NULL);
++ BIO_free (bio);
++ }
+ if (openssl->key)
+ openssl->have_key = TRUE;
+ else if (!openssl->construct_error)
+--
+2.43.0
+
@@ -29,7 +29,10 @@ PACKAGECONFIG[gnomeproxy] = "-Dgnome_proxy=enabled,-Dgnome_proxy=disabled,gsetti
inherit gnomebase gettext upstream-version-is-even gio-module-cache ptest-gnome
-SRC_URI += "file://run-ptest"
+SRC_URI += "file://0001-openssl-properly-check-return-value-when-writing-to-.patch \
+ file://0002-openssl-check-return-value-of-g_tls_bio_alloc.patch \
+ file://0003-openssl-check-return-values-of-BIO_new.patch \
+ file://run-ptest"
FILES:${PN} += "\
${libdir}/gio/modules/libgio*.so \
CVE-2025-60018: glib-networking's OpenSSL backend fails to properly check the return value of a call to BIO_write(), resulting in an out of bounds read. CVE-2025-60019: glib-networking's OpenSSL backend fails to properly check the return value of memory allocation routines. An out of memory condition could potentially result in writing to an invalid memory location. Signed-off-by: Ross Burton <ross.burton@arm.com> --- ...-check-return-value-when-writing-to-.patch | 82 ++++++++++ ...heck-return-value-of-g_tls_bio_alloc.patch | 42 +++++ ...enssl-check-return-values-of-BIO_new.patch | 146 ++++++++++++++++++ .../glib-networking/glib-networking_2.80.1.bb | 5 +- 4 files changed, 274 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-core/glib-networking/glib-networking/0001-openssl-properly-check-return-value-when-writing-to-.patch create mode 100644 meta/recipes-core/glib-networking/glib-networking/0002-openssl-check-return-value-of-g_tls_bio_alloc.patch create mode 100644 meta/recipes-core/glib-networking/glib-networking/0003-openssl-check-return-values-of-BIO_new.patch