new file mode 100644
@@ -0,0 +1,48 @@
+From be2173eb9b769255df9474a9128e642b60894f10 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Thu, 12 Mar 2026 12:47:00 -0500
+Subject: [PATCH] openssl: fix out of bounds read in accepted-cas property
+ getter
+
+The d2i and i2d functions are quite dangerous because they advance the
+provided pointer, so we have to pass a temporary pointer if we're later
+going to do anything with the original pointer.
+
+I've audited the codebase and found this is our only such mistake.
+
+Fixes #228 (CVE-2026-2574)
+
+Part-of: <https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/269>
+
+
+(cherry picked from commit c3c84b269165f2a312d47fa15c5cbc7f8ead7631)
+
+Co-authored-by: Michael Catanzaro <mcatanzaro@gnome.org>
+
+CVE: CVE-2026-2574
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ tls/openssl/gtlsclientconnection-openssl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
+index e98fb0b..e2ff0d4 100644
+--- a/tls/openssl/gtlsclientconnection-openssl.c
++++ b/tls/openssl/gtlsclientconnection-openssl.c
+@@ -141,9 +141,11 @@ g_tls_client_connection_openssl_get_property (GObject *object,
+ if (size > 0)
+ {
+ unsigned char *ca;
++ unsigned char *tmp;
+
+ ca = g_malloc (size);
+- size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), &ca);
++ tmp = ca;
++ size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), &tmp);
+ if (size > 0)
+ accepted_cas = g_list_prepend (accepted_cas, g_byte_array_new_take (
+ ca, size));
+--
+2.43.0
+
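Review bot: The new `tmp = ca;` line in the inner hunk carries no explanation, so a future maintainer is likely to "simplify" it back to passing `&ca` and reintroduce the very out-of-bounds read this backport fixes; add a comment on that line such as `/* i2d_X509_NAME advances the pointer it is given; keep ca pointing at the start of the buffer so g_byte_array_new_take receives the real allocation. */`. The rest of the pattern is fine: the g_malloc'd `ca` is untouched and its length is whatever the second i2d_X509_NAME call returns. The enclosing `if (size > 0)` block closes outside the hunk, so it is not visible whether `ca` is released when that second call returns a non-positive size; if there is no `g_free (ca)` on that branch, the buffer leaks on an encoding failure, which is worth confirming in the full file. The recipe hunk below only adds the patch to SRC_URI and needs no change.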
@@ -32,6 +32,7 @@ inherit gnomebase gettext upstream-version-is-even gio-module-cache ptest-gnome
SRC_URI += "file://0001-openssl-properly-check-return-value-when-writing-to-.patch \
file://0002-openssl-check-return-value-of-g_tls_bio_alloc.patch \
file://0003-openssl-check-return-values-of-BIO_new.patch \
+ file://0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch \
file://run-ptest"
FILES:${PN} += "\
CVE-2026-2574: Affected versions of this package are vulnerable to Out-of-bounds Read via improper handling of certificate authority data in the OpenSSL backend. An attacker can cause application crashes and potentially disclose limited heap memory by enticing a client to connect to a malicious TLS server that advertises a specially crafted client-CA list. Signed-off-by: Ross Burton <ross.burton@arm.com> --- ...of-bounds-read-in-accepted-cas-prope.patch | 48 +++++++++++++++++++ .../glib-networking/glib-networking_2.80.1.bb | 1 + 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-core/glib-networking/glib-networking/0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch