diff mbox series

glib-2.0: Upgrade 2.88.1 -> 2.89.1

Message ID 20260703-glib-2-0-cve-2026-58016-master-v1-1-e16967ddff16@bootlin.com
State New

Commit Message

Benjamin Robin July 3, 2026, 2:34 p.m. UTC
This upgrade fixes CVE-2026-58016

A flaw was found in GLib. A state confusion issue exists in
g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when
processing malformed D-Bus introspection XML, specifically with a <node>
element nested within other elements like <method>, <signal>, <property>
or <arg>. This issue can cause an unsigned integer overflow and lead to an
out-of-bounds read, resulting in a denial of service.

The CVE NVD entry is wrong, it indicates that the CVE is fixed in 2.88.1
but the fix was realized in 2.89.0, see [1]. The fix is not present in 2.88.2.

[1] https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
 .../glib-2.0/{glib-2.0-initial_2.88.1.bb => glib-2.0-initial_2.89.1.bb} | 0
 meta/recipes-core/glib-2.0/{glib-2.0_2.88.1.bb => glib-2.0_2.89.1.bb}   | 0
 meta/recipes-core/glib-2.0/glib.inc                                     | 2 +-
 3 files changed, 1 insertion(+), 1 deletion(-)


---
base-commit: 0776ddc4508387f3c1a13f7a1b6e2a6119aea4b2
change-id: 20260703-glib-2-0-cve-2026-58016-master-78b10a0f1823

Best regards,
--  
Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>

Patch

diff --git a/meta/recipes-core/glib-2.0/glib-2.0-initial_2.88.1.bb b/meta/recipes-core/glib-2.0/glib-2.0-initial_2.89.1.bb
similarity index 100%
rename from meta/recipes-core/glib-2.0/glib-2.0-initial_2.88.1.bb
rename to meta/recipes-core/glib-2.0/glib-2.0-initial_2.89.1.bb
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.88.1.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.89.1.bb
similarity index 100%
rename from meta/recipes-core/glib-2.0/glib-2.0_2.88.1.bb
rename to meta/recipes-core/glib-2.0/glib-2.0_2.89.1.bb
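Review bot: both renames are at similarity index 100%, so the recipe bodies are carried unchanged from the 2.88 series to the 2.89 series, yet the commit message only discusses CVE-2026-58016. Please add a short summary of what else changes between 2.88.1 and 2.89.1 and confirm that 2.89.x is a series upstream intends for distribution use. Since the commit message already points at the single upstream fix commit [1], it would also help to say why backporting that commit as a patch onto 2.88.x was not chosen.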
diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc
index 8d23092187bf..be037046d525 100644
--- a/meta/recipes-core/glib-2.0/glib.inc
+++ b/meta/recipes-core/glib-2.0/glib.inc
@@ -238,7 +238,7 @@  SRC_URI:append:class-native = " file://relocate-modules.patch \
                                 file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \
                               "
 
-SRC_URI[archive.sha256sum] = "51ab804c56f6eab3e5045c774d1290ac5e4c923d4f9a3d8e33123bee45c1840e"
+SRC_URI[archive.sha256sum] = "74447129c31afe141810f995626e8b99ab677413dae76ee3cf5a9cc6e75a486e"
 
 # Find any meson cross files in FILESPATH that are relevant for the current
 # build (using siteinfo) and add them to EXTRA_OEMESON.
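Review bot: the archive.sha256sum line is the only change in glib.inc, while the context directly above still lists relocate-modules.patch and 0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch untouched. Please confirm that every local patch in SRC_URI still applies to 2.89.1 without fuzz, and refresh any that do not in this same commit. The new checksum cannot be checked from the diff alone, so a line in the commit message saying it was compared against the checksum published with the upstream release would help.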