similarity index 100%
rename from meta/recipes-core/glib-2.0/glib-2.0-initial_2.88.1.bb
rename to meta/recipes-core/glib-2.0/glib-2.0-initial_2.89.1.bb
similarity index 100%
rename from meta/recipes-core/glib-2.0/glib-2.0_2.88.1.bb
rename to meta/recipes-core/glib-2.0/glib-2.0_2.89.1.bb
@@ -238,7 +238,7 @@ SRC_URI:append:class-native = " file://relocate-modules.patch \
file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \
"
-SRC_URI[archive.sha256sum] = "51ab804c56f6eab3e5045c774d1290ac5e4c923d4f9a3d8e33123bee45c1840e"
+SRC_URI[archive.sha256sum] = "74447129c31afe141810f995626e8b99ab677413dae76ee3cf5a9cc6e75a486e"
# Find any meson cross files in FILESPATH that are relevant for the current
# build (using siteinfo) and add them to EXTRA_OEMESON.
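Review bot: The new value on the +SRC_URI[archive.sha256sum] line is the only integrity pin for the 2.89.1 tarball, and nothing in the patch says what it was checked against; please state in the commit message that it matches the checksum published upstream for that release. The context lines also show relocate-modules.patch and 0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch still listed in SRC_URI:append:class-native, so it is worth confirming that both apply to the new version without a refresh.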
This upgrade fixes CVE-2026-58016

A flaw was found in GLib. A state confusion issue exists in
g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when
processing malformed D-Bus introspection XML, specifically with a <node>
element nested within other elements like <method>, <signal>, <property>
or <arg>. This issue can cause an unsigned integer overflow and lead to
an out-of-bounds read, resulting in a denial of service.

The CVE NVD entry is wrong, it indicates that the CVE is fixed in 2.88.1
but the fix was realized in 2.89.0, see [1].
The fix is not present in 2.88.2.

[1] https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
 .../glib-2.0/{glib-2.0-initial_2.88.1.bb => glib-2.0-initial_2.89.1.bb} | 0
 meta/recipes-core/glib-2.0/{glib-2.0_2.88.1.bb => glib-2.0_2.89.1.bb} | 0
 meta/recipes-core/glib-2.0/glib.inc | 2 +-
 3 files changed, 1 insertion(+), 1 deletion(-)
---
base-commit: 0776ddc4508387f3c1a13f7a1b6e2a6119aea4b2
change-id: 20260703-glib-2-0-cve-2026-58016-master-78b10a0f1823

Best regards,
--
Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>