
[scarthgap] glib-2.0: fix CVE-2026-58016

Message ID 20260703-glib-2-0-cve-2026-58016-v1-1-23bfe853642f@bootlin.com
State Awaiting Upstream
Delegated to: Yoann Congal
Series [scarthgap] glib-2.0: fix CVE-2026-58016

Commit Message

Benjamin Robin (Schneider Electric) July 3, 2026, 1:25 p.m. UTC
A flaw was found in GLib. A state confusion issue exists in
g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when
processing malformed D-Bus introspection XML, specifically with a <node>
element nested within other elements like <method>, <signal>, <property>
or <arg>. This issue can cause an unsigned integer overflow and lead to an
out-of-bounds read, resulting in a denial of service.

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
 .../glib-2.0/glib-2.0/CVE-2026-58016-1.patch       | 92 +++++++++++++++++++++
 .../glib-2.0/glib-2.0/CVE-2026-58016-2.patch       | 96 ++++++++++++++++++++++
 meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb      |  2 +
 3 files changed, 190 insertions(+)


---
base-commit: 2814f0962f56c8d1afa4de76d2895ba9b5cb767d
change-id: 20260703-glib-2-0-cve-2026-58016-63b769c22101

Best regards,
--  
Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
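The nesting rule the fix enforces (a `<node>` element is either the document root or a direct child of another `<node>`) can be checked independently of GLib before an introspection document is handed to g_dbus_node_info_new_for_xml(). The following Python is an added example, not code from this patch or from GLib; it uses Python's expat binding so that, like the GMarkup-based parser, the check fires at the offending start tag even when the document is truncated. The sample documents are constructed for the example.

```python
"""Defensive pre-check for D-Bus introspection XML: reject a <node>
element that is nested in anything other than another <node>."""
from xml.parsers import expat


class NodeNestingError(ValueError):
    """Raised when a <node> start tag appears under a non-<node> parent."""


def check_node_nesting(xml_text):
    """Stream the document with expat, keeping the same kind of element
    stack the GMarkup-based parser keeps, and fail at the first <node>
    whose parent is not <node>. Returns the number of <node> elements
    seen on success."""
    stack = []          # names of currently open elements, innermost last
    node_count = 0

    def start(name, attrs):
        nonlocal node_count
        if name == "node":
            # Rule from the upstream fix: <node> is the root or a direct
            # child of <node>; anything else is invalid content.
            if stack and stack[-1] != "node":
                raise NodeNestingError(
                    f"<node> nested inside <{stack[-1]}>")
            node_count += 1
        stack.append(name)

    def end(name):
        stack.pop()

    parser = expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(xml_text, True)   # raises expat.ExpatError if malformed
    return node_count


def classify(xml_text):
    """Map a document to 'ok', 'nesting' or 'malformed' for reporting."""
    try:
        check_node_nesting(xml_text)
        return "ok"
    except NodeNestingError:
        return "nesting"
    except expat.ExpatError:
        return "malformed"


# Constructed samples (hypothetical, not from the patch): a valid document
# with a child node, a well-formed document that nests <node> under
# <method>, and a truncated document in the shape of the patch's test
# vectors, where the bad <node> is reached before expat notices the
# missing end tags.
VALID = ('<node><interface name="I"><method name="M"/></interface>'
         '<node name="child"><interface name="I2"/></node></node>')
NESTED_IN_METHOD = ('<node><interface name="I"><method name="M">'
                    '<node/></method></interface></node>')
TRUNCATED = ('<node><interface name="I"><signal name="S"><node>'
             '<interface name="I2"/></node></signal>')

if __name__ == "__main__":
    for label, doc in (("valid", VALID), ("nested", NESTED_IN_METHOD),
                       ("truncated", TRUNCATED)):
        print(label, classify(doc))
```

Because the check runs on start tags, the truncated sample is reported as a nesting violation rather than as malformed XML, which is the order in which the GMarkup parser would also encounter the problem; a document that is merely cut off with no bad `<node>` is reported as malformed instead.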

Comments

Yoann Congal July 3, 2026, 1:33 p.m. UTC | #1
On Fri Jul 3, 2026 at 3:25 PM CEST, Benjamin Robin via lists.openembedded.org wrote:
> A flaw was found in GLib. A state confusion issue exists in
> g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when
> processing malformed D-Bus introspection XML, specifically with a <node>
> element nested within other elements like <method>, <signal>, <property>
> or <arg>. This issue can cause an unsigned integer overflow and lead to an
> out-of-bounds read, resulting in a denial of service.
>
> Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
> ---
>  .../glib-2.0/glib-2.0/CVE-2026-58016-1.patch       | 92 +++++++++++++++++++++
>  .../glib-2.0/glib-2.0/CVE-2026-58016-2.patch       | 96 ++++++++++++++++++++++
>  meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb      |  2 +

NVD tells this is fixed in 2.88.1 but wrynose is at 2.88.0. Can you send
a patch for wrynose so I can accept this on scarthgap?

Thanks!
Benjamin Robin (Schneider Electric) July 3, 2026, 1:46 p.m. UTC | #2
Hello Yoann,

On Friday, July 3, 2026 at 3:33 PM, Yoann Congal wrote:
> On Fri Jul 3, 2026 at 3:25 PM CEST, Benjamin Robin via lists.openembedded.org wrote:
> > A flaw was found in GLib. A state confusion issue exists in
> > g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when
> > processing malformed D-Bus introspection XML, specifically with a <node>
> > element nested within other elements like <method>, <signal>, <property>
> > or <arg>. This issue can cause an unsigned integer overflow and lead to an
> > out-of-bounds read, resulting in a denial of service.
> >
> > Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
> > ---
> >  .../glib-2.0/glib-2.0/CVE-2026-58016-1.patch       | 92 +++++++++++++++++++++
> >  .../glib-2.0/glib-2.0/CVE-2026-58016-2.patch       | 96 ++++++++++++++++++++++
> >  meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb      |  2 +
> 
> NVD tells this is fixed in 2.88.1 but wrynose is at 2.88.0. Can you send
> a patch for wrynose so I can accept this on scarthgap?

The fun thing is that this is not fixed in version 2.88.1 but in 2.89.0.

I am sending a patch right now.

> 
> Thanks!
>
Yoann Congal July 3, 2026, 1:53 p.m. UTC | #3
On Fri Jul 3, 2026 at 3:46 PM CEST, Benjamin Robin wrote:
> Hello Yoann,
>
> On Friday, July 3, 2026 at 3:33 PM, Yoann Congal wrote:
>> On Fri Jul 3, 2026 at 3:25 PM CEST, Benjamin Robin via lists.openembedded.org wrote:
>> > A flaw was found in GLib. A state confusion issue exists in
>> > g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when
>> > processing malformed D-Bus introspection XML, specifically with a <node>
>> > element nested within other elements like <method>, <signal>, <property>
>> > or <arg>. This issue can cause an unsigned integer overflow and lead to an
>> > out-of-bounds read, resulting in a denial of service.
>> >
>> > Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
>> > ---
>> >  .../glib-2.0/glib-2.0/CVE-2026-58016-1.patch       | 92 +++++++++++++++++++++
>> >  .../glib-2.0/glib-2.0/CVE-2026-58016-2.patch       | 96 ++++++++++++++++++++++
>> >  meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb      |  2 +
>> 
>> NVD tells this is fixed in 2.88.1 but wrynose is at 2.88.0. Can you send
>> a patch for wrynose so I can accept this on scarthgap?
>
> The fun thing is that this is not fixed in version 2.88.1 but in 2.89.0.

Then,
* NVD is wrong(?). Can you send a modification request so we avoid false
  negatives (those are the worst ones!)?
* And, in that case, master is also impacted and needs a fix.

Thanks!

> I am sending a patch right now.
>
>> 
>> Thanks!
>>

Patch

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58016-1.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58016-1.patch
new file mode 100644
index 000000000000..ee6321361455
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58016-1.patch
@@ -0,0 +1,92 @@ 
+From 38eee3870fbcf6bdf8e6b1281bc7a98d32b68521 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 16 Apr 2026 15:27:37 +0100
+Subject: [PATCH 1/2] gdbusintrospection: Fix XML parser state handling for
+ <node> element nesting
+
+The check for whether a `<node>` element in D-Bus introspection XML was
+nested correctly was broken. `<node>` elements can only be at the top
+level, or nested immediately within another `<node>` element.
+
+Fix the check and add some unit tests for it.
+
+Spotted by linhlhq as #YWH-PGM9867-204. The fix is mine, and the unit test
+uses example XML strings adapted from their report.
+
+Fixes: #3932
+
+CVE: CVE-2026-58016
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ gio/gdbusintrospection.c        |  2 +-
+ gio/tests/gdbus-introspection.c | 33 +++++++++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/gio/gdbusintrospection.c b/gio/gdbusintrospection.c
+index c7be334ce2f7..6f722ee6153d 100644
+--- a/gio/gdbusintrospection.c
++++ b/gio/gdbusintrospection.c
+@@ -1272,7 +1272,7 @@ parser_start_element (GMarkupParseContext  *context,
+   /* ---------------------------------------------------------------------------------------------------- */
+   if (strcmp (element_name, "node") == 0)
+     {
+-      if (!(g_slist_length (stack) >= 1 || strcmp (stack->next->data, "node") != 0))
++      if (stack->next != NULL && strcmp (stack->next->data, "node") != 0)
+         {
+           g_set_error_literal (error,
+                                G_MARKUP_ERROR,
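Review bot: The removed condition `!(g_slist_length (stack) >= 1 || strcmp (stack->next->data, "node") != 0)` can never be true, because the element stack always holds at least the current `<node>` itself, so the `||` is always satisfied and the error branch was dead; that is why a `<node>` under `<method>`, `<signal>`, `<property>` or `<arg>` passed this check and reached the later `len - 1` dereferences with empty arrays. The replacement `stack->next != NULL && strcmp (stack->next->data, "node") != 0` only consults the parent when one exists. Since the hunk context does not show where `stack` is assigned, confirm that the 2.78.6 copy of parser_start_element() still obtains it from the parse context's element stack (current element first), otherwise `stack->next` is not the parent and the check does not do what the commit message says.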
+diff --git a/gio/tests/gdbus-introspection.c b/gio/tests/gdbus-introspection.c
+index 44cb7a96af45..daca313f77e7 100644
+--- a/gio/tests/gdbus-introspection.c
++++ b/gio/tests/gdbus-introspection.c
+@@ -299,6 +299,38 @@ test_extra_data (void)
+   g_dbus_node_info_unref (info);
+ }
+
++static void
++test_invalid (void)
++{
++  const struct
++    {
++      const char *xml;
++      GMarkupError expected_error_code;
++    }
++  vectors[] =
++    {
++      { "", G_MARKUP_ERROR_EMPTY },
++      { "<node><interface name=\"I\"><method name=\"M\"><node><interface name=\"I2\"></interface></node></method>", G_MARKUP_ERROR_INVALID_CONTENT },
++      { "<node><interface name=\"I\"><signal name=\"S\"><node><interface name=\"I2\"><signal name=\"S2\"></signal></interface></node></signal>", G_MARKUP_ERROR_INVALID_CONTENT },
++      { "<node><interface name=\"I\"><property name=\"P\" type=\"s\" access=\"read\"><node><interface name=\"I2\"></interface></node></property>", G_MARKUP_ERROR_INVALID_CONTENT },
++      { "<node><interface name=\"I\"><method name=\"M\"><arg type=\"\"><node><interface name=\"I2\"><method name=\"M2\"></method></interface></node></arg>", G_MARKUP_ERROR_INVALID_CONTENT },
++    };
++
++  for (size_t i = 0; i < G_N_ELEMENTS (vectors); i++)
++    {
++      GDBusNodeInfo *node;
++      GError *local_error = NULL;
++
++      g_test_message ("Testing parsing of %s gives an error", vectors[i].xml);
++
++      node = g_dbus_node_info_new_for_xml (vectors[i].xml, &local_error);
++      g_assert_error (local_error, G_MARKUP_ERROR, (int) vectors[i].expected_error_code);
++      g_assert_null (node);
++
++      g_clear_error (&local_error);
++    }
++}
++
+ /* ---------------------------------------------------------------------------------------------------- */
+
+ int
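Review bot: The four invalid vectors cover each forbidden parent named in the CVE description and assert `G_MARKUP_ERROR_INVALID_CONTENT` via `g_assert_error`, but there is no positive vector here for the case the fix must keep accepting, a `<node>` nested directly under `<node>`; if none of the other tests in this file parse such a document, add one so a future regression in the new condition (for example rejecting all nested nodes) is caught. The loop body is otherwise sound: `g_assert_null (node)` guards against a leak on an unexpected success and `g_clear_error` resets `local_error` between iterations.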
+@@ -316,6 +348,7 @@ main (int   argc,
+   g_test_add_func ("/gdbus/introspection-generate", test_generate);
+   g_test_add_func ("/gdbus/introspection-default-direction", test_default_direction);
+   g_test_add_func ("/gdbus/introspection-extra-data", test_extra_data);
++  g_test_add_func ("/gdbus/introspection/invalid", test_invalid);
+
+   ret = session_bus_run ();
+
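Review bot: The new test path `/gdbus/introspection/invalid` uses a slash separator where the neighbouring registrations use a hyphen (`/gdbus/introspection-extra-data`); as this is a verbatim backport of the upstream commit the name should stay as upstream has it, so this is only a note for anyone comparing test output across branches.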
+--
+2.54.0
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58016-2.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58016-2.patch
new file mode 100644
index 000000000000..a24e54016177
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58016-2.patch
@@ -0,0 +1,96 @@ 
+From a75052ceeebea434f271b670766acd5416bc83b9 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 16 Apr 2026 15:08:10 +0100
+Subject: [PATCH 2/2] gdbusintrospection: Add some assertions before array
+ dereferences
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The state handling inside the D-Bus introspection XML parser is
+complicated, and it’s possible that these dereferences of the
+`len - 1`th element might get reached when the array is empty.
+
+Make failures like that more debuggable by adding an assertion on the
+length beforehand.
+
+Helps: #3932
+
+CVE: CVE-2026-58016
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/656ad4582cb1d7a7fa8bafe3ce8aec6aa3c17da0]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ gio/gdbusintrospection.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/gio/gdbusintrospection.c b/gio/gdbusintrospection.c
+index 6f722ee6153d..ed0d291f99f0 100644
+--- a/gio/gdbusintrospection.c
++++ b/gio/gdbusintrospection.c
+@@ -1110,6 +1110,7 @@ parse_data_get_annotation (ParseData *data,
+ {
+   if (create_new)
+     g_ptr_array_add (data->annotations, g_new0 (GDBusAnnotationInfo, 1));
++  g_assert (data->annotations->len > 0);
+   return data->annotations->pdata[data->annotations->len - 1];
+ }
+
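Review bot: `g_assert()` aborts the process when it fires and is compiled out entirely when `G_DISABLE_ASSERT` is defined, so this hunk (and the seven identical ones below for args, out_args, methods, signals, properties, interfaces and nodes) turns a silent out-of-bounds read of `pdata[len - 1]` into an immediate, attributable abort in assertion-enabled builds but adds no protection in builds that disable assertions. That matches the commit message's "more debuggable" intent; the actual fix for CVE-2026-58016 is the nesting check in patch 1/2, which must therefore always be applied together with this one.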
+@@ -1119,6 +1120,7 @@ parse_data_get_arg (ParseData *data,
+ {
+   if (create_new)
+     g_ptr_array_add (data->args, g_new0 (GDBusArgInfo, 1));
++  g_assert (data->args->len > 0);
+   return data->args->pdata[data->args->len - 1];
+ }
+
+@@ -1128,6 +1130,7 @@ parse_data_get_out_arg (ParseData *data,
+ {
+   if (create_new)
+     g_ptr_array_add (data->out_args, g_new0 (GDBusArgInfo, 1));
++  g_assert (data->out_args->len > 0);
+   return data->out_args->pdata[data->out_args->len - 1];
+ }
+
+@@ -1137,6 +1140,7 @@ parse_data_get_method (ParseData *data,
+ {
+   if (create_new)
+     g_ptr_array_add (data->methods, g_new0 (GDBusMethodInfo, 1));
++  g_assert (data->methods->len > 0);
+   return data->methods->pdata[data->methods->len - 1];
+ }
+
+@@ -1146,6 +1150,7 @@ parse_data_get_signal (ParseData *data,
+ {
+   if (create_new)
+     g_ptr_array_add (data->signals, g_new0 (GDBusSignalInfo, 1));
++  g_assert (data->signals->len > 0);
+   return data->signals->pdata[data->signals->len - 1];
+ }
+
+@@ -1155,6 +1160,7 @@ parse_data_get_property (ParseData *data,
+ {
+   if (create_new)
+     g_ptr_array_add (data->properties, g_new0 (GDBusPropertyInfo, 1));
++  g_assert (data->properties->len > 0);
+   return data->properties->pdata[data->properties->len - 1];
+ }
+
+@@ -1164,6 +1170,7 @@ parse_data_get_interface (ParseData *data,
+ {
+   if (create_new)
+     g_ptr_array_add (data->interfaces, g_new0 (GDBusInterfaceInfo, 1));
++  g_assert (data->interfaces->len > 0);
+   return data->interfaces->pdata[data->interfaces->len - 1];
+ }
+
+@@ -1173,6 +1180,7 @@ parse_data_get_node (ParseData *data,
+ {
+   if (create_new)
+     g_ptr_array_add (data->nodes, g_new0 (GDBusNodeInfo, 1));
++  g_assert (data->nodes->len > 0);
+   return data->nodes->pdata[data->nodes->len - 1];
+ }
+
+--
+2.54.0
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
index b8212c9d12bd..549584f3d8fa 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
@@ -47,6 +47,8 @@  SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
            file://CVE-2026-1489-02.patch \
            file://CVE-2026-1489-03.patch \
            file://CVE-2026-1489-04.patch \
+           file://CVE-2026-58016-1.patch \
+           file://CVE-2026-58016-2.patch \
            "
 SRC_URI:append:class-native = " file://relocate-modules.patch \
                                 file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \
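Review bot: Both new patch files carry `CVE: CVE-2026-58016` and an `Upstream-Status: Backport [...]` line pointing at the upstream GNOME commits, so adding them to `SRC_URI` here is sufficient for cve-check to report the CVE as patched for glib-2.0 2.78.6. The file names use `-1`/`-2` suffixes where the neighbouring `CVE-2026-1489-0N.patch` entries are zero-padded; cosmetic, but worth aligning if a v2 is sent.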