new file mode 100644
@@ -0,0 +1,92 @@
+From 38eee3870fbcf6bdf8e6b1281bc7a98d32b68521 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 16 Apr 2026 15:27:37 +0100
+Subject: [PATCH 1/2] gdbusintrospection: Fix XML parser state handling for
+ <node> element nesting
+
+The check for whether a `<node>` element in D-Bus introspection XML was
+nested correctly was broken. `<node>` elements can only be at the top
+level, or nested immediately within another `<node>` element.
+
+Fix the check and add some unit tests for it.
+
+Spotted by linhlhq as #YWH-PGM9867-204. The fix is mine, and the unit test
+uses example XML strings adapted from their report.
+
+Fixes: #3932
+
+CVE: CVE-2026-58016
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ gio/gdbusintrospection.c | 2 +-
+ gio/tests/gdbus-introspection.c | 33 +++++++++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/gio/gdbusintrospection.c b/gio/gdbusintrospection.c
+index c7be334ce2f7..6f722ee6153d 100644
+--- a/gio/gdbusintrospection.c
++++ b/gio/gdbusintrospection.c
+@@ -1272,7 +1272,7 @@ parser_start_element (GMarkupParseContext *context,
+ /* ---------------------------------------------------------------------------------------------------- */
+ if (strcmp (element_name, "node") == 0)
+ {
+- if (!(g_slist_length (stack) >= 1 || strcmp (stack->next->data, "node") != 0))
++ if (stack->next != NULL && strcmp (stack->next->data, "node") != 0)
+ {
+ g_set_error_literal (error,
+ G_MARKUP_ERROR,
+diff --git a/gio/tests/gdbus-introspection.c b/gio/tests/gdbus-introspection.c
+index 44cb7a96af45..daca313f77e7 100644
+--- a/gio/tests/gdbus-introspection.c
++++ b/gio/tests/gdbus-introspection.c
+@@ -299,6 +299,38 @@ test_extra_data (void)
+ g_dbus_node_info_unref (info);
+ }
+
++static void
++test_invalid (void)
++{
++ const struct
++ {
++ const char *xml;
++ GMarkupError expected_error_code;
++ }
++ vectors[] =
++ {
++ { "", G_MARKUP_ERROR_EMPTY },
++ { "<node><interface name=\"I\"><method name=\"M\"><node><interface name=\"I2\"></interface></node></method>", G_MARKUP_ERROR_INVALID_CONTENT },
++ { "<node><interface name=\"I\"><signal name=\"S\"><node><interface name=\"I2\"><signal name=\"S2\"></signal></interface></node></signal>", G_MARKUP_ERROR_INVALID_CONTENT },
++ { "<node><interface name=\"I\"><property name=\"P\" type=\"s\" access=\"read\"><node><interface name=\"I2\"></interface></node></property>", G_MARKUP_ERROR_INVALID_CONTENT },
++ { "<node><interface name=\"I\"><method name=\"M\"><arg type=\"\"><node><interface name=\"I2\"><method name=\"M2\"></method></interface></node></arg>", G_MARKUP_ERROR_INVALID_CONTENT },
++ };
++
++ for (size_t i = 0; i < G_N_ELEMENTS (vectors); i++)
++ {
++ GDBusNodeInfo *node;
++ GError *local_error = NULL;
++
++ g_test_message ("Testing parsing of %s gives an error", vectors[i].xml);
++
++ node = g_dbus_node_info_new_for_xml (vectors[i].xml, &local_error);
++ g_assert_error (local_error, G_MARKUP_ERROR, (int) vectors[i].expected_error_code);
++ g_assert_null (node);
++
++ g_clear_error (&local_error);
++ }
++}
++
+ /* ---------------------------------------------------------------------------------------------------- */
+
+ int
+@@ -316,6 +348,7 @@ main (int argc,
+ g_test_add_func ("/gdbus/introspection-generate", test_generate);
+ g_test_add_func ("/gdbus/introspection-default-direction", test_default_direction);
+ g_test_add_func ("/gdbus/introspection-extra-data", test_extra_data);
++ g_test_add_func ("/gdbus/introspection/invalid", test_invalid);
+
+ ret = session_bus_run ();
+
+--
+2.54.0
new file mode 100644
@@ -0,0 +1,96 @@
+From a75052ceeebea434f271b670766acd5416bc83b9 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 16 Apr 2026 15:08:10 +0100
+Subject: [PATCH 2/2] gdbusintrospection: Add some assertions before array
+ dereferences
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The state handling inside the D-Bus introspection XML parser is
+complicated, and it’s possible that these dereferences of the
+`len - 1`th element might get reached when the array is empty.
+
+Make failures like that more debuggable by adding an assertion on the
+length beforehand.
+
+Helps: #3932
+
+CVE: CVE-2026-58016
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/656ad4582cb1d7a7fa8bafe3ce8aec6aa3c17da0]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ gio/gdbusintrospection.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/gio/gdbusintrospection.c b/gio/gdbusintrospection.c
+index 6f722ee6153d..ed0d291f99f0 100644
+--- a/gio/gdbusintrospection.c
++++ b/gio/gdbusintrospection.c
+@@ -1110,6 +1110,7 @@ parse_data_get_annotation (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->annotations, g_new0 (GDBusAnnotationInfo, 1));
++ g_assert (data->annotations->len > 0);
+ return data->annotations->pdata[data->annotations->len - 1];
+ }
+
+@@ -1119,6 +1120,7 @@ parse_data_get_arg (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->args, g_new0 (GDBusArgInfo, 1));
++ g_assert (data->args->len > 0);
+ return data->args->pdata[data->args->len - 1];
+ }
+
+@@ -1128,6 +1130,7 @@ parse_data_get_out_arg (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->out_args, g_new0 (GDBusArgInfo, 1));
++ g_assert (data->out_args->len > 0);
+ return data->out_args->pdata[data->out_args->len - 1];
+ }
+
+@@ -1137,6 +1140,7 @@ parse_data_get_method (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->methods, g_new0 (GDBusMethodInfo, 1));
++ g_assert (data->methods->len > 0);
+ return data->methods->pdata[data->methods->len - 1];
+ }
+
+@@ -1146,6 +1150,7 @@ parse_data_get_signal (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->signals, g_new0 (GDBusSignalInfo, 1));
++ g_assert (data->signals->len > 0);
+ return data->signals->pdata[data->signals->len - 1];
+ }
+
+@@ -1155,6 +1160,7 @@ parse_data_get_property (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->properties, g_new0 (GDBusPropertyInfo, 1));
++ g_assert (data->properties->len > 0);
+ return data->properties->pdata[data->properties->len - 1];
+ }
+
+@@ -1164,6 +1170,7 @@ parse_data_get_interface (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->interfaces, g_new0 (GDBusInterfaceInfo, 1));
++ g_assert (data->interfaces->len > 0);
+ return data->interfaces->pdata[data->interfaces->len - 1];
+ }
+
+@@ -1173,6 +1180,7 @@ parse_data_get_node (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->nodes, g_new0 (GDBusNodeInfo, 1));
++ g_assert (data->nodes->len > 0);
+ return data->nodes->pdata[data->nodes->len - 1];
+ }
+
+--
+2.54.0
@@ -47,6 +47,8 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://CVE-2026-1489-02.patch \
file://CVE-2026-1489-03.patch \
file://CVE-2026-1489-04.patch \
+ file://CVE-2026-58016-1.patch \
+ file://CVE-2026-58016-2.patch \
"
SRC_URI:append:class-native = " file://relocate-modules.patch \
file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \
A flaw was found in GLib. A state confusion issue exists in g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when processing malformed D-Bus introspection XML, specifically with a <node> element nested within other elements like <method>, <signal>, <property> or <arg>. This issue can cause an unsigned integer overflow and lead to an out-of-bounds read, resulting in a denial of service. Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com> --- .../glib-2.0/glib-2.0/CVE-2026-58016-1.patch | 92 +++++++++++++++++++++ .../glib-2.0/glib-2.0/CVE-2026-58016-2.patch | 96 ++++++++++++++++++++++ meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 2 + 3 files changed, 190 insertions(+) --- base-commit: 2814f0962f56c8d1afa4de76d2895ba9b5cb767d change-id: 20260703-glib-2-0-cve-2026-58016-63b769c22101 Best regards, -- Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>