new file mode 100644
@@ -0,0 +1,95 @@
+From 90119b27e94759d942d2e8eb55b13d17237b423d Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 28 Apr 2026 15:47:30 +0100
+Subject: [PATCH] gdbusauthmechanismsha1: Validate cookie context
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Without validation, the server could send a malicious context which
+contains path traversal characters, allowing it to exfiltrate a SHA-1
+hashed copy of arbitrary data from the client’s file system.
+
+To exploit this successfully would require the client to choose to
+connect peer-to-peer to a malicious D-Bus server and to choose the SHA-1
+authentication mechanism in preference to all the other mechanisms. This
+is vanishingly unlikely.
+
+Fixes: #3931
+
+CVE: CVE-2026-58015
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/db9c8fae398b0c457e660ce63dd5afec8993046a]
+
+Backport Changes:
+- Added <stdint.h> include because the target branch does not otherwise
+ expose uint8_t used by the upstream validation code during native builds.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+(cherry picked from commit db9c8fae398b0c457e660ce63dd5afec8993046a)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ gio/gdbusauthmechanismsha1.c | 37 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+diff --git a/gio/gdbusauthmechanismsha1.c b/gio/gdbusauthmechanismsha1.c
+index c8aa089..7f348d8 100644
+--- a/gio/gdbusauthmechanismsha1.c
++++ b/gio/gdbusauthmechanismsha1.c
+@@ -22,6 +22,7 @@
+
+ #include "config.h"
+
++#include <stdint.h>
+ #include <string.h>
+ #include <fcntl.h>
+ #include <errno.h>
+@@ -1198,6 +1198,34 @@ mechanism_client_initiate (GDBusAuthMechanism *mechanism,
+ return initial_response;
+ }
+
++/* Context names must be valid ASCII, nonzero length, and may not contain the
++ * characters slash ("/"), backslash ("\"), space (" "), newline ("\n"),
++ * carriage return ("\r"), tab ("\t"), or period (".").
++ *
++ * See https://dbus.freedesktop.org/doc/dbus-specification.html#auth-mechanisms-sha */
++static gboolean
++validate_cookie_context (const char *cookie_context)
++{
++ size_t i = 0;
++
++ g_return_val_if_fail (cookie_context != NULL, FALSE);
++
++ for (i = 0; cookie_context[i] != '\0'; i++)
++ {
++ if ((uint8_t) cookie_context[i] >= 128 ||
++ cookie_context[i] == '/' ||
++ cookie_context[i] == '\\' ||
++ cookie_context[i] == ' ' ||
++ cookie_context[i] == '\n' ||
++ cookie_context[i] == '\r' ||
++ cookie_context[i] == '\t' ||
++ cookie_context[i] == '.')
++ return FALSE;
++ }
++
++ return (i > 0);
++}
++
+ static void
+ mechanism_client_data_receive (GDBusAuthMechanism *mechanism,
+ const gchar *data,
+@@ -1232,6 +1260,14 @@ mechanism_client_data_receive (GDBusAuthMechanism *mechanism,
+ }
+
+ cookie_context = tokens[0];
++ if (!validate_cookie_context (tokens[0]))
++ {
++ g_free (m->priv->reject_reason);
++ m->priv->reject_reason = g_strdup_printf ("Malformed cookie_context '%s'", tokens[0]);
++ m->priv->state = G_DBUS_AUTH_MECHANISM_STATE_REJECTED;
++ goto out;
++ }
++
+ cookie_id = g_ascii_strtoll (tokens[1], &endp, 10);
+ if (*endp != '\0')
+ {
@@ -52,6 +52,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://CVE-2026-58012.patch \
file://CVE-2026-58013.patch \
file://CVE-2026-58014.patch \
+ file://CVE-2026-58015.patch \
"
SRC_URI:append:class-native = " file://relocate-modules.patch \
file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \