From patchwork Wed Jul 15 17:21:37 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92591 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 99734C44508 for ; Wed, 15 Jul 2026 17:22:01 +0000 (UTC) Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.364.1784136112203994310 for ; Wed, 15 Jul 2026 10:21:52 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=geRniJOm; spf=pass (domain: cisco.com, ip: 173.37.86.73, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=5962; q=dns/txt; s=iport01; t=1784136112; x=1785345712; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=jHkNSgkr0zsSPd6CdATF0oirU3BigwlKllvsFhzBjNs=; b=geRniJOmXQb5SoIC2oJeFUQtHZp08wFbRrR2KDizSStMBi0pxj5ylkqT 5BF01ENeSINOf6wXXCMDi3OEk73bzcm9E1+pwZ6sbKYPfXEf92YMuiLwO fwbeJFD2I9YiII3yeSkCA6py2XsNQ32JAu4zwsOFOIY4riPyS3w3YhgS8 HkfHo7JGCMrOujYYAj+G1AlPI436VaeSx4LpMQnfswphjxN+WXOLRfYf8 ND3DCtlM/NTE/i5t7uOVLz6bZrsg7/z474L2HOjYhEPuY/Bwgd03edvt3 4KJw6ToltrnU+2AmaxQ8o10BXMmzGFyJihR8gWJOiCUUxAwOv8YjpI1N/ Q==; X-CSE-ConnectionGUID: mnn4d6ECSMimtt9h2KLH/Q== X-CSE-MsgGUID: L1pjBApAR82KzhpNMzJ5DA== X-IPAS-Result: A0BFAgD+wFdq/5L/Ja1aHgEBCxIMggULgld0X0JJhFePUoIhnh6Bfg8BAQEPRA0EAQGSWAImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaASkPAXIDAQIDAiYCLSMYAQiDAgGCdAMRvQV6gTKBAYNoAkNQ2y4BBQYUAYEKLoU/gx0BhQJcGAGEfCcbG4FygRWDaYEFgVwBgSiEFIJqBIIigQyBWpAWSIECHANZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPhc0WBsHBYEdgVCBAoR2Ix8DOX+BMHVKdy1qEheBUYIUgRgDCxgNSBEsNxQbBD0BbgeNSSWCPwEeXBMBCiEigWMnIpMTkj6hEgoog3WMIZU6GjOEBJQXklELmH2OCpZQhGmBaDyBRwsHcBWDIlMZD44qAwsLhV+DFMkFPDULMgEBBwIHDgMLgWiQAIF+AQE IronPort-Data: A9a23:TyomjaA5Q6rS9BVW/3jiw5YqxClBgxIJ4kV8jS/XYbTApGwj1jBTz jdJWj2FOqyLYGX8edsjPt6xp0wP6JPSmoJlOVdlrnsFo1CmBibm6XV1Cm+qYkt+++WaFBoPA /02M4eGdIZvCCeA+n9BC5C5xVFkz6aEW7HgP+DNPyF1VGdMRTwo4f5Zs7ZRbrVA357jXmthh fuo+5eBYAD8hmYtWo4pw/vrRC1H7ayaVAww5jTSVdgT1HfCmn8cCo4oJK3ZBxPQXolOE+emc P3Ixbe/83mx109F5gSNy+uTnuUiG9Y+DCDW4pZkc/HKbitq+kTe5p0G2M80Mi+7vdkmc+dZk 72hvbToIesg0zaldO41C3G0GAkmVUFKFSOuzXWX6aSuI0P6n3TExvNoUE1oEKYj3+dyHX0f9 aY7DBBKV0XW7w626OrTpuhEnM8vKozveYgYoHwllWCfBvc9SpeFSKLPjTNa9G5v3YYVQrCEO pdfMGYxBPjDS0Un1lM/BJ8zhu60hn7XeDxDo1XTrq0yi4TW5FAgjei2aICFI7RmQ+1xx16aj Eve1l6pWDIINMS57Cinr16F07qncSTTHdh6+KeD3vlyjVuew2YeBBEbWR6wpuO0okq/QM5Eb UsM9ywjqKI/+ECmQp/6RRLQnZKflgQXV9wVF6gx7xuAj/KFpQ2YHWMDCDVGbbTKqfMLeNDj7 XfR9/uBONClmOT9pa61nltMkQ6PBA== IronPort-HdrOrdr: A9a23:zvfa5qDNMGsazKblHema55DYdb4zR+YMi2TDsHoBLCC9E/bo9f xG88506faZslsssRIb6LO90de7IE80nKQdieJ6AV7IZmbbUQWTQL2KlbGD/xTQXwvj6+Vaya BsN4J6CNH2EBxGqPyS2njdLz7lq+P3lpxBQozlvhBQcT0= X-Talos-CUID: 9a23:IHpIC2xxSWmiLkaXMO0KBgURHMZ5fiPw50z1IkqkFTdpEp6xaRiprfY= X-Talos-MUID: 9a23:lZ3i3wqjBkh2nfdnsUwezxU7LMVCyryHMhBXsocGo++hJw4tFx7I2Q== X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,165,1779148800"; d="scan'208";a="495830281" Received: from rcdn-l-core-09.cisco.com ([173.37.255.146]) by rcdn-iport-2.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 15 Jul 2026 17:21:51 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-09.cisco.com (Postfix) with ESMTPS id D557E18000238 for ; Wed, 15 Jul 2026 17:21:50 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id F02F0CC037D; Wed, 15 Jul 2026 22:51:48 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 1/6] glib-2.0: Fix CVE-2026-58010 Date: Wed, 15 Jul 2026 22:51:37 +0530 Message-Id: <20260715172142.1146263-1-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-09.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 15 Jul 2026 17:22:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241020 From: Deepak Rathore This patch applies the upstream 2.88.1 backport for CVE-2026-58010. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. [1] https://gitlab.gnome.org/GNOME/glib/-/commit/be85f9429bb66412a9775440a88cb115803ba897 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-58010 Signed-off-by: Deepak Rathore --- .../glib-2.0/files/CVE-2026-58010.patch | 113 ++++++++++++++++++ meta/recipes-core/glib-2.0/glib.inc | 1 + 2 files changed, 114 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/files/CVE-2026-58010.patch diff --git a/meta/recipes-core/glib-2.0/files/CVE-2026-58010.patch b/meta/recipes-core/glib-2.0/files/CVE-2026-58010.patch new file mode 100644 index 0000000000..9e56c8892d --- /dev/null +++ b/meta/recipes-core/glib-2.0/files/CVE-2026-58010.patch @@ -0,0 +1,113 @@ +From b1368983fea922237bc49f2651ed817f18472280 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Sun, 29 Mar 2026 19:10:41 +0100 +Subject: [PATCH] gvariant: Fix an off-by-one error in an offset comparison +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This allows a single byte out-of-bounds read off the end of the +(potentially untrusted) byte array backing a `GVariant` when it’s +being checked for normal form. + +I can’t see how this could practically be exploited, but it’s certainly +a security bug as the `GVariant` normal form checking code is supposed +to be robust to malicious inputs. + +Spotted by linhlhq as #YWH-PGM9867-190, and fix and reproducer provided +by them too, thanks. Confirmed and turned into a unit test by me. + +Fixes: #3915 + +CVE: CVE-2026-58010 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/be85f9429bb66412a9775440a88cb115803ba897] + +Signed-off-by: Philip Withnall +(cherry picked from commit be85f9429bb66412a9775440a88cb115803ba897) +Signed-off-by: Deepak Rathore +--- + glib/gvariant-serialiser.c | 2 +- + glib/tests/gvariant.c | 48 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 49 insertions(+), 1 deletion(-) + +diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c +index 1a050c40b..73f78a072 100644 +--- a/glib/gvariant-serialiser.c ++++ b/glib/gvariant-serialiser.c +@@ -1250,7 +1250,7 @@ gvs_tuple_is_normal (GVariantSerialised value) + + while (offset & alignment) + { +- if (offset > value.size || value.data[offset] != '\0') ++ if (offset >= value.size || value.data[offset] != '\0') + return FALSE; + offset++; + } +diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c +index c1d66e824..04925ae41 100644 +--- a/glib/tests/gvariant.c ++++ b/glib/tests/gvariant.c +@@ -5779,6 +5779,52 @@ test_normal_checking_tuple_offsets5 (void) + g_variant_unref (variant); + } + ++/* This is a regression test that looping over the padding bytes in a short ++ * (non-normal) tuple doesn’t overflow the input data. ++ * ++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/3915 */ ++static void ++test_normal_checking_tuple_offsets6 (void) ++{ ++ /* ++ * Type: (ynqiuxthdsog) — 12 members, first member 'y' (byte) has ++ * alignment 0, second 'n' (int16) has alignment 1. ++ * With 1 byte of data (0x28), after reading the first byte member, ++ * offset=1, alignment check for 'n' requires offset to be even, ++ * so the while loop checks value.data[1] — but size is only 1. ++ * ++ * Use heap allocation via GBytes so ASan reports heap-buffer-overflow. ++ */ ++ uint8_t *heap_data = NULL; ++ GBytes *bytes = NULL; ++ const GVariantType *data_type = G_VARIANT_TYPE ("(ynqiuxthdsog)"); ++ GVariant *variant = NULL; ++ GVariant *normal_variant = NULL; ++ GVariant *expected = NULL; ++ ++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/3915"); ++ ++ heap_data = g_malloc (1); ++ heap_data[0] = 0x28; ++ bytes = g_bytes_new_take (heap_data, 1); ++ ++ variant = g_variant_new_from_bytes (data_type, bytes, FALSE); ++ g_assert_nonnull (variant); ++ ++ g_assert_false (g_variant_is_normal_form (variant)); ++ ++ normal_variant = g_variant_get_normal_form (variant); ++ g_assert_nonnull (normal_variant); ++ ++ expected = g_variant_new_parsed ("(byte 0x28, int16 0, uint16 0, 0, uint32 0, int64 0, uint64 0, handle 0, 0.0, '', objectpath '/', signature '')"); ++ g_assert_cmpvariant (expected, variant); ++ g_assert_cmpvariant (expected, normal_variant); ++ ++ g_variant_unref (expected); ++ g_variant_unref (normal_variant); ++ g_variant_unref (variant); ++} ++ + /* Test that an otherwise-valid serialised GVariant is considered non-normal if + * its offset table entries are too wide. + * +@@ -6057,6 +6103,8 @@ main (int argc, char **argv) + test_normal_checking_tuple_offsets4); + g_test_add_func ("/gvariant/normal-checking/tuple-offsets5", + test_normal_checking_tuple_offsets5); ++ g_test_add_func ("/gvariant/normal-checking/tuple-offsets6", ++ test_normal_checking_tuple_offsets6); + g_test_add_func ("/gvariant/normal-checking/tuple-offsets/minimal-sized", + test_normal_checking_tuple_offsets_minimal_sized); + g_test_add_func ("/gvariant/normal-checking/empty-object-path", +-- +2.35.6 diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc index dee94ec060..36c837dc79 100644 --- a/meta/recipes-core/glib-2.0/glib.inc +++ b/meta/recipes-core/glib-2.0/glib.inc @@ -233,6 +233,7 @@ SRC_URI += "\ file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \ file://0010-Do-not-hardcode-python-path-into-various-tools.patch \ file://skip-timeout.patch \ + file://CVE-2026-58010.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ From patchwork Wed Jul 15 17:21:38 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92593 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7A068C44501 for ; Wed, 15 Jul 2026 17:22:11 +0000 (UTC) Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.394.1784136121418463913 for ; Wed, 15 Jul 2026 10:22:01 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=XaSyrShs; spf=pass (domain: cisco.com, ip: 173.37.86.77, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=4222; q=dns/txt; s=iport01; t=1784136121; x=1785345721; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=O4Awg/bbx3qhjSb8cfk2Nv88A0jqvqgIS+e0DKndBpM=; b=XaSyrShsDdFf7A+ukzdiRaiUBLPlF3Wpnady4bHiYCH2jb5qNGV6LsEf l8ww4pxfkqAPWeQhaZRpQHac+WWa1+pEaUr+QCDgPj7p9sCaNCVl+XOre 7f42ZDfqiQm9RAVhBBD9oCx06mItojNoHnsgPeqp4ndPtB5mc4dasdprx bM9VDvUIBmkypByIolZ6MD3vWuDDQ00BlAz0N7J2HtilyLAPXI9RfUMtb r2HSHGCi/+bbZRd3GbWC4RqogipfIM7bm95JCmwxA8ZQKnJUJ+cldq0x6 PP3mBAyNY6R0nD6tChEV3IzC8Dq0ckAn8Hdl0RB9R8zeGfT03OP3nAzXC Q==; X-CSE-ConnectionGUID: uF3FuWi5Tr2IRBZR/osg7w== X-CSE-MsgGUID: EOeYuCQPRk2v9Qo4SRPKJw== X-IPAS-Result: A0BLAgCFwFdq/5X/Ja1aglmCV3RfQkmEV49SgiEDgROdCIF+DwEBAQ9EDQQBAYUFAo1RAiY0CQ4BAgQDAgMBAQEBAQEBAQEBAQsBAQUBAQECAQcFgQ4Thk8NhloBAgEDIwQLAVYcAwECAwImAgIrIwgQAQiDAgGCdAMRvR16fzOBAYNoAkNQ2y4BBQYUAYEKLoU/gx0BhQJcGAGEfCcbG4FygRWCc3aBBYFcAYEohBSCagSCIoEMgVqQFkiBAhwDWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XNFgbBwWBHYFQgQKEdiMfAzl/gTB1SnctahIXgVGCFIEYAwsYDUgRLDcUGwQ9AW4HjUklgjgHgQ4BKxeCOaVPoRIKKIN1jCGVOhozqmwLmH2OCpVzXYRpgWg8gUcLB3AVgyJTGQ+OLQsLhV+DFMkvPDULMgEBBwIHDgMLgWiQAAImB4FPAQE IronPort-Data: A9a23:ld951avDLFIzB0AnMh0Jo9yt5efnVAdfMUV32f8akzHdYApBsoF/q tZmKT/Va/yOZzPxeYt3YYyw9U0Gu5LSyYRgS1RvrX9nQXgUgMeUXt7xwmUckM+xwmwvaGo9s q3yv/GZdJhcokf0/0nrav666yEgiclkf5KkYMbcICd9WAR4fykojBNnioYRj5Vh6TSDK1vlV eja/YuFZTdJ5xYuajhKs/3a9Us21BjPkGpwUmIWNKgjUGD2zxH5PLpHTYmtIn3xRJVjH+LSb 47r0LGj82rFyAwmA9Wjn6yTWhVirmn6ZFXmZtJ+AsBOszAazsAA+v9T2Mk0NS+7vw60c+VZk 72hg3AfpTABZcUgkMxFO/VR/roX0aduoNcrKlDn2SCfItGvn3bEm51T4E8K0YIw58gsL3xx9 KEkMmosVDqxvaWx273kVbw57igjBJGD0II3oHpsy3TdSP0hW52GGv+M7t5D1zB2jcdLdRrcT 5NGMnw0M1KaPkAJYwtGYH49tL/Aan3XfzBVsluJpa0f6GnIxws327/oWDbQUoHTHZ0KwB3C9 woq+UzUJRwrKfem8QCGqGz9v+iTphnDe6ANQejQGvlCxQf7KnYoIBoOWF22pPO0hkKzV5dUL FYZ0i4vtrQpskuzQ9/wWhe1rHKJslgbQdU4LgEhwBuGxqyR50OSAXIJC2cbLtcnr8QxAzct0 zdlgu/UONCmi5XNIVr1y1tehWra1fQ9RYPaWRI5cA== IronPort-HdrOrdr: A9a23:ptnMgqvkmtdqKRymRwE+AHcI7skDVNV00zEX/kB9WHVpm6uj5q eTdZUgpHvJYVkqNk3I9ersBEDEewK+yXcX2/h1AV7dZmjbUQKTRekIh7cKgQeQeREWndQz6U 4PScRD4aXLbWRSvILd/BSyFcomzZ2s9aClgvqb8lJWJDsaDZ2JK2xCe36m+oocfng+OaYE X-Talos-CUID: 9a23:CNjbrml0+IfbgTo05oNST7PYnhXXOWDzl1nNHE7lNXwzaYe/e2XX/7hrzNU7zg== X-Talos-MUID: 9a23:0gWvZAjldU+tvFApScNW6cMpGeBl0rmFMXg3ks8Y6vCDaRdKAxS/k2Hi X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,165,1779148800"; d="scan'208";a="510076329" Received: from rcdn-l-core-12.cisco.com ([173.37.255.149]) by rcdn-iport-6.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 15 Jul 2026 17:22:00 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-12.cisco.com (Postfix) with ESMTPS id 3FC7E180001F7 for ; Wed, 15 Jul 2026 17:22:00 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id 5FA4ECC037D; Wed, 15 Jul 2026 22:51:58 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 2/6] glib-2.0: Fix CVE-2026-58011 Date: Wed, 15 Jul 2026 22:51:38 +0530 Message-Id: <20260715172142.1146263-2-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260715172142.1146263-1-deeratho@cisco.com> References: <20260715172142.1146263-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-12.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 15 Jul 2026 17:22:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241021 From: Deepak Rathore This patch applies the upstream 2.88.1 backport for CVE-2026-58011. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. [1] https://gitlab.gnome.org/GNOME/glib/-/commit/5627b376381f7bfe98f4c64bc2d9d363457ddb82 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-58011 Signed-off-by: Deepak Rathore --- .../glib-2.0/files/CVE-2026-58011.patch | 78 +++++++++++++++++++ meta/recipes-core/glib-2.0/glib.inc | 1 + 2 files changed, 79 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/files/CVE-2026-58011.patch diff --git a/meta/recipes-core/glib-2.0/files/CVE-2026-58011.patch b/meta/recipes-core/glib-2.0/files/CVE-2026-58011.patch new file mode 100644 index 0000000000..e90891bffe --- /dev/null +++ b/meta/recipes-core/glib-2.0/files/CVE-2026-58011.patch @@ -0,0 +1,78 @@ +From 456bd48b32bfc79ebb69a5dcc8d86b0ce99f71d6 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Sun, 29 Mar 2026 23:46:17 +0100 +Subject: [PATCH] gdatetime: Add missing range validation to + g_date_time_add_full() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise it’s possible to create a non-`NULL` but invalid `GDateTime`, +which breaks all kinds of internal assumptions. + +Spotted by linhlhq as #YWH-PGM9867-191. Thanks to them for providing a +suggested fix and a test case, which I have adapted and validated. + +Fixes: #3917 + +CVE: CVE-2026-58011 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/5627b376381f7bfe98f4c64bc2d9d363457ddb82] + +Backport Changes: +- Used the target branch's existing literal day bounds because it does + not have upstream's MIN_DAYS/MAX_DAYS helper macros. + +Signed-off-by: Philip Withnall +(cherry picked from commit 5627b376381f7bfe98f4c64bc2d9d363457ddb82) +Signed-off-by: Deepak Rathore +--- + glib/gdatetime.c | 4 +++- + glib/tests/gdatetime.c | 18 ++++++++++++++++++ + 2 files changed, 21 insertions(+), 1 deletion(-) + +diff --git a/glib/gdatetime.c b/glib/gdatetime.c +index 8d67354cf..cca2cdae3 100644 +--- a/glib/gdatetime.c ++++ b/glib/gdatetime.c +@@ -2076,7 +2076,9 @@ g_date_time_add_full (GDateTime *datetime, + new->days = full_time / USEC_PER_DAY; + new->usec = full_time % USEC_PER_DAY; + +- /* XXX validate */ ++ /* Validate it’s still in the range 0001-01-01 to 9999-12-31 */ ++ if (new->days < 1 || new->days > 3652059) ++ g_clear_pointer (&new, g_date_time_unref); + + return new; + } +diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c +index 08e4075e9..d003a5445 100644 +--- a/glib/tests/gdatetime.c ++++ b/glib/tests/gdatetime.c +@@ -1146,6 +1146,24 @@ test_GDateTime_add_full (void) + TEST_ADD_FULL (2010, 8, 25, 22, 45, 0, + 0, 1, 6, 1, 25, 0, + 2010, 10, 2, 0, 10, 0); ++ ++#define TEST_ADD_FULL_ERROR(y,m,d,h,mi,s,ay,am,ad,ah,ami,as) G_STMT_START { \ ++ GDateTime *dt; \ ++ dt = g_date_time_new_utc (y, m, d, h, mi, s); \ ++ g_assert_null (g_date_time_add_full (dt, ay, am, ad, ah, ami, as)); \ ++ g_date_time_unref (dt); \ ++} G_STMT_END ++ ++ TEST_ADD_FULL_ERROR ( 1, 12, 1, 0, 0, 0, ++ -1, 0, 0, 0, 0, 0); ++ TEST_ADD_FULL_ERROR ( 1, 12, 1, 0, 0, 0, ++ 10000, 0, 0, 0, 0, 0); ++ TEST_ADD_FULL_ERROR ( 9999, 12, 1, 0, 0, 0, ++ -10000, 0, 0, 0, 0, 0); ++ TEST_ADD_FULL_ERROR ( 1, 12, 1, 0, 0, 0, ++ 0, 0, 3660001, 0, 0, 0); ++ TEST_ADD_FULL_ERROR ( 9999, 12, 1, 0, 0, 0, ++ 0, 0, -3660001, 0, 0, 0); + } + + static void +-- +2.35.6 diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc index 36c837dc79..c961dbf660 100644 --- a/meta/recipes-core/glib-2.0/glib.inc +++ b/meta/recipes-core/glib-2.0/glib.inc @@ -234,6 +234,7 @@ SRC_URI += "\ file://0010-Do-not-hardcode-python-path-into-various-tools.patch \ file://skip-timeout.patch \ file://CVE-2026-58010.patch \ + file://CVE-2026-58011.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ From patchwork Wed Jul 15 17:21:39 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92592 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8B333C4450E for ; Wed, 15 Jul 2026 17:22:11 +0000 (UTC) Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.373.1784136129372618327 for ; Wed, 15 Jul 2026 10:22:09 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=NUd9NR76; spf=pass (domain: cisco.com, ip: 173.37.86.78, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=9556; q=dns/txt; s=iport01; t=1784136129; x=1785345729; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=LbNSY/3foQvgK3kS7yMJCC9GYUsI1esYG0ZYuG5DRUQ=; b=NUd9NR76HlDR5oJ233kvQcGLExd6pd1P+8W1cR0umiDTYLfbyLOJ9qr4 Gs+NyE9JtS/c6nZXn1yQjEBZ3kXZdbp5Bxyt+7YQEzWXd3RY4kbh/pZ6X fMvWqy8/Sd1I4n7s2tYkYjMBnR+5IvyG8XiKlxbQ6agCekBlbhSu+dz06 /Yra7eJhXZWiW2jeIjidCmThyXqicAGfUGdG2WVm8dsKIAoDbFY/kBYZo V0RS6jGmHddTp2f5KcOE0LFnM+bGbsMy+Ww6VkXjeG0hVy4LhkZgV8qJn TPIsf6fj9G1li/Q9k/hoPyRQt7DIqcE1HpFLmPQw0CihOz5IsVVoMiZKa w==; X-CSE-ConnectionGUID: YQ5NaR6iQUKMZEOV1Gmwfw== X-CSE-MsgGUID: +fTRmwSVSMGDhNfhad6WBg== X-IPAS-Result: A0BJAgD+wFdq/4z/Ja1aHgEBCxIMggULgld0X0JJhFePUoIhA54bgX4PAQEBD0QNBAEBhQUCjVECJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgECAQMjBAsBVhwDAQIDAiYCAisjCBEIgwIBgnQDEb0Fen8zgQGDaAJDUNsuAQUGFAGBCi6FP4MdAYUCXBgBhHwnGxuBcoEVg2mBBYFcAYU8gmoEgiKBDIFagiSNckiBAhwDWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XNFgbBwWBHYFQgQKEdiMfAzl/gTB1SnctahIXgVGCFIEYAwsYDUgRLDcUGwQ9AW4HjUklgjgGAYEECgErIn6BLpMTAQmSNKESCiiDdYwhlToaM4QElBeSUQuYfY4Klg5ChGmBaDyBRAMLB3AVO4JnUxkPjioDCwuFX4MUyQU8NQsyAQEHAgcOAwuBaJF+AQE IronPort-Data: A9a23:J4/A/64z8KZlZZyaVfBEZgxRtGnGchMFZxGqfqrLsTDasY5as4F+v mMdUDyDM/yKYzOmLoh2bty+8U4B7JWAy4UwS1E/+3o3Zn8b8sCt6fZ1gavT04J+CuWZESqLO u1HMoGowPgcFyGa/lH2dOC98RGQ7InQLpLkEunIJyttcgFtTSYlmHpLlvUw6mJSqYDR7zil5 5Wo/qUzBHf/g2Qqaj1NtvrawP9SlK2aVA0w7wRWic9j5Dcyp1FNZLoDKKe4KWfPQ4U8NoaSW +bZwbilyXjS9hErB8nNuu6TnpoiG+O60aCm0xK6aoD66vRwjnVaPpUTaJLwXXxqZwChxLid/ jniWauYEm/FNoWU8AgUvoIx/ytWZcWq85efSZSzXFD6I0DuKxPRL/tS4E4eDLRF3O9NX2B3y N89Gh0qUEmsgv243+fuIgVsrpxLwMjDJogTvDRkiDreF/tjGcuFSKTR7tge1zA17ixMNa+BP IxCNnw1MUmGOkEXUrsUIMpWcOOAinTyaTREqFW9rqss6G+Vxwt0uFToGIeNK4DSHZ0IxC50o EqF8VjDBw4hCue65haF1Hysj+ORogn0Ddd6+LqQs6QCbEeo7msLBRsbUFG2rfW0hgu1XMhSA 0gV4TY1668q+UqmS9PwUxG1rDiDpBF0ZjZLO/cx5AfIzu/f5ByUQzBfCDVAc9ch8sQxQFTGy 2O0oj8gPhQ32JX9dJ5X3u78Qe+aUcTNEVI/WA== IronPort-HdrOrdr: A9a23:O+VzcatbhcIZScW5+qi1LiKn7skDVNV00zEX/kB9WHVpm6uj5q eTdZUgpHvJYVkqNk3I9ersBEDEewK+yXcX2/h1AV7dZmjbUQKTRekIh7cKgQeQeREWndQz6U 4PScRD4aXLbWRSvILd/BSyFcomzZ2s9aClgvqb8lJWJDsaDZ2JK2xCe36m+oocfng+OaYE X-Talos-CUID: 9a23:te0H9GrdE+9pJK3s0PELAvTmUfEcL1vU9inRGnKbLFREb4PMZlqP9rwxxg== X-Talos-MUID: 9a23:psiyNwgvpZRVnharvr9ilMMpd8lU2aGxM342tLoqu++KNSV8ZQi3g2Hi X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,165,1779148800"; d="scan'208";a="509400052" Received: from rcdn-l-core-03.cisco.com ([173.37.255.140]) by rcdn-iport-7.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 15 Jul 2026 17:22:08 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-03.cisco.com (Postfix) with ESMTPS id 179B0180001C0 for ; Wed, 15 Jul 2026 17:22:08 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id 39B86CC037D; Wed, 15 Jul 2026 22:52:06 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 3/6] glib-2.0: Fix CVE-2026-58012 Date: Wed, 15 Jul 2026 22:51:39 +0530 Message-Id: <20260715172142.1146263-3-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260715172142.1146263-1-deeratho@cisco.com> References: <20260715172142.1146263-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-03.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 15 Jul 2026 17:22:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241022 From: Deepak Rathore This patch applies the upstream 2.88.1 backport for CVE-2026-58012. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. [1] https://gitlab.gnome.org/GNOME/glib/-/commit/e680a53224e23cc8037dcf54761d6dad0f3396f9 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-58012 Signed-off-by: Deepak Rathore --- .../glib-2.0/files/CVE-2026-58012.patch | 228 ++++++++++++++++++ meta/recipes-core/glib-2.0/glib.inc | 1 + 2 files changed, 229 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/files/CVE-2026-58012.patch diff --git a/meta/recipes-core/glib-2.0/files/CVE-2026-58012.patch b/meta/recipes-core/glib-2.0/files/CVE-2026-58012.patch new file mode 100644 index 0000000000..b76098a9a5 --- /dev/null +++ b/meta/recipes-core/glib-2.0/files/CVE-2026-58012.patch @@ -0,0 +1,228 @@ +From ad9d1b063a6e46d5541e40198725d21f0804de9f Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Tue, 31 Mar 2026 16:13:57 +0100 +Subject: [PATCH] gregex: Fix case changing substitutions with G_REGEX_RAW + +In `G_REGEX_RAW` mode, the input string is treated as a byte array +(basically ASCII) rather than a unichar array. Accordingly, the case +changing code for substitutions needs to operate on bytes with +`G_REGEX_RAW`, rather than operating on unichars. + +This fixes a potential buffer overflow when trying to do a case change +on a match of a set of bytes which are a truncated multi-byte UTF-8 +encoding at the end of the input buffer. + +Spotted by linhlhq as #YWH-PGM9867-193. I adapted their reproducer as +the unit test, but implemented the fix in `gregex.c` independently. + +Fixes: #3918 + +CVE: CVE-2026-58012 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/e680a53224e23cc8037dcf54761d6dad0f3396f9] + +Signed-off-by: Philip Withnall +(cherry picked from commit e680a53224e23cc8037dcf54761d6dad0f3396f9) +Signed-off-by: Deepak Rathore +--- + glib/gregex.c | 59 ++++++++++++++++++++++++++++++++++------------ + glib/tests/regex.c | 53 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 97 insertions(+), 15 deletions(-) + +diff --git a/glib/gregex.c b/glib/gregex.c +index 52d09f1e4..c26171415 100644 +--- a/glib/gregex.c ++++ b/glib/gregex.c +@@ -3422,19 +3422,25 @@ split_replacement (const gchar *replacement, + return g_list_reverse (list); + } + +-/* Change the case of c based on change_case. */ +-#define CHANGE_CASE(c, change_case) \ ++/* Change the case of c based on change_case. ++ * g_ascii_to*() will happily pass through non-ASCII bytes unchanged. */ ++#define UTF8_CHANGE_CASE(c, change_case) \ + (((change_case) & CHANGE_CASE_LOWER_MASK) ? \ + g_unichar_tolower (c) : \ + g_unichar_toupper (c)) ++#define RAW_CHANGE_CASE(c, change_case) \ ++ (((change_case) & CHANGE_CASE_LOWER_MASK) ? \ ++ g_ascii_tolower (c) : \ ++ g_ascii_toupper (c)) + ++/* If @text_is_raw is set, @text might not be valid UTF-8 (but will be ++ * nul-terminated). */ + static void + string_append (GString *string, + const gchar *text, ++ gboolean text_is_raw, + ChangeCase *change_case) + { +- gunichar c; +- + if (text[0] == '\0') + return; + +@@ -3444,22 +3450,44 @@ string_append (GString *string, + } + else if (*change_case & CHANGE_CASE_SINGLE_MASK) + { +- c = g_utf8_get_char (text); +- g_string_append_unichar (string, CHANGE_CASE (c, *change_case)); +- g_string_append (string, g_utf8_next_char (text)); ++ if (!text_is_raw) ++ { ++ gunichar c = g_utf8_get_char (text); ++ g_string_append_unichar (string, UTF8_CHANGE_CASE (c, *change_case)); ++ g_string_append (string, g_utf8_next_char (text)); ++ } ++ else ++ { ++ g_string_append_c (string, RAW_CHANGE_CASE (text[0], *change_case)); ++ g_string_append (string, text + 1); ++ } ++ + *change_case = CHANGE_CASE_NONE; + } + else + { +- while (*text != '\0') ++ if (!text_is_raw) + { +- c = g_utf8_get_char (text); +- g_string_append_unichar (string, CHANGE_CASE (c, *change_case)); +- text = g_utf8_next_char (text); ++ while (*text != '\0') ++ { ++ gunichar c = g_utf8_get_char (text); ++ g_string_append_unichar (string, UTF8_CHANGE_CASE (c, *change_case)); ++ text = g_utf8_next_char (text); ++ } ++ } ++ else ++ { ++ while (*text != '\0') ++ { ++ char c = *text; ++ g_string_append_c (string, RAW_CHANGE_CASE (c, *change_case)); ++ text++; ++ } + } + } + } + ++/* @match_info is (nullable) */ + static gboolean + interpolate_replacement (const GMatchInfo *match_info, + GString *result, +@@ -3469,6 +3497,7 @@ interpolate_replacement (const GMatchInfo *match_info, + InterpolationData *idata; + gchar *match; + ChangeCase change_case = CHANGE_CASE_NONE; ++ gboolean is_raw = (match_info != NULL && (match_info->regex->orig_compile_opts & G_REGEX_RAW)); + + for (list = data; list; list = list->next) + { +@@ -3476,10 +3505,10 @@ interpolate_replacement (const GMatchInfo *match_info, + switch (idata->type) + { + case REPL_TYPE_STRING: +- string_append (result, idata->text, &change_case); ++ string_append (result, idata->text, is_raw, &change_case); + break; + case REPL_TYPE_CHARACTER: +- g_string_append_c (result, CHANGE_CASE (idata->c, change_case)); ++ g_string_append_c (result, UTF8_CHANGE_CASE (idata->c, change_case)); + if (change_case & CHANGE_CASE_SINGLE_MASK) + change_case = CHANGE_CASE_NONE; + break; +@@ -3487,7 +3516,7 @@ interpolate_replacement (const GMatchInfo *match_info, + match = g_match_info_fetch (match_info, idata->num); + if (match) + { +- string_append (result, match, &change_case); ++ string_append (result, match, is_raw, &change_case); + g_free (match); + } + break; +@@ -3495,7 +3524,7 @@ interpolate_replacement (const GMatchInfo *match_info, + match = g_match_info_fetch_named (match_info, idata->text); + if (match) + { +- string_append (result, match, &change_case); ++ string_append (result, match, is_raw, &change_case); + g_free (match); + } + break; +diff --git a/glib/tests/regex.c b/glib/tests/regex.c +index a774683f7..ed1585141 100644 +--- a/glib/tests/regex.c ++++ b/glib/tests/regex.c +@@ -2531,6 +2531,58 @@ test_compiled_regex_after_jit_failure (void) + g_regex_unref (regex); + } + ++static void ++test_replace_raw_change_case (void) ++{ ++ GError *local_error = NULL; ++ GRegex *regex = NULL; ++ ++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/3918"); ++ g_test_summary ("Test that case changes as part of a replacement are handled correctly in G_REGEX_RAW mode"); ++ ++ /* ++ * Match a multi-byte sequence in RAW mode. The pattern matches ++ * exactly 2 bytes. The subject contains a 4-byte UTF-8 lead (0xF4) ++ * followed by only one continuation byte, then NUL. ++ * ++ * The matched substring will be "\xf4\x80" (2 bytes, heap-allocated ++ * as 3-byte buffer with NUL). If the code regresses and tries to handle ++ * the replacement as UTF-8 then g_utf8_get_char() would see 0xF4 and try ++ * to read 4 bytes, going 1 byte past the NUL into OOB territory. ++ */ ++ regex = g_regex_new ("..", G_REGEX_RAW, 0, &local_error); ++ g_assert_no_error (local_error); ++ ++ /* ++ * Build a subject string with truncated UTF-8. ++ * \xF4 = 4-byte UTF-8 lead byte ++ * \x80 = continuation byte ++ * No 3rd/4th continuation bytes — the match is only 2 bytes. ++ * ++ * \U\0 = uppercase the entire match → triggers string_append() ++ * with case change on the 2-byte non-UTF-8 match. ++ */ ++ char subject[] = "\xf4\x80"; ++ char *result = g_regex_replace (regex, subject, -1, 0, "\\U\\0", 0, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_clear_pointer (&result, g_free); ++ g_clear_pointer (®ex, g_regex_unref); ++ ++ /* ++ * Second variant: single-char case change \u with \0 backreference. ++ */ ++ regex = g_regex_new (".", G_REGEX_RAW, 0, &local_error); ++ g_assert_no_error (local_error); ++ ++ char subject2[] = "\xe6\xb0"; /* 3-byte UTF-8 lead, only 2 bytes */ ++ result = g_regex_replace (regex, subject2, -1, 0, "\\u\\0", 0, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_clear_pointer (&result, g_free); ++ g_clear_pointer (®ex, g_regex_unref); ++} ++ + int + main (int argc, char *argv[]) + { +@@ -2552,6 +2604,7 @@ main (int argc, char *argv[]) + g_test_add_func ("/regex/jit-unsupported-matching", test_jit_unsupported_matching_options); + g_test_add_func ("/regex/unmatched-named-subpattern", test_unmatched_named_subpattern); + g_test_add_func ("/regex/compiled-regex-after-jit-failure", test_compiled_regex_after_jit_failure); ++ g_test_add_func ("/regex/replace-raw-change-case", test_replace_raw_change_case); + + /* TEST_NEW(pattern, compile_opts, match_opts) */ + TEST_NEW("[A-Z]+", G_REGEX_CASELESS | G_REGEX_EXTENDED | G_REGEX_OPTIMIZE, G_REGEX_MATCH_NOTBOL | G_REGEX_MATCH_PARTIAL); +-- +2.35.6 diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc index c961dbf660..767f63d6d9 100644 --- a/meta/recipes-core/glib-2.0/glib.inc +++ b/meta/recipes-core/glib-2.0/glib.inc @@ -235,6 +235,7 @@ SRC_URI += "\ file://skip-timeout.patch \ file://CVE-2026-58010.patch \ file://CVE-2026-58011.patch \ + file://CVE-2026-58012.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ From patchwork Wed Jul 15 17:21:40 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92595 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 78D16C44501 for ; Wed, 15 Jul 2026 17:22:21 +0000 (UTC) Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.375.1784136136323958637 for ; Wed, 15 Jul 2026 10:22:16 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=FNl0RBx9; spf=pass (domain: cisco.com, ip: 173.37.86.79, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=6510; q=dns/txt; s=iport01; t=1784136136; x=1785345736; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=PAhg+1RYDuo4h/fvEzprJVABQ5l73yTTOWJIDpAGhbo=; b=FNl0RBx9rJXCLrPFmlYKYksQZhf7RTWGqjcbAFx3grGTVQcT1A3kSW8m klU4x2fQ7QQUJFeI0IxsdmUi9GO0+hOT7/etrefZWXSx4kwCMDDZzBzFV gH81a/9AaKZfzNxqY0ZBrAs3crh8iGEwVZg9me0KhunaIxU0PbxRiwBLu rlfaIfIp8wB+oNWTgiXykw3XeH3ujr1Yh+utP99r8okRxtuW11r2N+HKd 2WNKp2DUDB7Jz9IKGztkftoERyJ2yN6XlVV18bBFZ+10s6i4cL/yIXgmh 07xpKzD7ul4ZFneZ1Zgf6VSav58RJUIocXMA1wd8yJQ7hJ+Zbhy4881MM A==; X-CSE-ConnectionGUID: DLzFh7uDRVuHkF5p5MM4Iw== X-CSE-MsgGUID: dUKk6tVXSbOQxX5f2fLAAA== X-IPAS-Result: A0BKAgD+wFdq/4v/Ja1aHgEBCxIMggULgld0X0JJhFePUoIhA4ETnQiBfg8BAQEPRA0EAQGFBQKNUQImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaAQIBAyMECwFWHAMBAgMCJgICKyMIEAEIgwIBgnQDEb0Fen8zgQGDaAJDUNsuAQUGFAGBCi6FP4MdAYUCXBgBhHwnGxuBcoEVgnN2gQWBXAGBKBuDeYJqBIIigQyBWpAWSIECHANZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPhc0WBsHBYEdgVCBAoR2Ix8DOX+BMHVKdy1qEheBUYIUgRgDCxgNSBEsNxQbBD0BbgeNSSWCPz1RASuCUCqlJaESCiiDdYwhlToaM4QElBeSUQuYfY4KllCEaYFoPIFHCwdwFYMiUxkPjioDCwuFX4MUyQU8NQsyAQEHAgcOAwuBaJAAAiYEA4FPAQE IronPort-Data: A9a23:4y8rla5sPjV0DUPoKBhfLAxRtGnGchMFZxGqfqrLsTDasY5as4F+v mZOXWHTOq6DZTemLdt3aIWw9kIC7JTQx4JkHgQ/q3wwZn8b8sCt6fZ1gavT04J+CuWZESqLO u1HMoGowPgcFyGa/lH2dOC98RGQ7InQLpLkEunIJyttcgFtTSYlmHpLlvUw6mJSqYDR7zil5 5Wo/qUzBHf/g2Qqaj1NtvrawP9SlK2aVA0w7wRWic9j5Dcyp1FNZLoDKKe4KWfPQ4U8NoaSW +bZwbilyXjS9hErB8nNuu6TnpoiG+O60aCm0xK6aoD66vRwjnVaPpUTaJLwXXxqZwChxLid/ jniWauYEm/FNoWU8AgUvoIx/ytWZcWq85efSZSzXFD6I0DuKxPRL/tS4E4eEakK1OYoHE10y +E4Kx5Qdk2mor6X3+fuIgVsrpxLwMjDJogTvDRkiDreF/tjGcqFSKTR7tge1zA17ixMNa+BP IxCNnw1MUmGOkYeUrsUIMpWcOOAinTyaTREqFW9rqss6G+Vxwt0uFToGIeNI4PbH50Kwy50o ErKwkf6XA0kBOeV7gOVwi+i3OHrtArSDdd6+LqQs6QCbEeo7msLBRsbUFG2rfW0hgu1XMhSA 0gV4TY1668q+UqmS9PwUxG1rDiDpBF0ZjZLO/cx5AfIzu/f5ByUQzBeCDVAc9ch8sQxQFTGy 2O0oj8gPhQ32JX9dJ5X3u78Qe+aUcTNEVI/WA== IronPort-HdrOrdr: A9a23:/zzz76FCGnbXp7g8pLqEyseALOsnbusQ8zAXPidKOHtom62j5q STdZsguyMc5Ax9ZJhko6HiBEDiewK4yXcK2+gs1N6ZNWGM0ldAbrsSj7cKqAeOJ8SRzIJgPN 9bE5RWOZnXEUVwi9r87U2TFtYtx8TCzYWT7N2uqUuEiWpRGtldB8ATMHfjLnFL X-Talos-CUID: 9a23:xFlduWu8w60Ll1++4AHMeIGJ6IsJVm/zzCjND3WGFEZqZuCNFHq1pIJ7xp8= X-Talos-MUID: 9a23:ktm4cAlv38aJ+uYlLCy7dnpuCeRrvbiQOHsHtqwWi5SKbyJUEh602WE= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,165,1779148800"; d="scan'208";a="501792075" Received: from rcdn-l-core-02.cisco.com ([173.37.255.139]) by rcdn-iport-8.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 15 Jul 2026 17:22:15 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-02.cisco.com (Postfix) with ESMTPS id 0E12A18000203 for ; Wed, 15 Jul 2026 17:22:15 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id 2DF88CC037D; Wed, 15 Jul 2026 22:52:13 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 4/6] glib-2.0: Fix CVE-2026-58013 Date: Wed, 15 Jul 2026 22:51:40 +0530 Message-Id: <20260715172142.1146263-4-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260715172142.1146263-1-deeratho@cisco.com> References: <20260715172142.1146263-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-02.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 15 Jul 2026 17:22:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241023 From: Deepak Rathore This patch applies the upstream 2.88.1 backport for CVE-2026-58013. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. [1] https://gitlab.gnome.org/GNOME/glib/-/commit/6a2583dec39bfe05553b16d9b7419d6c2a257244 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-58013 Signed-off-by: Deepak Rathore --- .../glib-2.0/files/CVE-2026-58013.patch | 140 ++++++++++++++++++ meta/recipes-core/glib-2.0/glib.inc | 1 + 2 files changed, 141 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/files/CVE-2026-58013.patch diff --git a/meta/recipes-core/glib-2.0/files/CVE-2026-58013.patch b/meta/recipes-core/glib-2.0/files/CVE-2026-58013.patch new file mode 100644 index 0000000000..5677c91e09 --- /dev/null +++ b/meta/recipes-core/glib-2.0/files/CVE-2026-58013.patch @@ -0,0 +1,140 @@ +From 6ced6ddb7c85bd7b6bd614835c030983078662d6 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Tue, 28 Apr 2026 16:45:14 +0100 +Subject: [PATCH] giochannel: Fix memcmp() off the end of the buffer with long + terminators +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the line terminator is longer than a single byte, and the current +line extends to the end of the buffer, and the buffer (which is a +`GString`) is near a power of two in length (as that’s how `GString`s +are allocated) it’s possible for the `memcmp()` which checks the +terminator to read off the end of the string buffer. + +Fix that by checking the terminator length against the last character +before calling `memcmp()`. Add a unit test. + +Spotted by linhlhq as #YWH-PGM9867-199. The fix is theirs (validated by +me), and the unit test is adapted from their proof of concept. + +Fixes: #3925 + +CVE: CVE-2026-58013 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/6a2583dec39bfe05553b16d9b7419d6c2a257244] + +Backport Changes: +- Added the include for the regression test because these target + branches do not otherwise expose uint8_t in glib/tests/io-channel.c. + +Signed-off-by: Philip Withnall +(cherry picked from commit 6a2583dec39bfe05553b16d9b7419d6c2a257244) +Signed-off-by: Deepak Rathore +--- + glib/giochannel.c | 3 ++- + glib/tests/io-channel.c | 61 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 63 insertions(+), 1 deletion(-) + +diff --git a/glib/giochannel.c b/glib/giochannel.c +index e54aea256..640f698cb 100644 +--- a/glib/giochannel.c ++++ b/glib/giochannel.c +@@ -1828,7 +1828,8 @@ read_again: + { + if (channel->line_term) + { +- if (memcmp (channel->line_term, nextchar, line_term_len) == 0) ++ if ((size_t) (lastchar - nextchar) >= line_term_len && ++ memcmp (channel->line_term, nextchar, line_term_len) == 0) + { + line_length = nextchar - use_buf->str; + got_term_len = line_term_len; +diff --git a/glib/tests/io-channel.c b/glib/tests/io-channel.c +index cab486932..3ff5d38e3 100644 +--- a/glib/tests/io-channel.c ++++ b/glib/tests/io-channel.c +@@ -29,6 +29,7 @@ + + #include + #include ++#include + + static void + test_small_writes (void) +@@ -228,6 +229,65 @@ test_read_line_embedded_nuls (void) + g_free (filename); + } + ++static void ++test_read_line_long_terminator (void) ++{ ++ uint8_t *test_data = NULL; ++ size_t test_data_len = 0; ++ int fd; ++ char *filename = NULL; ++ GIOChannel *channel = NULL; ++ GError *local_error = NULL; ++ char *line = NULL; ++ size_t line_length, terminator_pos; ++ const char *line_term; ++ int line_term_length; ++ GIOStatus status; ++ ++ g_test_summary ("Test that reading a line when using a long terminator doesn’t over-read the buffer."); ++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/work_items/3925"); ++ ++ /* Write out a temporary file containing 2047 bytes. This is enough to make it ++ * near the length of the GString buffer when read back in. */ ++ fd = g_file_open_tmp ("glib-test-io-channel-XXXXXX", &filename, &local_error); ++ g_assert_no_error (local_error); ++ g_close (g_steal_fd (&fd), NULL); ++ ++ test_data_len = 2047; ++ test_data = g_malloc (test_data_len); ++ memset (test_data, 'M', test_data_len); ++ g_file_set_contents (filename, (const gchar *) test_data, test_data_len, &local_error); ++ g_assert_no_error (local_error); ++ ++ /* Create the channel. */ ++ channel = g_io_channel_new_file (filename, "r", &local_error); ++ g_assert_no_error (local_error); ++ ++ /* Use a long line terminator so it could potentially over-read the end of the buffer. */ ++ g_io_channel_set_line_term (channel, "DEADBEEF", 8); ++ ++ line_term = g_io_channel_get_line_term (channel, &line_term_length); ++ g_assert_cmpstr (line_term, ==, "DEADBEEF"); ++ g_assert_cmpint (line_term_length, ==, 8); ++ ++ g_io_channel_set_encoding (channel, "UTF-8", &local_error); ++ g_assert_no_error (local_error); ++ ++ status = g_io_channel_read_line (channel, &line, &line_length, ++ &terminator_pos, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_cmpint (status, ==, G_IO_STATUS_NORMAL); ++ g_assert_cmpuint (line_length, ==, 2047); ++ g_assert_cmpuint (terminator_pos, ==, 2047); ++ g_assert_cmpmem (line, line_length, test_data, test_data_len); ++ ++ g_free (line); ++ g_io_channel_unref (channel); ++ g_free (test_data); ++ g_unlink (filename); ++ g_free (filename); ++} ++ + int + main (int argc, + char *argv[]) +@@ -236,6 +295,7 @@ main (int argc, + + g_test_add_func ("/io-channel/read-write", test_read_write); + g_test_add_func ("/io-channel/read-line/embedded-nuls", test_read_line_embedded_nuls); ++ g_test_add_func ("/io-channel/read-line/long-terminator", test_read_line_long_terminator); + + return g_test_run (); + } +-- +2.35.6 diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc index 767f63d6d9..2da58cad2f 100644 --- a/meta/recipes-core/glib-2.0/glib.inc +++ b/meta/recipes-core/glib-2.0/glib.inc @@ -236,6 +236,7 @@ SRC_URI += "\ file://CVE-2026-58010.patch \ file://CVE-2026-58011.patch \ file://CVE-2026-58012.patch \ + file://CVE-2026-58013.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ From patchwork Wed Jul 15 17:21:41 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92594 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 85518C4450E for ; Wed, 15 Jul 2026 17:22:21 +0000 (UTC) Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.376.1784136139026162008 for ; Wed, 15 Jul 2026 10:22:19 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=EJnQWXEx; spf=pass (domain: cisco.com, ip: 173.37.86.77, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=5128; q=dns/txt; s=iport01; t=1784136139; x=1785345739; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=TmkESNh+dOtBsX/3/u8ko7unlalUCue7TB6w2JswY4w=; b=EJnQWXExzlG4Vo3wX6+CdlUVOZuM1ZV9FX9+xXeZ7nySnm7gOe6hj7FS a2xesIdCyJ+C9RXxTU0il3kQOzpWvYvguK/3UaWiqmoihKuPZg/+R5/vu g34sXS3AMYcz4vFtwCky80LfheyM2/W2RdbuQrNzg5QxX8j3JnO9Tmi5D X1Ux5imuuRX2Pl5Yii3Wmpy7xTQFrGMDq6bNZP3AUeyNv1Q7mKBOKnjTE z4xnJxCthJ+ZSBf96UKqtQC283gnXqavrDiQAmAY76UyLHn+8H36jv/5F P/JiMXA6wmxCM7E3H05UBDb1fnCiFOfNbtP4wW0y7MYmhuzzAUPwa/wcz w==; X-CSE-ConnectionGUID: J8uiJFOCTGW+2tZjgor3WA== X-CSE-MsgGUID: k8+eVCaNQumvoNVKcmDLYg== X-IPAS-Result: A0BHAgCFwFdq/5D/Ja1aglmCV3RfQkmUKYIhA54bgX4PAQEBD0QNBAEBhQUCjVECJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgECAQMnCwFWHAMBAi8rIwgRCIMCAYJ0AxG9HYF5M4EBg2gCQ1DbLgEFBhQBgTiFP4ggXBgBhHwnGxuBcoEVg2mBBYFcAYEohn4EgiKBDIFagiSNckiBHgNZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPheBDBsHBYEdgVCBAoR2Ix8DOX+BMHVKdy1qEheBUYIUgRgDCxgNSBEsNxQbBD5uB41JJYFMcwGBDQErIlkKeFGTFRuSIaESCiiDdYwhlToaM4QElBeSUQuYfY4KllCEaYFoPIFHCwdwFTuCZ1MZD44tCwuFX4MUyS88NQsyAQEHAgcOAwuBaJAAgX4BAQ IronPort-Data: A9a23:WiBjR6wxpkXdPNdbXJR6t+dmxyrEfRIJ4+MujC+fZmUNrF6WrkUEx jMeXm+BOPeJNzP2eNEibYS/pE5Tu5XTmNcwSAM9/lhgHilAwSbn6Xt1DatR0we6dJCroJdPt p1GAjX4BJlqCCea/VH1buSJQUBUjcmgXqD7BPPPJhd/TAplTDZJoR94kobVuKYw6TSCK13L4 46aT/H3Ygf/hWYraz9MsspvlTs21BjMkGJA1rABTagjUG/2zxE9EJ8ZLKetGHr0KqE8NvK6X evK0Iai9Wrf+Ro3Yvv9+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+vpT2M4nVKtio27hc+adZ zl6ncfYpQ8BZsUgkQmGOvVSO3kW0aZuoNcrLZUj2CCe5xWuTpfi/xlhJGNmIIw61MFcPU5xt qYEGjICaQrYuMvjldpXSsE07igiBNPgMIVavjRryivUSK55B5vCWK7No9Rf2V/chOgXQq2YP JVfM2cyKk2cP3WjOX9PYH46tOuli2P2bz1fgFmUvqEwpWPUyWSd1ZCwaYKNJYLWGJw9ckCwp TKF8lrSCzcjKdmBzhy70Xmpqsv+knauMG4VPPjinhJwu3WU3mEVBRgcWFe3rPX8gUmkVvpbK lcI4WwptaU0+UmhQ9XxUhH+p2SL1iPwQPJKGOE8rQXIwa3O7kPBWS4PTyVKb5ots8peqSEW6 2JlVujBXVRH2IB5g1rEnltIhVte4RQoEFI= IronPort-HdrOrdr: A9a23:S9rq+aHeMJob3CB+pLqExMeALOsnbusQ8zAXPidKOHhom6Oj+f xG8M536fawskdzZJhCo6HkBED/exLhHPdOiOF7V4tKHjOW2ldAR7sM0WKN+VHd8lXFltJ15O NHb7V0DsH2ABxRiMb35xT9LvMbqeP3l5xBQYzlvg5QpcYAUdAH0ztE X-Talos-CUID: 9a23:761q1G3sKfonTYujQskmPrxfOJA4c1/z61zsDHD7U3pbSrKSUwSv0fYx X-Talos-MUID: 9a23:fuulDQR7SUd3HvFYRXTv1HJvCuxhxZ2zDV4Kt6slsMyoER1/bmI= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,165,1779148800"; d="scan'208";a="510076451" Received: from rcdn-l-core-07.cisco.com ([173.37.255.144]) by rcdn-iport-6.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 15 Jul 2026 17:22:18 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-07.cisco.com (Postfix) with ESMTPS id A58CD180003CF for ; Wed, 15 Jul 2026 17:22:17 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id C649BCC037D; Wed, 15 Jul 2026 22:52:15 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 5/6] glib-2.0: Fix CVE-2026-58014 Date: Wed, 15 Jul 2026 22:51:41 +0530 Message-Id: <20260715172142.1146263-5-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260715172142.1146263-1-deeratho@cisco.com> References: <20260715172142.1146263-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-07.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 15 Jul 2026 17:22:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241024 From: Deepak Rathore This patch applies the upstream 2.88.1 backport for CVE-2026-58014. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. [1] https://gitlab.gnome.org/GNOME/glib/-/commit/94ecb5b44a1cae09f481dd5e693832f129948893 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-58014 Signed-off-by: Deepak Rathore --- .../glib-2.0/files/CVE-2026-58014.patch | 106 ++++++++++++++++++ meta/recipes-core/glib-2.0/glib.inc | 1 + 2 files changed, 107 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/files/CVE-2026-58014.patch diff --git a/meta/recipes-core/glib-2.0/files/CVE-2026-58014.patch b/meta/recipes-core/glib-2.0/files/CVE-2026-58014.patch new file mode 100644 index 0000000000..41507aa549 --- /dev/null +++ b/meta/recipes-core/glib-2.0/files/CVE-2026-58014.patch @@ -0,0 +1,106 @@ +From 3aa697cd4dce40df02ed75dbe51ba411ef45f004 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Sat, 11 Apr 2026 14:42:57 +0100 +Subject: [PATCH] gkeyfile: Fix a one-byte heap under-read with + g_key_file_get_locale_string_list() + +If this method was called on a key file key which has an empty value, +`len == 0` and this leads to a one-byte under-read off the start of the +key file buffer. + +Spotted by linhlhq as #YWH-PGM9867-200. The suggested fix is theirs, and +the unit test is adapted from their report. I added the fuzzing test. + +Fixes: #3930 + +CVE: CVE-2026-58014 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/94ecb5b44a1cae09f481dd5e693832f129948893] + +Signed-off-by: Philip Withnall +(cherry picked from commit 94ecb5b44a1cae09f481dd5e693832f129948893) +Signed-off-by: Deepak Rathore +--- + fuzzing/fuzz_key.c | 9 +++++++++ + glib/gkeyfile.c | 2 +- + glib/tests/keyfile.c | 23 +++++++++++++++++++++++ + 3 files changed, 33 insertions(+), 1 deletion(-) + +diff --git a/fuzzing/fuzz_key.c b/fuzzing/fuzz_key.c +index 77cb684..7d00443 100644 +--- a/fuzzing/fuzz_key.c ++++ b/fuzzing/fuzz_key.c +@@ -26,11 +26,20 @@ test_parse (const gchar *data, + GKeyFileFlags flags) + { + GKeyFile *key = NULL; ++ char *comment = NULL; ++ char **list = NULL; + + key = g_key_file_new (); + g_key_file_load_from_data (key, (const gchar*) data, size, G_KEY_FILE_NONE, + NULL); + ++ /* Also try some additional parsing and see if it crashes */ ++ comment = g_key_file_get_comment (key, "group", "key", NULL); ++ g_free (comment); ++ ++ list = g_key_file_get_locale_string_list (key, "group", "key", "de", NULL, NULL); ++ g_strfreev (list); ++ + g_key_file_free (key); + } + +diff --git a/glib/gkeyfile.c b/glib/gkeyfile.c +index 84ddddc..5ee2296 100644 +--- a/glib/gkeyfile.c ++++ b/glib/gkeyfile.c +@@ -2462,7 +2462,7 @@ g_key_file_get_locale_string_list (GKeyFile *key_file, + } + + len = strlen (value); +- if (value[len - 1] == key_file->list_separator) ++ if (len > 0 && value[len - 1] == key_file->list_separator) + value[len - 1] = '\0'; + + list_separator[0] = key_file->list_separator; +diff --git a/glib/tests/keyfile.c b/glib/tests/keyfile.c +index 64a9ec3..da5cad8 100644 +--- a/glib/tests/keyfile.c ++++ b/glib/tests/keyfile.c +@@ -889,6 +889,28 @@ test_locale_string_multiple_loads (void) + g_free (old_locale); + } + ++static void ++test_locale_string_empty (void) ++{ ++ GKeyFile *keyfile = NULL; ++ GError *local_error = NULL; ++ const char *data = ++ "[valid]\n" ++ "key1=\n"; ++ ++ g_test_summary ("Check that loading an empty translatable string works"); ++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/3930"); ++ ++ keyfile = g_key_file_new (); ++ ++ g_key_file_load_from_data (keyfile, data, -1, G_KEY_FILE_NONE, &local_error); ++ g_assert_no_error (local_error); ++ ++ check_locale_string_list_value (keyfile, "valid", "key1", NULL, NULL); ++ ++ g_key_file_free (keyfile); ++} ++ + static void + test_lists (void) + { +@@ -2011,6 +2033,7 @@ main (int argc, char *argv[]) + g_test_add_func ("/keyfile/number", test_number); + g_test_add_func ("/keyfile/locale-string", test_locale_string); + g_test_add_func ("/keyfile/locale-string/multiple-loads", test_locale_string_multiple_loads); ++ g_test_add_func ("/keyfile/locale-string/empty", test_locale_string_empty); + g_test_add_func ("/keyfile/lists", test_lists); + g_test_add_func ("/keyfile/lists-set-get", test_lists_set_get); + g_test_add_func ("/keyfile/group-remove", test_group_remove); diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc index 2da58cad2f..018e6e55fb 100644 --- a/meta/recipes-core/glib-2.0/glib.inc +++ b/meta/recipes-core/glib-2.0/glib.inc @@ -237,6 +237,7 @@ SRC_URI += "\ file://CVE-2026-58011.patch \ file://CVE-2026-58012.patch \ file://CVE-2026-58013.patch \ + file://CVE-2026-58014.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ From patchwork Wed Jul 15 17:21:42 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92596 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 78F90C44508 for ; Wed, 15 Jul 2026 17:22:31 +0000 (UTC) Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.378.1784136142789221291 for ; Wed, 15 Jul 2026 10:22:22 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=JvXEHhEV; spf=pass (domain: cisco.com, ip: 173.37.86.74, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=4730; q=dns/txt; s=iport01; t=1784136142; x=1785345742; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=SVfnwGZLVjnuRrTU95nZWYr960traIeb6xJew49BbDc=; b=JvXEHhEVj3lTCXq8Sneal46GAaVE6v0FCvyr5UzI6x1Q9XIZc7Cvsj2I IrWrzfY93Prfpultyj97cJiNtw85QnQuwKImwD+zEruCYoneXh8PlR2O4 fcr9BQPoxRSCFTSb7SIyx7/sm7mew40vLcgyzwLUIAM2cD369R31xeOek Mdk58gwq8UfJJR07iwCsSdLIgR+dt3AX6mJI7xLDFTGstRjVGxvpSHMYK 8Qg2QY++tylZPxqTXibnW73D8Q9Ry2eommHoMvbv6Z28liZlL9xxGMi+B 811OwKmFLcuiW8xUAQVbz3wZbnhP/ZTNC0mmKpe3CN3RnFxnM992tcK2O Q==; X-CSE-ConnectionGUID: TzO/Sx20TWmkMpYQimwYNA== X-CSE-MsgGUID: A0qb3UjuR2yAZc3mZVPwuA== X-IPAS-Result: A0BLAgCFwFdq/4v/Ja1aHgEBCxIMggULgld0X0JJhFePUoIhA4ETnQiBfg8BAQEPRA0EAQGFBQKNUQImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaAQIBAyMECwE0IhwDAQIDAiYCAisjCBABCIMCAYJ0AxEGvRd6fzOBAYNoAgJAAVDbLgEFBhQBgQouhT+DHQGFAlwYAYR8JxsbgXKBFYJzdoEFgVwBA4FGg3OCagSCIoEMgVqQFkiBAhwDWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XNFgbBwWBHYFQgQKEdiMfAzl/gTB1SnctahIXgVGCFIEYAwsYDUgRLDcUGwQ9AW4HjUklgj8xXQEpAoIDLxylUaESCiiDdYwhlToaM6psC5h9jgqVNoEahGmBaDyBRwsHcBWDIlMZD44tCwuFX4MUyS88NQIJMgEBBwIHDgMLgWiQAi2BTwEB IronPort-Data: A9a23:8cu6JaLJUGVmOFz0FE+RgJQlxSXFcZb7ZxGr2PjKsXjdYENS3jABy TYeCmuEM/qINjbxL95yaYiz90xSu5OBzYAxSAod+CA2RRqmiyZq6fd1j6vUF3nPRiEWZBs/t 63yUvGZcoZsCCSa/kvxWlTYhSEU/bmSQbbhA/LzNCl0RAt1IA8skhsLd9QR2uaEuvDnRVnQ0 T/Oi5eHYgH9hGcpajt8B5+r8XuDgtyj4Fv0gXRmDRx7lAe2v2UYCpsZOZawIxPQKqFIHvS3T vr017qw+GXU5X8FUrtJRZ6iLyXm6paLVeS/oiI+t5qK23CulQRuukoPD8fwXG8M49m/c3+d/ /0W3XC4YV9B0qQhA43xWTEAe811FfUuFLMqvRFTvOTLp3AqfUcAzN1SHmZxBp1CotpIBGJr7 c0hKTUSXzaq0rfeLLKTEoGAh+w5J8XteYdasXZ6wHSBV7AtQIvIROPB4towMDUY358VW62BI ZBENHw2N0Wojx5nYj/7DLoykeqyj2X/dBVTqUmeouw85G27IAlZjeG1boKNJIbQLSlTtm/Av 2idwmbkOEsLHe6Ukj+3zEqzm8aayEsXX6pXTtVU7MVCh0WewGEWAhAaWVa35PK+kEOWX9NEN 1dS/TIjq6U3/kGnQtTxGRqirxa5UgU0QdFcFag+rQqK0KeRu1zfDWkfRTkHY9sj3CMreQEXO payt4uBLVRSXHe9EBpxKp/8QeuOBBUo IronPort-HdrOrdr: A9a23:i3X9dqDtV1t3EBHlHemO55DYdb4zR+YMi2TDsHoBLiC9E/bo8/ xG88506faZslsssTQb6LO90cq7MBbhHOBOgLX5VI3KNGKNhILrFvAB0WKI+VLd8kPFmtK1rZ 0BT4FOTPvtEFN9kcH2pCO8E9om3Z271ZrAv5a585+oJjsaE52JKGxCe3+mLnE= X-Talos-CUID: 9a23:T4dx0Gh1dL5LkWrrKuY8X5WHyzJuTm/6i0zAeReENmNqbaWkcF6V55JCup87 X-Talos-MUID: 9a23:mzlCnA3TbZ6NQRm9eQ3n6WlOMDUjyvy3Ahswk4g84ditBycrPgWjtCuqa9py X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,165,1779148800"; d="scan'208";a="510600622" Received: from rcdn-l-core-02.cisco.com ([173.37.255.139]) by rcdn-iport-3.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 15 Jul 2026 17:22:21 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-02.cisco.com (Postfix) with ESMTPS id 889B91800020D for ; Wed, 15 Jul 2026 17:22:21 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id A98E8CC037D; Wed, 15 Jul 2026 22:52:19 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 6/6] glib-2.0: Fix CVE-2026-58015 Date: Wed, 15 Jul 2026 22:51:42 +0530 Message-Id: <20260715172142.1146263-6-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260715172142.1146263-1-deeratho@cisco.com> References: <20260715172142.1146263-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-02.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 15 Jul 2026 17:22:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241025 From: Deepak Rathore This patch applies the upstream 2.88.1 backport for CVE-2026-58015. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. [1] https://gitlab.gnome.org/GNOME/glib/-/commit/db9c8fae398b0c457e660ce63dd5afec8993046a [2] https://nvd.nist.gov/vuln/detail/CVE-2026-58015 Signed-off-by: Deepak Rathore --- .../glib-2.0/files/CVE-2026-58015.patch | 95 +++++++++++++++++++ meta/recipes-core/glib-2.0/glib.inc | 1 + 2 files changed, 96 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/files/CVE-2026-58015.patch diff --git a/meta/recipes-core/glib-2.0/files/CVE-2026-58015.patch b/meta/recipes-core/glib-2.0/files/CVE-2026-58015.patch new file mode 100644 index 0000000000..25a7f3428b --- /dev/null +++ b/meta/recipes-core/glib-2.0/files/CVE-2026-58015.patch @@ -0,0 +1,95 @@ +From 95ab8e4641a7bd9562872214af9335023c030aed Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Tue, 28 Apr 2026 15:47:30 +0100 +Subject: [PATCH] gdbusauthmechanismsha1: Validate cookie context +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Without validation, the server could send a malicious context which +contains path traversal characters, allowing it to exfiltrate a SHA-1 +hashed copy of arbitrary data from the client’s file system. + +To exploit this successfully would require the client to choose to +connect peer-to-peer to a malicious D-Bus server and to choose the SHA-1 +authentication mechanism in preference to all the other mechanisms. This +is vanishingly unlikely. + +Fixes: #3931 + +CVE: CVE-2026-58015 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/db9c8fae398b0c457e660ce63dd5afec8993046a] + +Backport Changes: +- Added include because the target branch does not otherwise + expose uint8_t used by the upstream validation code during native builds. + +Signed-off-by: Philip Withnall +(cherry picked from commit db9c8fae398b0c457e660ce63dd5afec8993046a) +Signed-off-by: Deepak Rathore +--- + gio/gdbusauthmechanismsha1.c | 37 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 37 insertions(+) + +diff --git a/gio/gdbusauthmechanismsha1.c b/gio/gdbusauthmechanismsha1.c +index c8aa089..7f348d8 100644 +--- a/gio/gdbusauthmechanismsha1.c ++++ b/gio/gdbusauthmechanismsha1.c +@@ -22,6 +22,7 @@ + + #include "config.h" + ++#include + #include + #include + #include +@@ -1198,6 +1198,34 @@ mechanism_client_initiate (GDBusAuthMechanism *mechanism, + return initial_response; + } + ++/* Context names must be valid ASCII, nonzero length, and may not contain the ++ * characters slash ("/"), backslash ("\"), space (" "), newline ("\n"), ++ * carriage return ("\r"), tab ("\t"), or period ("."). ++ * ++ * See https://dbus.freedesktop.org/doc/dbus-specification.html#auth-mechanisms-sha */ ++static gboolean ++validate_cookie_context (const char *cookie_context) ++{ ++ size_t i = 0; ++ ++ g_return_val_if_fail (cookie_context != NULL, FALSE); ++ ++ for (i = 0; cookie_context[i] != '\0'; i++) ++ { ++ if ((uint8_t) cookie_context[i] >= 128 || ++ cookie_context[i] == '/' || ++ cookie_context[i] == '\\' || ++ cookie_context[i] == ' ' || ++ cookie_context[i] == '\n' || ++ cookie_context[i] == '\r' || ++ cookie_context[i] == '\t' || ++ cookie_context[i] == '.') ++ return FALSE; ++ } ++ ++ return (i > 0); ++} ++ + static void + mechanism_client_data_receive (GDBusAuthMechanism *mechanism, + const gchar *data, +@@ -1232,6 +1260,14 @@ mechanism_client_data_receive (GDBusAuthMechanism *mechanism, + } + + cookie_context = tokens[0]; ++ if (!validate_cookie_context (tokens[0])) ++ { ++ g_free (m->priv->reject_reason); ++ m->priv->reject_reason = g_strdup_printf ("Malformed cookie_context '%s'", tokens[0]); ++ m->priv->state = G_DBUS_AUTH_MECHANISM_STATE_REJECTED; ++ goto out; ++ } ++ + cookie_id = g_ascii_strtoll (tokens[1], &endp, 10); + if (*endp != '\0') + { diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc index 018e6e55fb..ec7a26c2a9 100644 --- a/meta/recipes-core/glib-2.0/glib.inc +++ b/meta/recipes-core/glib-2.0/glib.inc @@ -238,6 +238,7 @@ SRC_URI += "\ file://CVE-2026-58012.patch \ file://CVE-2026-58013.patch \ file://CVE-2026-58014.patch \ + file://CVE-2026-58015.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \