From patchwork Wed Jul 15 17:23:25 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92599 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9746FC44501 for ; Wed, 15 Jul 2026 17:24:01 +0000 (UTC) Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.409.1784136240275108992 for ; Wed, 15 Jul 2026 10:24:00 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=NmG2bh+Y; spf=pass (domain: cisco.com, ip: 173.37.86.76, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=6002; q=dns/txt; s=iport01; t=1784136240; x=1785345840; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=OzbvPQXOhj6PBKi3nLWOxyHFInYRQvvMD0TSxBdBhSU=; b=NmG2bh+YqiGoPhTIBwlEP4+gnnQXPffjCmQLEYTDrDY/S3C3fDSf2VKH De5hTPcNarwh1GIywxv4+CYG8Oh5tmg/6biSCRPWtYSsjgxoeQuhjjn4Y 57dT7nh5uDq14sgeqA0uXWFPm8FOdWwriS00U1UummkSHduRm9dnGKLEK djAlxfJJPoDuIypb+xD+IdncRB7tOP+/tALY7MceCDPjMezDwd6lYYw34 dAkn4X1ck0SWgz0Td982q2om0aZQiHGi1XZ5GcV9jChYY8WaCReE0gz2E uwkc/ik0fEmKZvgip6YGiSo/bPTz6NIn26tGKbVKYPRzh0feWsbF7Bydv w==; X-CSE-ConnectionGUID: y80LzUmHT+2gJ+Q0ofPYsg== X-CSE-MsgGUID: 7WOlTsdEQGGNJSpkaKbtrQ== X-IPAS-Result: A0BGAgCFwFdq/43/Ja1aHgEBCxIMggULgld0X0JJhFePUoIhnh6Bfg8BAQEPRA0EAQGSWAImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaASkPARgBWQMBAgMCJgItIxgBCIMCAYJ0AxG9HXqBMoEBgygBPwJDUNsuAQsUAYEKLoU/gx0BhQJcGAGEfCcbG4FygRWDaYEFgVwBgSiEFIJqBIIigQyBWh6PeEiBAhwDWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XNFgbBwWBHYFQgQKEdiMfAzl/gTB1SnctahIXgVGCFIEYAwsYDUgRLDcUGwQ9AW4HjUklgj8BHlwTAQohIoFjJyKTE5I+oRIKKIN1jCGVOhozhASUF5JRC5h9jgqWUIRpgWg8gUcLB3AVgyIJShkPjioDCwuFX4MUyS88NQIBCDIBAQcCBw4DC4FokACBfgEB IronPort-Data: A9a23:lwjMQ6LeJovZluwLFE+RgJQlxSXFcZb7ZxGr2PjKsXjdYENS3zJRm jNLWz+AaP+IYDP1e48iYYvg8k0B75/Qy4A3Sgsd+CA2RRqmiyZq6fd1j6vUF3nPRiEWZBs/t 63yUvGZcoZsCCSa/kvxWlTYhSEU/bmSQbbhA/LzNCl0RAt1IA8skhsLd9QR2uaEuvDnRVnQ0 T/Oi5eHYgH9hGcpajt8B5+r8XuDgtyj4Fv0gXRmDRx7lAe2v2UYCpsZOZawIxPQKqFIHvS3T vr017qw+GXU5X8FUrtJRZ6iLyXm6paLVeS/oiI+t5qK23CulQRuukoPD8fwXG8M49m/c3+d/ /0W3XC4YV9B0qQhA43xWTEAe811FfUuFLMqvRFTvOTLp3AqfUcAzN1/XBkSL7Ad2to0W25st sVALz41XwuM0rfeLLKTEoGAh+w5J8XteYdasXZ6wHSBUbAtQIvIROPB4towMDUY358VW62BI ZBENHw2ME2ojx5nYj/7DLoykeqyj2X/dBVTqUmeouw85G27IAlZjeG1aouNKoPULSlTthmng Wb65GjUOz41Ev6k0TmM0XiwnNaayEsXX6pXTtVU7MVCh0WewGEWAhAaWVa35PK+kEOWX9NEN 1dS/TIjq6U3/kGnQtTxGRqirxa5UgU0QdFcFag+rQqK0KeRu1rfDWkfRTkHY9sj3CMreQEXO payt4uBLVRSXHe9EBpxKp/8QeuOBBUo IronPort-HdrOrdr: A9a23:cARWH6zVEGoCXrUOOfRGKrPwGr1zdoMgy1knxilNoHtuA6mlfq GV7ZYmPHDP5gr5NEtMpTniAtjifZqjz/9ICOAqVN/INjUO01HGEGgN1+ffKkXbexHWx6p6yb pqdbR4BZnbCFh3itu/3SyDeuxQpOVuNMuT9IHjJ7AHd3AMV51d X-Talos-CUID: 9a23:NgahcWEp1Lz06/BcqmJ2pBYwCP0gUkGelnjyYHbgDmhReaaaHAo= X-Talos-MUID: 9a23:JsxS7w7H+g3EdV7mpOf4IK1Kxow33IOqNFsBvKwplO+mDjRzMhSXkC6OF9o= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,165,1779148800"; d="scan'208";a="510290876" Received: from rcdn-l-core-04.cisco.com ([173.37.255.141]) by rcdn-iport-5.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 15 Jul 2026 17:23:59 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-04.cisco.com (Postfix) with ESMTPS id B3BD51800018F for ; Wed, 15 Jul 2026 17:23:58 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id D5CDDCC037D; Wed, 15 Jul 2026 22:53:56 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 1/6] glib-2.0: fix CVE-2026-58010 Date: Wed, 15 Jul 2026 22:53:25 +0530 Message-Id: <20260715172330.1149253-1-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-04.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 15 Jul 2026 17:24:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241026 From: Deepak Rathore This patch applies the upstream 2.86.5 backport for CVE-2026-58010. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. [1] https://gitlab.gnome.org/GNOME/glib/-/commit/aa1cb87d56111ef989811e824f0ac77484cc997f [2] https://nvd.nist.gov/vuln/detail/CVE-2026-58010 Signed-off-by: Deepak Rathore --- .../glib-2.0/glib-2.0/CVE-2026-58010.patch | 113 ++++++++++++++++++ meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 1 + 2 files changed, 114 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58010.patch diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58010.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58010.patch new file mode 100644 index 0000000000..842d53af5c --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58010.patch @@ -0,0 +1,113 @@ +From 333f164f00fb874e3c670ce70d2a2a3667b9ebf9 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Sun, 29 Mar 2026 19:10:41 +0100 +Subject: [PATCH] gvariant: Fix an off-by-one error in an offset comparison +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This allows a single byte out-of-bounds read off the end of the +(potentially untrusted) byte array backing a `GVariant` when it’s +being checked for normal form. + +I can’t see how this could practically be exploited, but it’s certainly +a security bug as the `GVariant` normal form checking code is supposed +to be robust to malicious inputs. + +Spotted by linhlhq as #YWH-PGM9867-190, and fix and reproducer provided +by them too, thanks. Confirmed and turned into a unit test by me. + +Fixes: #3915 + +CVE: CVE-2026-58010 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/aa1cb87d56111ef989811e824f0ac77484cc997f] + +Signed-off-by: Philip Withnall +(cherry picked from commit aa1cb87d56111ef989811e824f0ac77484cc997f) +Signed-off-by: Deepak Rathore +--- + glib/gvariant-serialiser.c | 2 +- + glib/tests/gvariant.c | 48 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 49 insertions(+), 1 deletion(-) + +diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c +index 4e4a73ad1..99a1d3fbd 100644 +--- a/glib/gvariant-serialiser.c ++++ b/glib/gvariant-serialiser.c +@@ -1247,7 +1247,7 @@ gvs_tuple_is_normal (GVariantSerialised value) + + while (offset & alignment) + { +- if (offset > value.size || value.data[offset] != '\0') ++ if (offset >= value.size || value.data[offset] != '\0') + return FALSE; + offset++; + } +diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c +index c8f13360c..55e2cee00 100644 +--- a/glib/tests/gvariant.c ++++ b/glib/tests/gvariant.c +@@ -5637,6 +5637,52 @@ test_normal_checking_tuple_offsets5 (void) + g_variant_unref (variant); + } + ++/* This is a regression test that looping over the padding bytes in a short ++ * (non-normal) tuple doesn’t overflow the input data. ++ * ++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/3915 */ ++static void ++test_normal_checking_tuple_offsets6 (void) ++{ ++ /* ++ * Type: (ynqiuxthdsog) — 12 members, first member 'y' (byte) has ++ * alignment 0, second 'n' (int16) has alignment 1. ++ * With 1 byte of data (0x28), after reading the first byte member, ++ * offset=1, alignment check for 'n' requires offset to be even, ++ * so the while loop checks value.data[1] — but size is only 1. ++ * ++ * Use heap allocation via GBytes so ASan reports heap-buffer-overflow. ++ */ ++ guint8 *heap_data = NULL; ++ GBytes *bytes = NULL; ++ const GVariantType *data_type = G_VARIANT_TYPE ("(ynqiuxthdsog)"); ++ GVariant *variant = NULL; ++ GVariant *normal_variant = NULL; ++ GVariant *expected = NULL; ++ ++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/3915"); ++ ++ heap_data = g_malloc (1); ++ heap_data[0] = 0x28; ++ bytes = g_bytes_new_take (heap_data, 1); ++ ++ variant = g_variant_new_from_bytes (data_type, bytes, FALSE); ++ g_assert_nonnull (variant); ++ ++ g_assert_false (g_variant_is_normal_form (variant)); ++ ++ normal_variant = g_variant_get_normal_form (variant); ++ g_assert_nonnull (normal_variant); ++ ++ expected = g_variant_new_parsed ("(byte 0x28, int16 0, uint16 0, 0, uint32 0, int64 0, uint64 0, handle 0, 0.0, '', objectpath '/', signature '')"); ++ g_assert_cmpvariant (expected, variant); ++ g_assert_cmpvariant (expected, normal_variant); ++ ++ g_variant_unref (expected); ++ g_variant_unref (normal_variant); ++ g_variant_unref (variant); ++} ++ + /* Test that an otherwise-valid serialised GVariant is considered non-normal if + * its offset table entries are too wide. + * +@@ -5890,6 +5936,8 @@ main (int argc, char **argv) + test_normal_checking_tuple_offsets4); + g_test_add_func ("/gvariant/normal-checking/tuple-offsets5", + test_normal_checking_tuple_offsets5); ++ g_test_add_func ("/gvariant/normal-checking/tuple-offsets6", ++ test_normal_checking_tuple_offsets6); + g_test_add_func ("/gvariant/normal-checking/tuple-offsets/minimal-sized", + test_normal_checking_tuple_offsets_minimal_sized); + g_test_add_func ("/gvariant/normal-checking/empty-object-path", +-- +2.35.6 diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb index b8212c9d12..32e578db3c 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb @@ -47,6 +47,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://CVE-2026-1489-02.patch \ file://CVE-2026-1489-03.patch \ file://CVE-2026-1489-04.patch \ + file://CVE-2026-58010.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ From patchwork Wed Jul 15 17:23:26 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92600 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B3B6CC4450E for ; Wed, 15 Jul 2026 17:24:35 +0000 (UTC) Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.5.1784136267178675439 for ; Wed, 15 Jul 2026 10:24:27 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=fx6gcFrh; spf=pass (domain: cisco.com, ip: 173.37.86.76, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=4304; q=dns/txt; s=iport01; t=1784136267; x=1785345867; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=Rm1sgufhN+l9u80puQJho0B5sK8bGgR6vGHmdYztJ6E=; b=fx6gcFrhp9gZEtfdOub5DcUufh0y19SIwcIy7HknAy+AEsPTVI5hlFqA QyzQcdzgslCHqH0PuvTt/HNEYh9ELcVOZThSpOEph9vp3+R4zmgazqlwN x8x7LIJ/mbehSetno50OvNry/NJBCS3gougiw046bBaEBGSIQeqRYd7vo eYZuOBeKagm6+geKRwAyr8XPxaj/flIGtnFKdCvJvTeSoaWdhqT/GXLbA shMKAnsAvsAUac3ffLunsYZs8Kq8FwqHYGl+wL2cLNQt3xzGt/tM2NcAk orgUFsPVvAyK+ERsq/Skhps89nwK/N0hLZFA88F5gaCvc8o1fKvgYQdcF g==; X-CSE-ConnectionGUID: wJO0JG+MRjmnUvqeKWvLqw== X-CSE-MsgGUID: HKDcgLibTUWGAorusKkEQQ== X-IPAS-Result: A0BLAgDtwVdq/4r/Ja1aHgEBCxIMggULgld0X0JJhFePUoIhA4ETnQiBfg8BAQEPRA0EAQGFBQKNUQImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaAQIBAyMECwEYAT0cAwECAwImAgIrIwgQAQiDAgGCdAMRvUR6fzOBAYMoAT8CQ1DbLgELFAGBCi6FP4MdAYUCXBgBhHwnGxuBcoEVgnN2gQWBXAGBKIQUgmoEgiKBDIFaHo95SIECHANZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPhc0WBsHBYEdgVCBAoR2Ix8DOX+BMHVKdy1qEheBUYIUgRoDCxgNSBEsNxQbBD0BbgeNSiWCOAeBDgErF4I5pU+hEgoog3WMIZU6GjOqbAuYfY4KlXNdhGmBaDyBRwsHcBWDIglKGQ+OLQsLhV+DFMkFPDUCAQgyAQEHAgcOAwuBaJAAAiYHgU8BAQ IronPort-Data: A9a23:WNFkN6NG+pppyirvrR30lsFynXyQoLVcMsEvi/4bfWQNrUp21jcBn 2MdC2iHOauLMGDzLdpxPI62oElSsZODnYJkSnM5pCpnJ55oRWUpJjg4wmPYZX76whjrFRo/h ykmQoCeaphyFTmE+kvF3oHJ9RFUzbuPSqf3FNnKMyVwQR4MYCo6gHqPocZh6mJTqYb/WV7lV e/a+ZWFZgf6gmMsawr41orawP9RlKWq0N8nlgRWicBj5Df2i3QTBZQDEqC9R1OQapVUBOOzW 9HYx7i/+G7Dlz91Yj9yuu+mGqGiaue60Tmm0hK6aYD76vRxjnBaPpIACRYpQRw/ZwNlMDxG4 I4lWZSYEW/FN0BX8QgXe0Ew/ypWZcWq9FJbSJSymZT78qHIT5fj6+pMKxkUEs49wORyB1xQ7 PE7Fy4pdw/W0opawJrjIgVtrt4oIM+uOMYUvWttiGmAS/0nWpvEBa7N4Le03h9p2ZsIRqmYP ZdEL2M0PHwsYDUXUrsTIJ4zkf2hmnn4WzZZs1mS46Ew5gA/ySQsieC3YYOMI4ziqcN9vmW0r W3i/m7FPy41HduF1CGm8V+Vv7qa9c/8cMdIfFGizdZtmFCVy2kZBREaWFf+qv6jh2a6WslDM AoT4icooK04+UCnQ9W7WAe3yENopTYGUNZWVul/4waXx++MukCSB3MPSXhKb9lOWNIKeAHGH 2Shx7vBbQGDepXKIZ5B3t94dQ+PBBU= IronPort-HdrOrdr: A9a23:UNZlsqnq3FCknRqyI8kppq9G8WzpDfIO3DAbv31ZSRFFG/Fw8P re+8jztCWE7Ar5N0tPpTntAsS9qDbnhP1ICOoqTNKftXfd2VdARbsKheCJ/9SjIVydygc378 hdmsZFZOEYdWIbse/KpC+lDt0n3N6LtIqshevY0jNRaDsCUdAH0++8YTzranGfg2J9dOMEKK Y= X-Talos-CUID: 9a23:/1oW02izLZSke8lYyruaTYV6BTJubV/6lFX/YGqCC2NvdaOMRHyv5od9jJ87 X-Talos-MUID: 9a23:DMRMrQhwLbzsmxS/LzC7gMMpFORE6KuKCUoxrKopks6eKDdTOBqktWHi X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,165,1779148800"; d="scan'208";a="510291118" Received: from rcdn-l-core-01.cisco.com ([173.37.255.138]) by rcdn-iport-5.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 15 Jul 2026 17:24:18 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-01.cisco.com (Postfix) with ESMTPS id EBDBB180001CD for ; Wed, 15 Jul 2026 17:24:17 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id 196D8CC037D; Wed, 15 Jul 2026 22:54:16 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 2/6] glib-2.0: fix CVE-2026-58011 Date: Wed, 15 Jul 2026 22:53:26 +0530 Message-Id: <20260715172330.1149253-2-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260715172330.1149253-1-deeratho@cisco.com> References: <20260715172330.1149253-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-01.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 15 Jul 2026 17:24:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241027 From: Deepak Rathore This patch applies the upstream 2.86.5 backport for CVE-2026-58011. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. [1] https://gitlab.gnome.org/GNOME/glib/-/commit/ae27363f025ffc131e2d75ee88a5cd8320dffe3b [2] https://nvd.nist.gov/vuln/detail/CVE-2026-58011 Signed-off-by: Deepak Rathore --- .../glib-2.0/glib-2.0/CVE-2026-58011.patch | 78 +++++++++++++++++++ meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 1 + 2 files changed, 79 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58011.patch diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58011.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58011.patch new file mode 100644 index 0000000000..a8d31c1270 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58011.patch @@ -0,0 +1,78 @@ +From 371dbccb6b9a9a42b93c4b371214b159e7e94792 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Sun, 29 Mar 2026 23:46:17 +0100 +Subject: [PATCH] gdatetime: Add missing range validation to + g_date_time_add_full() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise it’s possible to create a non-`NULL` but invalid `GDateTime`, +which breaks all kinds of internal assumptions. + +Spotted by linhlhq as #YWH-PGM9867-191. Thanks to them for providing a +suggested fix and a test case, which I have adapted and validated. + +Fixes: #3917 + +CVE: CVE-2026-58011 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/ae27363f025ffc131e2d75ee88a5cd8320dffe3b] + +Backport Changes: +- Used the target branch's existing literal day bounds because it does + not have upstream's MIN_DAYS/MAX_DAYS helper macros. + +Signed-off-by: Philip Withnall +(cherry picked from commit ae27363f025ffc131e2d75ee88a5cd8320dffe3b) +Signed-off-by: Deepak Rathore +--- + glib/gdatetime.c | 4 +++- + glib/tests/gdatetime.c | 18 ++++++++++++++++++ + 2 files changed, 21 insertions(+), 1 deletion(-) + +diff --git a/glib/gdatetime.c b/glib/gdatetime.c +index 2640e3b24..73eea643b 100644 +--- a/glib/gdatetime.c ++++ b/glib/gdatetime.c +@@ -2024,7 +2024,9 @@ g_date_time_add_full (GDateTime *datetime, + new->days = full_time / USEC_PER_DAY; + new->usec = full_time % USEC_PER_DAY; + +- /* XXX validate */ ++ /* Validate it’s still in the range 0001-01-01 to 9999-12-31 */ ++ if (new->days < 1 || new->days > 3652059) ++ g_clear_pointer (&new, g_date_time_unref); + + return new; + } +diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c +index 49390c900..527d61a11 100644 +--- a/glib/tests/gdatetime.c ++++ b/glib/tests/gdatetime.c +@@ -1117,6 +1117,24 @@ test_GDateTime_add_full (void) + TEST_ADD_FULL (2010, 8, 25, 22, 45, 0, + 0, 1, 6, 1, 25, 0, + 2010, 10, 2, 0, 10, 0); ++ ++#define TEST_ADD_FULL_ERROR(y,m,d,h,mi,s,ay,am,ad,ah,ami,as) G_STMT_START { \ ++ GDateTime *dt; \ ++ dt = g_date_time_new_utc (y, m, d, h, mi, s); \ ++ g_assert_null (g_date_time_add_full (dt, ay, am, ad, ah, ami, as)); \ ++ g_date_time_unref (dt); \ ++} G_STMT_END ++ ++ TEST_ADD_FULL_ERROR ( 1, 12, 1, 0, 0, 0, ++ -1, 0, 0, 0, 0, 0); ++ TEST_ADD_FULL_ERROR ( 1, 12, 1, 0, 0, 0, ++ 10000, 0, 0, 0, 0, 0); ++ TEST_ADD_FULL_ERROR ( 9999, 12, 1, 0, 0, 0, ++ -10000, 0, 0, 0, 0, 0); ++ TEST_ADD_FULL_ERROR ( 1, 12, 1, 0, 0, 0, ++ 0, 0, 3660001, 0, 0, 0); ++ TEST_ADD_FULL_ERROR ( 9999, 12, 1, 0, 0, 0, ++ 0, 0, -3660001, 0, 0, 0); + } + + static void +-- +2.35.6 diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb index 32e578db3c..6532d7eac0 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb @@ -48,6 +48,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://CVE-2026-1489-03.patch \ file://CVE-2026-1489-04.patch \ file://CVE-2026-58010.patch \ + file://CVE-2026-58011.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ From patchwork Wed Jul 15 17:23:27 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92602 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1E5CC44501 for ; Wed, 15 Jul 2026 17:24:35 +0000 (UTC) Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.7.1784136268430520106 for ; Wed, 15 Jul 2026 10:24:28 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=EczvyIpw; spf=pass (domain: cisco.com, ip: 173.37.86.80, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=9673; q=dns/txt; s=iport01; t=1784136268; x=1785345868; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=5YZOm04AnEgetuyBNQ+NNeLsL960OLNOwNk7OXzvXCM=; b=EczvyIpw1HsuZ/ZOxu9AZNGjOj27BIfhypboD4StJ8zREWqsp7cHpDE0 HAJmrP0kDsIyVhGzZVvlf3OacmihQr6Imw4Nl2ZwmcAUSKOydu9NstQYg uBUgX+Rm0MmyhKZSyfOMV8l8D4UbS0ozaoZspjny38ENRy+jF+8DjZFxx zyGcl4RX6wX7a65GRaHELFwPWzHvvpKWaSKIjgplvt7ByZ2SUo7MSIeXx M/yJwuaogZ+2ZGl+mv1+zjvCXL3SDHWYpnunxyMI/rLVTwCTT4sdvCssy gAnY5Xt4VlmtmUimnSrn19Ki27NTZ+pDIwJtL8gJ4rI2PTHfwk0JbdXj9 Q==; X-CSE-ConnectionGUID: WkhpngH1SJazrM53dv16IA== X-CSE-MsgGUID: NgrGKMl4QG+lkF4+tIURqA== X-IPAS-Result: A0BKAgBwwVdq/47/Ja1aHgEBCxIMggULgld0X0JJhFePUoIhA54bgX4PAQEBD0QNBAEBhQUCjVECJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgECAQMjBAsBGAE9HAMBAgMCJgICKyMIEQiDAgGCdAMRvTJ6fzOBAYMoAT8CQ1DbLgELFAGBCi6FP4MdAYUCXBgBhHwnGxuBcoEVg2mBBYFcAYU8gmoEgiKBDIFaHoIGjXNIgQIcA1ksAVUTDQoLBwWBZgM1EioVbjIdgSM+FzRYGwcFgR2BUIEChHYjHwM5f4EwdUp3LWoSF4FRghSBGgMLGA1IESw3FBsEPQFuB41KJYI4BgGBBAoBKyJ+gS6TEwEJkjShEgoog3WMIZU6GjOEBJQXklELmH2OCpYOQoRpgWg8gSgcAwsHcBU7gmcJShkPjioDCwuFX4MUyQU8NQIBCDIBAQcCBw4DC4FokX4BAQ IronPort-Data: A9a23:vZXOmq0IT/icDQPrTPbD5YJwkn2cJEfYwER7XKvMYLTBsI5bp2YAn zFND2yBaf+Ja2f3fdlzao619xlXucfWz99rGQRk3Hw8FHgiRegpqji6wuYcGwvIc6UvmWo+t 512huHodZ5yFjmH4E/xbtANlFEkvYmQXL3wFeXYDS54QA5gWU8JhAlq8wIDqtYAbeORXUXX5 Lsen+WFYAX7g2EtbzpNg06+gEoHUMra6WtwUmMWPZinjHeG/1EJAZQWI72GLneQauF8Au6gS u/f+6qy92Xf8g1FIovNfmHTKxBirhb6ZGBiu1IOM0SQqkEqSh8ajs7XAMEhhXJ/0F1lqTzeJ OJl7vRcQS9xVkHFdX90vxNwS0mSNoUekFPLzOTWXcG7lyX7n3XQL/pGM0I2JYsX2r9MI2hc7 9lFczwTN06irrfjqF67YrEEasULNsLnOsYb/3pn1zycVatgSpHYSKKM7thdtNsyrpkRRrCFO IxDNGcpNUiaC/FMEg9/5JYWkOqlnHDjczpwo1OOrq1x6G/WpOB0+OW1YYCPIIXRG625mG6+q Xjp3EH9Xig1d9ic52bG7lORvPbmyHaTtIU6UefQGuRRqFqLy2oeDRcbWVe2rbyyjVSzc9ZeM FAPvC02oK4/8UamQtXwU1u/unHsg/IHc8BbH+t/7ESGzbDZpl7EQGMFVTVGLtchsafaWAAX6 7NApPuxbRQHjVFfYSj1Gmu8xd9qBRUoEA== IronPort-HdrOrdr: A9a23:jcL0QKFx04QzPtOppLqEyseALOsnbusQ8zAXPidKOHtom62j5q STdZsguyMc5Ax9ZJhko6HiBEDiewK4yXcK2+gs1N6ZNWGM0ldAbrsSj7cKqAeOJ8SRzIJgPN 9bE5RWOZnXEUVwi9r87U2TFtYtx8TCzYWT7N2uqUuEiWpRGtldB8ATMHfjLnFL X-Talos-CUID: 9a23:GAOhjWApMwoI+7H6ExZk9FYSFeB8SV/U3m31fhS0Fz83aZTAHA== X-Talos-MUID: 9a23:VUtTQw4SNi4wWqD7eyO7xNcWxoxO7L6BK2UJzawp+M2HG3AzJxagti2eF9o= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,165,1779148800"; d="scan'208";a="509222136" Received: from rcdn-l-core-05.cisco.com ([173.37.255.142]) by rcdn-iport-9.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 15 Jul 2026 17:24:27 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-05.cisco.com (Postfix) with ESMTPS id 1C5E818000201 for ; Wed, 15 Jul 2026 17:24:27 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id 3EDA1CC037D; Wed, 15 Jul 2026 22:54:25 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 3/6] glib-2.0: fix CVE-2026-58012 Date: Wed, 15 Jul 2026 22:53:27 +0530 Message-Id: <20260715172330.1149253-3-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260715172330.1149253-1-deeratho@cisco.com> References: <20260715172330.1149253-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-05.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 15 Jul 2026 17:24:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241028 From: Deepak Rathore This patch applies the upstream 2.86.5 backport for CVE-2026-58012. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. [1] https://gitlab.gnome.org/GNOME/glib/-/commit/d337aabd24ee2b8ac2a690dba3ccf26aa70e638f [2] https://nvd.nist.gov/vuln/detail/CVE-2026-58012 Signed-off-by: Deepak Rathore --- .../glib-2.0/glib-2.0/CVE-2026-58012.patch | 228 ++++++++++++++++++ meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 1 + 2 files changed, 229 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58012.patch diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58012.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58012.patch new file mode 100644 index 0000000000..7f8435809c --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58012.patch @@ -0,0 +1,228 @@ +From 74564fefcec22fc1efc187c36aa1fb8dcfe34454 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Tue, 31 Mar 2026 16:13:57 +0100 +Subject: [PATCH] gregex: Fix case changing substitutions with G_REGEX_RAW + +In `G_REGEX_RAW` mode, the input string is treated as a byte array +(basically ASCII) rather than a unichar array. Accordingly, the case +changing code for substitutions needs to operate on bytes with +`G_REGEX_RAW`, rather than operating on unichars. + +This fixes a potential buffer overflow when trying to do a case change +on a match of a set of bytes which are a truncated multi-byte UTF-8 +encoding at the end of the input buffer. + +Spotted by linhlhq as #YWH-PGM9867-193. I adapted their reproducer as +the unit test, but implemented the fix in `gregex.c` independently. + +Fixes: #3918 + +CVE: CVE-2026-58012 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/d337aabd24ee2b8ac2a690dba3ccf26aa70e638f] + +Signed-off-by: Philip Withnall +(cherry picked from commit d337aabd24ee2b8ac2a690dba3ccf26aa70e638f) +Signed-off-by: Deepak Rathore +--- + glib/gregex.c | 59 ++++++++++++++++++++++++++++++++++------------ + glib/tests/regex.c | 53 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 97 insertions(+), 15 deletions(-) + +diff --git a/glib/gregex.c b/glib/gregex.c +index 116ecacbb..496b34bbd 100644 +--- a/glib/gregex.c ++++ b/glib/gregex.c +@@ -3147,19 +3147,25 @@ split_replacement (const gchar *replacement, + return g_list_reverse (list); + } + +-/* Change the case of c based on change_case. */ +-#define CHANGE_CASE(c, change_case) \ ++/* Change the case of c based on change_case. ++ * g_ascii_to*() will happily pass through non-ASCII bytes unchanged. */ ++#define UTF8_CHANGE_CASE(c, change_case) \ + (((change_case) & CHANGE_CASE_LOWER_MASK) ? \ + g_unichar_tolower (c) : \ + g_unichar_toupper (c)) ++#define RAW_CHANGE_CASE(c, change_case) \ ++ (((change_case) & CHANGE_CASE_LOWER_MASK) ? \ ++ g_ascii_tolower (c) : \ ++ g_ascii_toupper (c)) + ++/* If @text_is_raw is set, @text might not be valid UTF-8 (but will be ++ * nul-terminated). */ + static void + string_append (GString *string, + const gchar *text, ++ gboolean text_is_raw, + ChangeCase *change_case) + { +- gunichar c; +- + if (text[0] == '\0') + return; + +@@ -3169,22 +3175,44 @@ string_append (GString *string, + } + else if (*change_case & CHANGE_CASE_SINGLE_MASK) + { +- c = g_utf8_get_char (text); +- g_string_append_unichar (string, CHANGE_CASE (c, *change_case)); +- g_string_append (string, g_utf8_next_char (text)); ++ if (!text_is_raw) ++ { ++ gunichar c = g_utf8_get_char (text); ++ g_string_append_unichar (string, UTF8_CHANGE_CASE (c, *change_case)); ++ g_string_append (string, g_utf8_next_char (text)); ++ } ++ else ++ { ++ g_string_append_c (string, RAW_CHANGE_CASE (text[0], *change_case)); ++ g_string_append (string, text + 1); ++ } ++ + *change_case = CHANGE_CASE_NONE; + } + else + { +- while (*text != '\0') ++ if (!text_is_raw) + { +- c = g_utf8_get_char (text); +- g_string_append_unichar (string, CHANGE_CASE (c, *change_case)); +- text = g_utf8_next_char (text); ++ while (*text != '\0') ++ { ++ gunichar c = g_utf8_get_char (text); ++ g_string_append_unichar (string, UTF8_CHANGE_CASE (c, *change_case)); ++ text = g_utf8_next_char (text); ++ } ++ } ++ else ++ { ++ while (*text != '\0') ++ { ++ char c = *text; ++ g_string_append_c (string, RAW_CHANGE_CASE (c, *change_case)); ++ text++; ++ } + } + } + } + ++/* @match_info is (nullable) */ + static gboolean + interpolate_replacement (const GMatchInfo *match_info, + GString *result, +@@ -3194,6 +3222,7 @@ interpolate_replacement (const GMatchInfo *match_info, + InterpolationData *idata; + gchar *match; + ChangeCase change_case = CHANGE_CASE_NONE; ++ gboolean is_raw = (match_info != NULL && (match_info->regex->orig_compile_opts & G_REGEX_RAW)); + + for (list = data; list; list = list->next) + { +@@ -3201,10 +3230,10 @@ interpolate_replacement (const GMatchInfo *match_info, + switch (idata->type) + { + case REPL_TYPE_STRING: +- string_append (result, idata->text, &change_case); ++ string_append (result, idata->text, is_raw, &change_case); + break; + case REPL_TYPE_CHARACTER: +- g_string_append_c (result, CHANGE_CASE (idata->c, change_case)); ++ g_string_append_c (result, UTF8_CHANGE_CASE (idata->c, change_case)); + if (change_case & CHANGE_CASE_SINGLE_MASK) + change_case = CHANGE_CASE_NONE; + break; +@@ -3212,7 +3241,7 @@ interpolate_replacement (const GMatchInfo *match_info, + match = g_match_info_fetch (match_info, idata->num); + if (match) + { +- string_append (result, match, &change_case); ++ string_append (result, match, is_raw, &change_case); + g_free (match); + } + break; +@@ -3220,7 +3249,7 @@ interpolate_replacement (const GMatchInfo *match_info, + match = g_match_info_fetch_named (match_info, idata->text); + if (match) + { +- string_append (result, match, &change_case); ++ string_append (result, match, is_raw, &change_case); + g_free (match); + } + break; +diff --git a/glib/tests/regex.c b/glib/tests/regex.c +index d7a698ec6..bffb52a87 100644 +--- a/glib/tests/regex.c ++++ b/glib/tests/regex.c +@@ -2529,6 +2529,58 @@ test_compiled_regex_after_jit_failure (void) + g_regex_unref (regex); + } + ++static void ++test_replace_raw_change_case (void) ++{ ++ GError *local_error = NULL; ++ GRegex *regex = NULL; ++ ++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/3918"); ++ g_test_summary ("Test that case changes as part of a replacement are handled correctly in G_REGEX_RAW mode"); ++ ++ /* ++ * Match a multi-byte sequence in RAW mode. The pattern matches ++ * exactly 2 bytes. The subject contains a 4-byte UTF-8 lead (0xF4) ++ * followed by only one continuation byte, then NUL. ++ * ++ * The matched substring will be "\xf4\x80" (2 bytes, heap-allocated ++ * as 3-byte buffer with NUL). If the code regresses and tries to handle ++ * the replacement as UTF-8 then g_utf8_get_char() would see 0xF4 and try ++ * to read 4 bytes, going 1 byte past the NUL into OOB territory. ++ */ ++ regex = g_regex_new ("..", G_REGEX_RAW, 0, &local_error); ++ g_assert_no_error (local_error); ++ ++ /* ++ * Build a subject string with truncated UTF-8. ++ * \xF4 = 4-byte UTF-8 lead byte ++ * \x80 = continuation byte ++ * No 3rd/4th continuation bytes — the match is only 2 bytes. ++ * ++ * \U\0 = uppercase the entire match → triggers string_append() ++ * with case change on the 2-byte non-UTF-8 match. ++ */ ++ char subject[] = "\xf4\x80"; ++ char *result = g_regex_replace (regex, subject, -1, 0, "\\U\\0", 0, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_clear_pointer (&result, g_free); ++ g_clear_pointer (®ex, g_regex_unref); ++ ++ /* ++ * Second variant: single-char case change \u with \0 backreference. ++ */ ++ regex = g_regex_new (".", G_REGEX_RAW, 0, &local_error); ++ g_assert_no_error (local_error); ++ ++ char subject2[] = "\xe6\xb0"; /* 3-byte UTF-8 lead, only 2 bytes */ ++ result = g_regex_replace (regex, subject2, -1, 0, "\\u\\0", 0, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_clear_pointer (&result, g_free); ++ g_clear_pointer (®ex, g_regex_unref); ++} ++ + int + main (int argc, char *argv[]) + { +@@ -2550,6 +2602,7 @@ main (int argc, char *argv[]) + g_test_add_func ("/regex/jit-unsupported-matching", test_jit_unsupported_matching_options); + g_test_add_func ("/regex/unmatched-named-subpattern", test_unmatched_named_subpattern); + g_test_add_func ("/regex/compiled-regex-after-jit-failure", test_compiled_regex_after_jit_failure); ++ g_test_add_func ("/regex/replace-raw-change-case", test_replace_raw_change_case); + + /* TEST_NEW(pattern, compile_opts, match_opts) */ + TEST_NEW("[A-Z]+", G_REGEX_CASELESS | G_REGEX_EXTENDED | G_REGEX_OPTIMIZE, G_REGEX_MATCH_NOTBOL | G_REGEX_MATCH_PARTIAL); +-- +2.35.6 diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb index 6532d7eac0..2a4a1dad5b 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb @@ -49,6 +49,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://CVE-2026-1489-04.patch \ file://CVE-2026-58010.patch \ file://CVE-2026-58011.patch \ + file://CVE-2026-58012.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ From patchwork Wed Jul 15 17:23:28 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92601 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B2C44C44508 for ; Wed, 15 Jul 2026 17:24:35 +0000 (UTC) Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.11.1784136274298374170 for ; Wed, 15 Jul 2026 10:24:34 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=kuTFzIb3; spf=pass (domain: cisco.com, ip: 173.37.86.78, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=6623; q=dns/txt; s=iport01; t=1784136274; x=1785345874; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=ueZogpofnpgauFZTDpOcb5YHpjdI8VBBm3gTBXoIPZs=; b=kuTFzIb3zXavWBEeu6I7F5N98yWZDLPijtjZSLD8UOr9ataB1osNH3QY gtd2XzE8tEclQLldTj7zPmbTIF4fBGav0Eo/CnoJ6hDswhlOg4befDovn RtsFgdYdunoyBqwv4mqaYMY1jjul9zwuPL24LJ/zfGSByTYnxNNthkLY2 c0ZH3oEer2C16VBk2S2cxxI0Mr0afjO0Pma5dCMn+4/msbDAx3sZXIJ8s 25PY6UiiUhsnHWITM6f5TooUCBA6frvenvknxrt1ubmIT8wzq42dLyH7Y OnhG6n/9wd/FM6DXNvgugGFx7BDC0/Ch1zMdVfgjVxLcZgrGYUMpt0g9o A==; X-CSE-ConnectionGUID: RsLCygjKRfu/oy8iZU52aQ== X-CSE-MsgGUID: kxyyRMI6QOalq3Ksqrxx2Q== X-IPAS-Result: A0BLAgD+wFdq/4z/Ja1aHgEBCxIMggULgld0X0JJhFePUoIhA4ETnQiBfg8BAQEPRA0EAQGFBQKNUQImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaAQIBAyMECwEYAT0cAwECAwImAgIrIwgQAQiDAgGCdAMRvQV6fzOBAYMoAT8CQ1DbLgELFAGBCi6FP4MdAYUCXBgBhHwnGxuBcoEVgnN2gQWBXAGBKBuDeYJqBIIigQyBWh6PeEiBAhwDWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XNFgbBwWBHYFQgQKEdiMfAzl/gTB1SnctahIXgVGCFIEYAwsYDUgRLDcUGwQ9AW4HjUklgj89UQErglAqpSWhEgoog3WMIZU6GjOEBJQXklELmH2OCpZQhGmBaDyBRwsHcBWDIglKGQ+OKgMLC4VfgxTJBTw1AgEIMgEBBwIHDgMLgWiQAAImBAOBTwEB IronPort-Data: A9a23:FnyHWazQsr5zmOhgmCF6t+dmxyrEfRIJ4+MujC+fZmUNrF6WrkUFn DEaUD2HMqrfZ2ryed5/PYu39kkPsMKAyoNhHgtoqFhgHilAwSbn6Xt1DatR0we6dJCroJdPt p1GAjX4BJlqCCea/VH1buSJQUBUjcmgXqD7BPPPJhd/TAplTDZJoR94kobVuKYw6TSCK13L4 46aT/H3Ygf/hWYraz9MsspvlTs21BjMkGJA1rABTagjUG/2zxE9EJ8ZLKetGHr0KqE8NvK6X evK0Iai9Wrf+Ro3Yvv9+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+vpT2M4nVKtio27hc+adZ zl6ncfYpQ8BZsUgkQmGOvVSO3kW0aZuoNcrLZUj2CCe5xWuTpfi/xlhJHstGaYJ9eRUO29Ts vsJeDE/U03ZjtvjldpXSsE07igiBNPgMIVavjRryivUSK59B5vCWK7No9Rf2V/chOgXQq2YP JVfM2cyKk2cO3WjOX9PYH46tOuli2P2bz1fgFmUvqEwpWPUyWSd1ZCwaIuJIoXSHJ49ckCwp XLX7l7cI08jE9Wb0GGm6Wu2lv+VpHauMG4VPPjinhJwu3WU3mEVBRgcWFe3rPX8gUmkVvpbK lcI4WwptaU0+UmhQ9XxUhH+p2SL1iPwQPJKGOE8rQXIwa3O7kPBXS4PTyVKb5ots8peqSEW6 2JlVujBXVRH2IB5g1rEnltIhVte4RQoEFI= IronPort-HdrOrdr: A9a23:zPYmAK8gdoZH2pgom4Zuk+D6I+orL9Y04lQ7vn2ZLiYlFfBw9v re+MjzuiWbtN98YhwdcJW7Scq9qBDnhPtICPcqXItKNTOO0ADDEGgh1/qB/9SKIULDH4BmuZ uIC5IfNPTASX5nkM39/A60V/wkwNWB7eSUoN229QYKcemvAJsQlzuQzW2gYzRLeDU= X-Talos-CUID: 9a23:1LakFGiEGTmKn0FGbUunBeG6fDJuSGb552bfIWyCB3suT6zFSG2tpfltqp87 X-Talos-MUID: 9a23:GAQ89gn5rAiNxy1MI/H8dnphJNZ52YGPVnkqmJEf4OqfLDZgK22k2WE= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,165,1779148800"; d="scan'208";a="509401013" Received: from rcdn-l-core-03.cisco.com ([173.37.255.140]) by rcdn-iport-7.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 15 Jul 2026 17:24:33 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-03.cisco.com (Postfix) with ESMTPS id 1F321180001C7 for ; Wed, 15 Jul 2026 17:24:33 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id 41D97CC037D; Wed, 15 Jul 2026 22:54:31 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 4/6] glib-2.0: fix CVE-2026-58013 Date: Wed, 15 Jul 2026 22:53:28 +0530 Message-Id: <20260715172330.1149253-4-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260715172330.1149253-1-deeratho@cisco.com> References: <20260715172330.1149253-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-03.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 15 Jul 2026 17:24:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241029 From: Deepak Rathore This patch applies the upstream 2.88.1 backport for CVE-2026-58013. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. [1] https://gitlab.gnome.org/GNOME/glib/-/commit/6a2583dec39bfe05553b16d9b7419d6c2a257244 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-58013 Signed-off-by: Deepak Rathore --- .../glib-2.0/glib-2.0/CVE-2026-58013.patch | 140 ++++++++++++++++++ meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 1 + 2 files changed, 141 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58013.patch diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58013.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58013.patch new file mode 100644 index 0000000000..fa3db56bdb --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58013.patch @@ -0,0 +1,140 @@ +From cb9d97e1b261d75eb8ea255e0a9f3e846d547af7 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Tue, 28 Apr 2026 16:45:14 +0100 +Subject: [PATCH] giochannel: Fix memcmp() off the end of the buffer with long + terminators +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the line terminator is longer than a single byte, and the current +line extends to the end of the buffer, and the buffer (which is a +`GString`) is near a power of two in length (as that’s how `GString`s +are allocated) it’s possible for the `memcmp()` which checks the +terminator to read off the end of the string buffer. + +Fix that by checking the terminator length against the last character +before calling `memcmp()`. Add a unit test. + +Spotted by linhlhq as #YWH-PGM9867-199. The fix is theirs (validated by +me), and the unit test is adapted from their proof of concept. + +Fixes: #3925 + +CVE: CVE-2026-58013 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/6a2583dec39bfe05553b16d9b7419d6c2a257244] + +Backport Changes: +- Added the include for the regression test because these target + branches do not otherwise expose uint8_t in glib/tests/io-channel.c. + +Signed-off-by: Philip Withnall +(cherry picked from commit 6a2583dec39bfe05553b16d9b7419d6c2a257244) +Signed-off-by: Deepak Rathore +--- + glib/giochannel.c | 3 ++- + glib/tests/io-channel.c | 61 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 63 insertions(+), 1 deletion(-) + +diff --git a/glib/giochannel.c b/glib/giochannel.c +index 7572c47a2..8d867d0fb 100644 +--- a/glib/giochannel.c ++++ b/glib/giochannel.c +@@ -1833,7 +1833,8 @@ read_again: + { + if (channel->line_term) + { +- if (memcmp (channel->line_term, nextchar, line_term_len) == 0) ++ if ((size_t) (lastchar - nextchar) >= line_term_len && ++ memcmp (channel->line_term, nextchar, line_term_len) == 0) + { + line_length = nextchar - use_buf->str; + got_term_len = line_term_len; +diff --git a/glib/tests/io-channel.c b/glib/tests/io-channel.c +index c5dd01d04..cf81a9f6b 100644 +--- a/glib/tests/io-channel.c ++++ b/glib/tests/io-channel.c +@@ -29,6 +29,7 @@ + + #include + #include ++#include + + static void + test_small_writes (void) +@@ -216,6 +217,65 @@ test_read_line_embedded_nuls (void) + g_free (filename); + } + ++static void ++test_read_line_long_terminator (void) ++{ ++ uint8_t *test_data = NULL; ++ size_t test_data_len = 0; ++ int fd; ++ char *filename = NULL; ++ GIOChannel *channel = NULL; ++ GError *local_error = NULL; ++ char *line = NULL; ++ size_t line_length, terminator_pos; ++ const char *line_term; ++ int line_term_length; ++ GIOStatus status; ++ ++ g_test_summary ("Test that reading a line when using a long terminator doesn’t over-read the buffer."); ++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/work_items/3925"); ++ ++ /* Write out a temporary file containing 2047 bytes. This is enough to make it ++ * near the length of the GString buffer when read back in. */ ++ fd = g_file_open_tmp ("glib-test-io-channel-XXXXXX", &filename, &local_error); ++ g_assert_no_error (local_error); ++ g_close (g_steal_fd (&fd), NULL); ++ ++ test_data_len = 2047; ++ test_data = g_malloc (test_data_len); ++ memset (test_data, 'M', test_data_len); ++ g_file_set_contents (filename, (const gchar *) test_data, test_data_len, &local_error); ++ g_assert_no_error (local_error); ++ ++ /* Create the channel. */ ++ channel = g_io_channel_new_file (filename, "r", &local_error); ++ g_assert_no_error (local_error); ++ ++ /* Use a long line terminator so it could potentially over-read the end of the buffer. */ ++ g_io_channel_set_line_term (channel, "DEADBEEF", 8); ++ ++ line_term = g_io_channel_get_line_term (channel, &line_term_length); ++ g_assert_cmpstr (line_term, ==, "DEADBEEF"); ++ g_assert_cmpint (line_term_length, ==, 8); ++ ++ g_io_channel_set_encoding (channel, "UTF-8", &local_error); ++ g_assert_no_error (local_error); ++ ++ status = g_io_channel_read_line (channel, &line, &line_length, ++ &terminator_pos, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_cmpint (status, ==, G_IO_STATUS_NORMAL); ++ g_assert_cmpuint (line_length, ==, 2047); ++ g_assert_cmpuint (terminator_pos, ==, 2047); ++ g_assert_cmpmem (line, line_length, test_data, test_data_len); ++ ++ g_free (line); ++ g_io_channel_unref (channel); ++ g_free (test_data); ++ g_unlink (filename); ++ g_free (filename); ++} ++ + int + main (int argc, + char *argv[]) +@@ -224,6 +283,7 @@ main (int argc, + + g_test_add_func ("/io-channel/read-write", test_read_write); + g_test_add_func ("/io-channel/read-line/embedded-nuls", test_read_line_embedded_nuls); ++ g_test_add_func ("/io-channel/read-line/long-terminator", test_read_line_long_terminator); + + return g_test_run (); + } +-- +2.35.6 diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb index 2a4a1dad5b..5486969abb 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb @@ -50,6 +50,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://CVE-2026-58010.patch \ file://CVE-2026-58011.patch \ file://CVE-2026-58012.patch \ + file://CVE-2026-58013.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ From patchwork Wed Jul 15 17:23:29 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92603 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C6C3DC44501 for ; Wed, 15 Jul 2026 17:24:55 +0000 (UTC) Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.19.1784136290798318763 for ; Wed, 15 Jul 2026 10:24:50 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=JcVmczDe; spf=pass (domain: cisco.com, ip: 173.37.86.75, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=5241; q=dns/txt; s=iport01; t=1784136290; x=1785345890; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=lzm4+NyujaeY4vtiTErUmmNPL5un5fcXj7Lcgg6xTSs=; b=JcVmczDeVea/TVvGRa82T6gL6oFHrscJcFZ+u9kGUeFGbFzjubqfKdzE /+THttezGX4qb1kyenHAuFZLxpQ+Qorfe1DO2aNA2CtS879gFJ5XQQ67u H24NvLoYPKL96AmBmCBZJam4AAslLed5L1xYs+3NCR/3xJB9FYgrgI/uf Bch+lx7AqRC0dHmKSdPBICmv+I+bdGeqxiDO7mSh+U420whyq00f8rpuD JgK1seuM62+3NoGIgBundTVVu4FqAa10Jw1sQ23OOzteJ3gyvAlYQ70mN GfUbwrkGvdIZmMpGLbDXyqiIsvYZuD+SFA4x1j4o+A7CnfiXF1m6U7s/Y g==; X-CSE-ConnectionGUID: /34nwod+RPipuhWCpwpdNg== X-CSE-MsgGUID: vncknsiAQzGv42QTvzrtWA== X-IPAS-Result: A0BIAgDtwVdq/4//Ja1aglmCV3RfQkmUKYIhA54bgX4PAQEBD0QNBAEBhQUCjVECJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgECAQMnCwEYAT0cAwECLysjCBEIgwIBgnQDEb1EgXkzgQGDKAE/AkNQ2y4BCxQBgTiFP4ggXBgBhHwnGxuBcoEVg2mBBYFcAYEohn4EgiKBDIFaHoIGjXNIgR4DWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XgQwbBwWBHYFQgQKEdiMfAzl/gTB1SnctahIXgVGCFIEaAwsYDUgRLDcUGwQ+bgeNSiWBTHMBgQ0BKyJZCnhRkxUbkiGhEgoog3WMIZU6GjOEBJQXklELmH2OCpZQhGmBaDyBRwsHcBU7gmcJShkPji0LC4VfgxTJBTw1AgEIMgEBBwIHDgMLgWiQAIF+AQE IronPort-Data: A9a23:U4oxv6CRFhf4jRVW/3jiw5YqxClBgxIJ4kV8jS/XYbTApDgh1WBVx 2BNUDuBPfzcNGOjeNonYdnkpkoGusTdm4RnOVdlrnsFo1CmBibm6XV1Cm+qYkt+++WaFBoPA /02M4eGdIZvCCeA+n9BC5C5xVFkz6aEW7HgP+DNPyF1VGdMRTwo4f5Zs7ZRbrVA357jXmthh fuo+5eBYAD8hmYtWo4pw/vrRC1H7ayaVAww5jTSVdgT1HfCmn8cCo4oJK3ZBxPQXolOE+emc P3Ixbe/83mx109F5gSNy+uTnuUiG9Y+DCDW4pZkc/HKbitq+kTe5p0G2M80Mi+7vdkmc+dZk 72hvbToIesg0zaldO41C3G0GAkmVUFKFSOuzXWX6aSuI0P6n3TEhK4yCl4xMc4iwudvHGFx3 uQHMDwrYUXW7w626OrTpuhEnM8vKozveYgYoHwllW+fBvc9SpeFSKLPjTNa9G5v3YYVQrCEO pdfMGY0BPjDS0Un1lM/BJ8zhu60hn7XeDxDo1XTrq0yi4TW5FEoiOGyYYOLI7RmQ+1LmE2bo HnH1l3rLQ9GbuWj1yif7k2F07qncSTTHdh6+KeD3vlyjVuew2YeBBEbWR6wpuO0okq/QM5Eb UsM9ywjqKI/+ECmQp/6RRLQnZKflgQXV9wVF6gx7xuAj/KKpQ2YHWMDCDVGbbTKqfMLeNDj7 XfR9/uBONClmOf9pa61nltMkQ6PBA== IronPort-HdrOrdr: A9a23:J99As6xVRUt4K9YEmRlrKrPwAL1zdoMgy1knxilNoHtuA6ilfq +V8sjzuSWYtN9VYgBCpTniAtjkfZqjz/9ICOAqVN/INjUO+lHYTr2KhrGM/9SPIUHDH5ZmtZ tIQuxZFMD6C0R8gILR5Qm1FMtl/fy8mZrY4ts3CxxWPHhXg2YK1XYeNjqm X-Talos-CUID: 9a23:2hOvFGhzSTrj8Tc69X+qD9syKzJuNSaBymjXLwyCMWdxVb2qYkeP4K9CnJ87 X-Talos-MUID: 9a23:RjKmMwYWTRk0I+BTqTnnhzd5Ne5R8YuwVBo0rYsUodW7HHkl X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,165,1779148800"; d="scan'208";a="510179161" Received: from rcdn-l-core-06.cisco.com ([173.37.255.143]) by rcdn-iport-4.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 15 Jul 2026 17:24:49 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-06.cisco.com (Postfix) with ESMTPS id 792831800025B for ; Wed, 15 Jul 2026 17:24:49 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id 9B040CC037D; Wed, 15 Jul 2026 22:54:47 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 5/6] glib-2.0: fix CVE-2026-58014 Date: Wed, 15 Jul 2026 22:53:29 +0530 Message-Id: <20260715172330.1149253-5-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260715172330.1149253-1-deeratho@cisco.com> References: <20260715172330.1149253-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-06.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 15 Jul 2026 17:24:55 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241030 From: Deepak Rathore This patch applies the upstream 2.88.1 backport for CVE-2026-58014. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. [1] https://gitlab.gnome.org/GNOME/glib/-/commit/94ecb5b44a1cae09f481dd5e693832f129948893 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-58014 Signed-off-by: Deepak Rathore --- .../glib-2.0/glib-2.0/CVE-2026-58014.patch | 106 ++++++++++++++++++ meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 1 + 2 files changed, 107 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58014.patch diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58014.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58014.patch new file mode 100644 index 0000000000..4e5262b66d --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58014.patch @@ -0,0 +1,106 @@ +From ba0478c206bc04542df774343c6c85f77df49f6e Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Sat, 11 Apr 2026 14:42:57 +0100 +Subject: [PATCH] gkeyfile: Fix a one-byte heap under-read with + g_key_file_get_locale_string_list() + +If this method was called on a key file key which has an empty value, +`len == 0` and this leads to a one-byte under-read off the start of the +key file buffer. + +Spotted by linhlhq as #YWH-PGM9867-200. The suggested fix is theirs, and +the unit test is adapted from their report. I added the fuzzing test. + +Fixes: #3930 + +CVE: CVE-2026-58014 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/94ecb5b44a1cae09f481dd5e693832f129948893] + +Signed-off-by: Philip Withnall +(cherry picked from commit 94ecb5b44a1cae09f481dd5e693832f129948893) +Signed-off-by: Deepak Rathore +--- + fuzzing/fuzz_key.c | 9 +++++++++ + glib/gkeyfile.c | 2 +- + glib/tests/keyfile.c | 23 +++++++++++++++++++++++ + 3 files changed, 33 insertions(+), 1 deletion(-) + +diff --git a/fuzzing/fuzz_key.c b/fuzzing/fuzz_key.c +index 77cb684..7d00443 100644 +--- a/fuzzing/fuzz_key.c ++++ b/fuzzing/fuzz_key.c +@@ -26,11 +26,20 @@ test_parse (const gchar *data, + GKeyFileFlags flags) + { + GKeyFile *key = NULL; ++ char *comment = NULL; ++ char **list = NULL; + + key = g_key_file_new (); + g_key_file_load_from_data (key, (const gchar*) data, size, G_KEY_FILE_NONE, + NULL); + ++ /* Also try some additional parsing and see if it crashes */ ++ comment = g_key_file_get_comment (key, "group", "key", NULL); ++ g_free (comment); ++ ++ list = g_key_file_get_locale_string_list (key, "group", "key", "de", NULL, NULL); ++ g_strfreev (list); ++ + g_key_file_free (key); + } + +diff --git a/glib/gkeyfile.c b/glib/gkeyfile.c +index d08a485..54d77a5 100644 +--- a/glib/gkeyfile.c ++++ b/glib/gkeyfile.c +@@ -2421,7 +2421,7 @@ g_key_file_get_locale_string_list (GKeyFile *key_file, + } + + len = strlen (value); +- if (value[len - 1] == key_file->list_separator) ++ if (len > 0 && value[len - 1] == key_file->list_separator) + value[len - 1] = '\0'; + + list_separator[0] = key_file->list_separator; +diff --git a/glib/tests/keyfile.c b/glib/tests/keyfile.c +index bc125c1..289bd2b 100644 +--- a/glib/tests/keyfile.c ++++ b/glib/tests/keyfile.c +@@ -850,6 +850,28 @@ test_locale_string_multiple_loads (void) + g_free (old_locale); + } + ++static void ++test_locale_string_empty (void) ++{ ++ GKeyFile *keyfile = NULL; ++ GError *local_error = NULL; ++ const char *data = ++ "[valid]\n" ++ "key1=\n"; ++ ++ g_test_summary ("Check that loading an empty translatable string works"); ++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/3930"); ++ ++ keyfile = g_key_file_new (); ++ ++ g_key_file_load_from_data (keyfile, data, -1, G_KEY_FILE_NONE, &local_error); ++ g_assert_no_error (local_error); ++ ++ check_locale_string_list_value (keyfile, "valid", "key1", NULL, NULL); ++ ++ g_key_file_free (keyfile); ++} ++ + static void + test_lists (void) + { +@@ -1939,6 +1961,7 @@ main (int argc, char *argv[]) + g_test_add_func ("/keyfile/number", test_number); + g_test_add_func ("/keyfile/locale-string", test_locale_string); + g_test_add_func ("/keyfile/locale-string/multiple-loads", test_locale_string_multiple_loads); ++ g_test_add_func ("/keyfile/locale-string/empty", test_locale_string_empty); + g_test_add_func ("/keyfile/lists", test_lists); + g_test_add_func ("/keyfile/lists-set-get", test_lists_set_get); + g_test_add_func ("/keyfile/group-remove", test_group_remove); diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb index 5486969abb..9f1cdbe544 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb @@ -51,6 +51,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://CVE-2026-58011.patch \ file://CVE-2026-58012.patch \ file://CVE-2026-58013.patch \ + file://CVE-2026-58014.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ From patchwork Wed Jul 15 17:23:30 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92604 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C7318C44508 for ; Wed, 15 Jul 2026 17:25:05 +0000 (UTC) Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.22.1784136297670579124 for ; Wed, 15 Jul 2026 10:24:57 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=AgmlOsqY; spf=pass (domain: cisco.com, ip: 173.37.86.75, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=4843; q=dns/txt; s=iport01; t=1784136297; x=1785345897; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=Julhq5YmtL1x/3ex1NdNt2nqhcjn+DJRE3H+9Wb2gns=; b=AgmlOsqYWXBam5SWZJAvxdA4LnSilB1gvQ5F5xE+YgPNfANwkUjvXZD+ gy4giwYQq51VZMuqR8HO+2IaLAUoieNxXaPqeRZUVciEp7E4YTuGuINyY nG7P6GjKSUWiPIOlKhBWUJk/hTrd3FD730qf50jaR0e5oYb9QjVrn45IS nCc9F0jC9rqGadsACrEzN34FFcMSGdZaNr3hPa9TQ0EVx0Lx173IjPw5f WWafnkyyK469O4X/tNCe3ZH9VT3ud+/f12WIC2paZrSAY9OTlrP5J1mVB jSmAXO5tnHorUNoWhf4CKen1G29Q2i+vWzSEq4Id7nqK9bC/Ebb9b/M0E g==; X-CSE-ConnectionGUID: Hk/rTgrZTySplWYGeieqUw== X-CSE-MsgGUID: 3o1RKKa0R+CpbF8rLVjEgA== X-IPAS-Result: A0BLAgDtwVdq/5T/Ja1aHgEBCxIMggULgld0X0JJhFePUoIhA4ETnQiBfg8BAQEPRA0EAQGFBQKNUQImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaAQIBAyMECwEYARsiHAMBAgMCJgICKyMIEAEIgwIBgnQDEQa9Pnp/M4EBgygBPwICQAFQ2y4BCxQBgQouhT+DHQGFAlwYAYR8JxsbgXKBFYJzdoEFgVwBA4FGg3OCagSCIoEMgVoej3lIgQIcA1ksAVUTDQoLBwWBZgM1EioVbjIdgSM+FzRYGwcFgR2BUIEChHYjHwM5f4EwdUp3LWoSF4FRghSBGgMLGA1IESw3FBsEPQFuB41KJYI/MV0BKQKCAy8cpVGhEgoog3WMIZU6GjOqbAuYfY4KlTaBGoRpgWg8gUcLB3AVgyIJShkPji0LC4VfgxTJBTw1AgEIMgEBBwIHDgMLgWiQAi2BTwEB IronPort-Data: A9a23:FK1z66qRWoydzkjTaMO0U9+ABDZeBmJJZBIvgKrLsJaIsI4StFCzt garIBmObPaCZjGmKItxO9i28EIAuJaEyoNqSlBtqSE0FSpB9uPIVI+TRqvS04x+DSFioGZPt Zh2hgzodZhsJpPkjk7zdOCn9j8kif3gqoPUUIbsIjp2SRJvVBAvgBdin/9RqoNziLBVOSvV0 T/Ji5OZYgLNNwJcaDpOtfrc8U435ZwehRtB1rAATaET1LPhvyF94KI3fcmZM3b+S49IKe+2L 86r5K255G7Q4yA2AdqjlLvhGmVSKlIFFVHT4pb+c/HKbilq/kTe4I5iXBYvQRs/ZwGyojxE4 I4lWapc5useFvakdOw1C3G0GszlVEFM0OevzXOX6aR/w6BaGpfh660GMa04AWEX0sZ0Rnty+ uYqFCE2dhS8ts27wb+id/Y506zPLOGzVG8ekmtrwTecCbMtRorOBvyTo9RZxzw3wMtJGJ4yZ eJANmEpN0uGOUASfA5LWPrSn8/w7pX7WzFVpUicuaowy2PS1wd2lrPqNbI5f/TXHJ0MwRfC+ jquE2LRWRZDDv+8wGK/sVm0jMGfhwfFWq8dPejtnhJtqBjJroAJMzURTVa9rPyzh0KyVt4aI EsO9wIqrLMu7wqsVtT7UhiyrXKIsxJaXMBfe9DW8ymXwabSpgLcDW8eQ3sYMZottdQ9Qnoh0 Vrhc87VOAGDeYa9ERq1nop4ZxvpUcTJBQfuvRM5cDY= IronPort-HdrOrdr: A9a23:kys3OK0sgsqf/bbyuRihhQqjBJAkLtp133Aq2lEZdPUzSL3+qy nOpoV+6faaslgssR0b9OxofZPwIk80lqQFhLX5Q43CYOCOggLBR+tfBMnZsl/d8kbFmdK1u5 0NT0EHMr3NJGk/q9rm6w+lFNtl6tyG/Ke0wdr69R5WPGdXg2UK1XYANu5deXcGPTV7OQ== X-Talos-CUID: 9a23:Jwqq4GmHbMe1n/DsL72DhnAryk3XOV3ei23sLFWKNXdSULmqeHCd+a59rtU7zg== X-Talos-MUID: 9a23:lNfZ7g9R5qtuY3+E/dFWwnKQf5xvup6NK0lVq9Yto8OqZTZUBTWwgx3iFw== X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,165,1779148800"; d="scan'208";a="510179240" Received: from rcdn-l-core-11.cisco.com ([173.37.255.148]) by rcdn-iport-4.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 15 Jul 2026 17:24:56 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-11.cisco.com (Postfix) with ESMTPS id 8776218000147 for ; Wed, 15 Jul 2026 17:24:56 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id A838FCC037D; Wed, 15 Jul 2026 22:54:54 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 6/6] glib-2.0: fix CVE-2026-58015 Date: Wed, 15 Jul 2026 22:53:30 +0530 Message-Id: <20260715172330.1149253-6-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260715172330.1149253-1-deeratho@cisco.com> References: <20260715172330.1149253-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-11.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 15 Jul 2026 17:25:05 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241031 From: Deepak Rathore This patch applies the upstream 2.88.1 backport for CVE-2026-58015. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. [1] https://gitlab.gnome.org/GNOME/glib/-/commit/db9c8fae398b0c457e660ce63dd5afec8993046a [2] https://nvd.nist.gov/vuln/detail/CVE-2026-58015 Signed-off-by: Deepak Rathore --- .../glib-2.0/glib-2.0/CVE-2026-58015.patch | 95 +++++++++++++++++++ meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 1 + 2 files changed, 96 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58015.patch diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58015.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58015.patch new file mode 100644 index 0000000000..4af0c1aa29 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58015.patch @@ -0,0 +1,95 @@ +From 90119b27e94759d942d2e8eb55b13d17237b423d Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Tue, 28 Apr 2026 15:47:30 +0100 +Subject: [PATCH] gdbusauthmechanismsha1: Validate cookie context +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Without validation, the server could send a malicious context which +contains path traversal characters, allowing it to exfiltrate a SHA-1 +hashed copy of arbitrary data from the client’s file system. + +To exploit this successfully would require the client to choose to +connect peer-to-peer to a malicious D-Bus server and to choose the SHA-1 +authentication mechanism in preference to all the other mechanisms. This +is vanishingly unlikely. + +Fixes: #3931 + +CVE: CVE-2026-58015 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/db9c8fae398b0c457e660ce63dd5afec8993046a] + +Backport Changes: +- Added include because the target branch does not otherwise + expose uint8_t used by the upstream validation code during native builds. + +Signed-off-by: Philip Withnall +(cherry picked from commit db9c8fae398b0c457e660ce63dd5afec8993046a) +Signed-off-by: Deepak Rathore +--- + gio/gdbusauthmechanismsha1.c | 37 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 37 insertions(+) + +diff --git a/gio/gdbusauthmechanismsha1.c b/gio/gdbusauthmechanismsha1.c +index c8aa089..7f348d8 100644 +--- a/gio/gdbusauthmechanismsha1.c ++++ b/gio/gdbusauthmechanismsha1.c +@@ -22,6 +22,7 @@ + + #include "config.h" + ++#include + #include + #include + #include +@@ -1198,6 +1198,34 @@ mechanism_client_initiate (GDBusAuthMechanism *mechanism, + return initial_response; + } + ++/* Context names must be valid ASCII, nonzero length, and may not contain the ++ * characters slash ("/"), backslash ("\"), space (" "), newline ("\n"), ++ * carriage return ("\r"), tab ("\t"), or period ("."). ++ * ++ * See https://dbus.freedesktop.org/doc/dbus-specification.html#auth-mechanisms-sha */ ++static gboolean ++validate_cookie_context (const char *cookie_context) ++{ ++ size_t i = 0; ++ ++ g_return_val_if_fail (cookie_context != NULL, FALSE); ++ ++ for (i = 0; cookie_context[i] != '\0'; i++) ++ { ++ if ((uint8_t) cookie_context[i] >= 128 || ++ cookie_context[i] == '/' || ++ cookie_context[i] == '\\' || ++ cookie_context[i] == ' ' || ++ cookie_context[i] == '\n' || ++ cookie_context[i] == '\r' || ++ cookie_context[i] == '\t' || ++ cookie_context[i] == '.') ++ return FALSE; ++ } ++ ++ return (i > 0); ++} ++ + static void + mechanism_client_data_receive (GDBusAuthMechanism *mechanism, + const gchar *data, +@@ -1232,6 +1260,14 @@ mechanism_client_data_receive (GDBusAuthMechanism *mechanism, + } + + cookie_context = tokens[0]; ++ if (!validate_cookie_context (tokens[0])) ++ { ++ g_free (m->priv->reject_reason); ++ m->priv->reject_reason = g_strdup_printf ("Malformed cookie_context '%s'", tokens[0]); ++ m->priv->state = G_DBUS_AUTH_MECHANISM_STATE_REJECTED; ++ goto out; ++ } ++ + cookie_id = g_ascii_strtoll (tokens[1], &endp, 10); + if (*endp != '\0') + { diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb index 9f1cdbe544..d3934fbee5 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb @@ -52,6 +52,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://CVE-2026-58012.patch \ file://CVE-2026-58013.patch \ file://CVE-2026-58014.patch \ + file://CVE-2026-58015.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \