mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-02-28 20:39:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

glib-2.0: patch CVE-2026-0988

Browse Source 
Pick relevant commit from [2] linked from [1].

[1] https://gitlab.gnome.org/GNOME/glib/-/issues/3851
[2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4944

(From OE-Core rev: 9df34167c74267b63d46c354efe9b3874efa062e)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Peter Marko
2026-01-24 21:53:40 +01:00
committed by Richard Purdie
parent 236069b7e0
commit 53dbc9c218
2 changed files with 59 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch Normal file
View File

@@ -0,0 +1,58 @@
From c5766cff61ffce0b8e787eae09908ac348338e5f Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Thu, 18 Dec 2025 23:12:18 +0000
Subject: [PATCH] gbufferedinputstream: Fix a potential integer overflow in
peek()
If the caller provides `offset` and `count` arguments which overflow,
their sum will overflow and could lead to `memcpy()` reading out more
memory than expected.
Spotted by Codean Labs.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Fixes: #3851
CVE: CVE-2026-0988
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/c5766cff61ffce0b8e787eae09908ac348338e5f]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
gio/gbufferedinputstream.c | 2 +-
gio/tests/buffered-input-stream.c | 10 ++++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/gio/gbufferedinputstream.c b/gio/gbufferedinputstream.c
index 9e6bacc62..56d656be0 100644
--- a/gio/gbufferedinputstream.c
+++ b/gio/gbufferedinputstream.c
@@ -590,7 +590,7 @@ g_buffered_input_stream_peek (GBufferedInputStream *stream,
available = g_buffered_input_stream_get_available (stream);
- if (offset > available)
+ if (offset > available || offset > G_MAXSIZE - count)
return 0;
end = MIN (offset + count, available);
diff --git a/gio/tests/buffered-input-stream.c b/gio/tests/buffered-input-stream.c
index a1af4eeff..2b2a0d9aa 100644
--- a/gio/tests/buffered-input-stream.c
+++ b/gio/tests/buffered-input-stream.c
@@ -60,6 +60,16 @@ test_peek (void)
g_assert_cmpint (npeek, ==, 0);
g_free (buffer);
+ buffer = g_new0 (char, 64);
+ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 8, 0);
+ g_assert_cmpint (npeek, ==, 0);
+ g_free (buffer);
+
+ buffer = g_new0 (char, 64);
+ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 5, G_MAXSIZE);
+ g_assert_cmpint (npeek, ==, 0);
+ g_free (buffer);
+
g_object_unref (in);
g_object_unref (base);
}

1
meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
View File

@@ -39,6 +39,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://CVE-2025-14087-02.patch \
file://CVE-2025-14087-03.patch \
file://CVE-2025-14512.patch \
file://CVE-2026-0988.patch \
"
SRC_URI:append:class-native = " file://relocate-modules.patch \
file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \