mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-01-29 21:08:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

glib-2.0: patch CVE-2025-14512

Browse Source 
Pick patch from [1] linked from [2].

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4935
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3845

(From OE-Core rev: 2fb84f36c77e0d049a71dcfa597a67d297cbfd0a)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Peter Marko
2025-12-31 10:55:44 +01:00
committed by Richard Purdie
parent 32417b8ef7
commit b06df1f496
2 changed files with 71 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14512.patch Normal file
View File

@@ -0,0 +1,70 @@
From 1909d8ea9297287f1ff6862968608dcf06e60523 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Thu, 4 Dec 2025 16:37:19 +0000
Subject: [PATCH] gfileattribute: Fix integer overflow calculating escaping for
byte strings
The number of invalid characters in the byte string (characters which
would have to be percent-encoded) was only stored in an `int`, which
gave the possibility of a long string largely full of invalid
characters overflowing this and allowing an attacker-controlled buffer
size to be allocated.
This could be triggered by an attacker controlled file attribute (of
type `G_FILE_ATTRIBUTE_TYPE_BYTE_STRING`), such as
`G_FILE_ATTRIBUTE_THUMBNAIL_PATH` or `G_FILE_ATTRIBUTE_STANDARD_NAME`,
being read by user code.
Spotted by Codean Labs.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Fixes: #3845
CVE: CVE-2025-14512
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/1909d8ea9297287f1ff6862968608dcf06e60523]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
gio/gfileattribute.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/gio/gfileattribute.c b/gio/gfileattribute.c
index c6fde60fa..d3083e5bd 100644
--- a/gio/gfileattribute.c
+++ b/gio/gfileattribute.c
@@ -20,6 +20,7 @@
#include "config.h"
+#include <stdint.h>
#include <string.h>
#include "gfileattribute.h"
@@ -271,11 +272,12 @@ valid_char (char c)
return c >= 32 && c <= 126 && c != '\\';
}
+/* Returns NULL on error */
static char *
escape_byte_string (const char *str)
{
size_t i, len;
- int num_invalid;
+ size_t num_invalid;
char *escaped_val, *p;
unsigned char c;
const char hex_digits[] = "0123456789abcdef";
@@ -293,7 +295,12 @@ escape_byte_string (const char *str)
return g_strdup (str);
else
{
- escaped_val = g_malloc (len + num_invalid*3 + 1);
+ /* Check for overflow. We want to check the inequality:
+ * !(len + num_invalid * 3 + 1 > SIZE_MAX) */
+ if (num_invalid >= (SIZE_MAX - len) / 3)
+ return NULL;
+
+ escaped_val = g_malloc (len + num_invalid * 3 + 1);
p = escaped_val;
for (i = 0; i < len; i++)

1
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
View File

@@ -69,6 +69,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://CVE-2025-14087-01.patch \ file://CVE-2025-14087-01.patch \
file://CVE-2025-14087-02.patch \ file://CVE-2025-14087-02.patch \
file://CVE-2025-14087-03.patch \ file://CVE-2025-14087-03.patch \
file://CVE-2025-14512.patch \
" "
SRC_URI:append:class-native = " file://relocate-modules.patch" SRC_URI:append:class-native = " file://relocate-modules.patch"