mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-01-29 21:08:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
69,239 Commits 38 Branches 617 Tags
32417b8ef75d4a464d9da746fddc80561641333c
Commit Graph

15 Commits

Author SHA1 Message Date
Peter Marko
32417b8ef7 glib-2.0: patch CVE-2025-14087 
Pick commits from [1] linked from [2].

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4933
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3834

(From OE-Core rev: 6e1ce2de818d647d69f652ab67c0c2d13860e77b)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:49:25 +00:00
Peter Marko
0092f97678 glib-2.0: patch CVE-2025-13601 
Pick commits from [1] per [2].

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4914
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-13601

(From OE-Core rev: eb0e4e0fce9378100e4482fc91d6886d84ef7ec2)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:49:25 +00:00
Peter Marko
b5d3231d38 glib-2.0: patch CVE-2025-7039 
Pick commit per [1].
Also pick commit which changed the same code before to apply it cleanly.

[1] https://security-tracker.debian.org/tracker/CVE-2025-7039

(From OE-Core rev: 79355004da104587b2fb40dcb76053431c6a6182)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2025-08-29 08:33:33 -07:00
Peter Marko
bedb86690f glib-2.0: ignore CVE-2025-4056 
NVD report [1] says:
A flaw was found in GLib. A denial of service on **Windows platforms**
may occur if an application attempts to spawn a program using long
command lines.

The fix [3] (linked from [2]) also changes only files
glib/gspawn-win32-helper.c
glib/gspawn-win32.c

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-4056
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3668
[3] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4570

(From OE-Core rev: 8c69793deb78cf9718801825477938c22e229eca)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2025-08-22 07:07:19 -07:00
Praveen Kumar
097732e057 glib-2.0: fix CVE-2025-4373 
A flaw was found in GLib, which is vulnerable to an integer overflow
in the g_string_insert_unichar() function. When the position at which
to insert the character is large, the position will overflow, leading
to a buffer underwrite.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-4373
https://security-tracker.debian.org/tracker/CVE-2025-4373

Upstream-patches:
cc647f9e46
4d435bb480

(From OE-Core rev: 7a7319745637d4b681935ae71706dcc467df3040)

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2025-05-28 08:46:32 -07:00
Peter Marko
04861f8c29 glib-2.0: patch CVE-2025-3360 
Backport commits from [1] fixing [2] for 2.82.x.

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4499
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3647x

(From OE-Core rev: 606cc539ab19ae2bceb366eda7d4872c3763400f)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2025-05-02 08:12:41 -07:00
Jinfeng Wang
f9ff43bbf1 tzdata&tzcode-native: upgrade 2024a -> 2024b 
(From OE-Core rev: 5aa73ec35a3c65df62f17bc8196a35f28fd3522e)

Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit c8d3edb2562ea4d980186e78b4abb5a94b1d7b22)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2024-12-02 06:23:20 -08:00
Vijay Anusuri
3be25b503f glib-2.0: Backport fix for CVE-2024-52533 
Upstream-Status: Backport from ec0b708b98

Reference: https://security-tracker.debian.org/tracker/CVE-2024-52533

(From OE-Core rev: c7ecdd6530e18efd651e2ea57565481f66f7b1cf)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2024-11-27 06:27:25 -08:00
Peter Marko
f13a220288 glib-2.0: patch regression of CVE-2023-32665 
Official CVE-2023-32665 patch introduced a regression for big-endian
architectures.
This code was backported in CVE-2023-32665-0003.patch

Reported in [1] and fixed by [2] where this patch is picked from.

[1] https://gitlab.gnome.org/GNOME/glib/-/issues/2839
[2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3136

(From OE-Core rev: 2400e143477cc93d4698df921bd89ef4b8b4692b)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2024-11-15 06:05:32 -08:00
Peter Marko
f27a1997b6 glib-2.0: patch CVE-2024-34397 
This is taken from https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4047
That MR was not merged as 2.72 is inactive branch now.
But it can be used by distributions, like Ubuntu did under
https://git.launchpad.net/ubuntu/+source/glib2.0/commit/?h=applied/ubuntu/jammy-security&id=94425c909b037c63c9dbbf72015f628ed4ad4aea

(From OE-Core rev: 95e8507848e3143eca83621f6572439e22f60bd4)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2024-06-26 05:04:39 -07:00
Soumya Sambu
a45c130dee glib-2.0: Fix CVE-2023-32643 and CVE-2023-32636 
fuzz_variant_binary_byteswap: Heap-buffer-overflow in g_variant_serialised_get_child

fuzz_variant_text: Timeout in fuzz_variant_text

(From OE-Core rev: f6b85f043f826862c6221bd0875b04aef7ab35ba)

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2023-08-26 04:24:02 -10:00
Soumya Sambu
aae7997aea glib-2.0: Fix CVE-2023-29499 and CVE-2023-32611 
GVariant offset table entry size is not checked in is_normal()

g_variant_byteswap() can take a long time with some non-normal inputs

(From OE-Core rev: 5ed552ce97e22b449c1036f6c58944ab26db2f0d)

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2023-08-26 04:24:02 -10:00
Soumya Sambu
f51146f6ee glib-2.0: Fix CVE-2023-32665 
GVariant deserialisation does not match spec for non-normal data

(From OE-Core rev: 2c1476bed55dc16a84b0fe163a4abb13e3ac5734)

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2023-08-26 04:24:02 -10:00
Ross Burton
a6081883a3 glib-2.0: fix rare GFileInfo test case failure 
If a access or creation timestamp has 0 microseconds, then the test
fails as it doesn't expect this to be a valid value.  Expand a previous
fix for modification times to cover these timestamps too.

[ YOCTO #14373 ]

(From OE-Core rev: a4e29fe2bd3f834f8253716790fbbf032aad9fcc)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 15715e6ad81c97cd50e288f3745615eb19be90d1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2022-11-09 17:42:08 +00:00
Alexander Kanavin
fae45052cf glib-2.0: upgrade 2.72.2 -> 2.72.3 
Bugs fixed:

1941 disposing a non-cancelled inotify GFileMonitor causes deadlocks
2597 Crash in g_socket_client_enumerator_callback when proxy resolving
2639 xdgmime update breaks webkit2gtk file:// requests
2670 Growing memory when using cancellable in g_socket_client_connect_async
2703 glocalfilemonitor: Avoid file monitor destruction from event thread
2709 Backport !2707 “credentials: macos: check for existence of LOCAL_PEERPID” to glib-2-72
2720 Backport !2708 “xdgmime: Fix broken file:// content type lookups for webkitgtk” to glib-2-72
2750 Backport !2745 “gsocketclient: Fix still-reachable references to cancellables” to glib-2-72
2787 Backport !2742 “proxyaddressenumerator: set error parameter more thoughtfully” to glib-2-72

(From OE-Core rev: 0d9a2d4d659acf1747bf4ad328754579143fa07a)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3c4b0196be98fa2dad92f59ead6dd74b26be8ffd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2022-07-16 06:52:45 +01:00