diff --git a/backport-CVE-2025-13601.patch b/backport-CVE-2025-13601.patch deleted file mode 100644 index acba3fd7bd2d403daba2cf4e60e26b40fcdb933c..0000000000000000000000000000000000000000 --- a/backport-CVE-2025-13601.patch +++ /dev/null @@ -1,261 +0,0 @@ -From 9bcd65ba5fa1b92ff0fb8380faea335ccef56253 Mon Sep 17 00:00:00 2001 -From: Philip Withnall -Date: Thu, 13 Nov 2025 18:27:22 +0000 -Subject: [PATCH 1/2] gconvert: Error out if g_escape_uri_string() would - overflow -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If the string to escape contains a very large number of unacceptable -characters (which would need escaping), the calculation of the length of -the escaped string could overflow, leading to a potential write off the -end of the newly allocated string. - -In addition to that, the number of unacceptable characters was counted -in a signed integer, which would overflow to become negative, making it -easier for an attacker to craft an input string which would cause an -out-of-bounds write. - -Fix that by validating the allocation length, and using an unsigned -integer to count the number of unacceptable characters. - -Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme -from the Sovereign Tech Agency. ID: #YWH-PGM9867-134 - -Signed-off-by: Philip Withnall - -Fixes: #3827 - -Backport 2.86: Changed the translatable error message to re-use an -existing translatable string, to avoid adding new translatable strings -to a stable branch. The re-used string doesn’t perfectly match the -error, but it’s good enough given that no users will ever see it. ---- - glib/gconvert.c | 36 +++++++++++++++++++++++++----------- - 1 file changed, 25 insertions(+), 11 deletions(-) - -diff --git a/glib/gconvert.c b/glib/gconvert.c -index 7ad8ca018f..367e9b4661 100644 ---- a/glib/gconvert.c -+++ b/glib/gconvert.c -@@ -1336,8 +1336,9 @@ static const gchar hex[] = "0123456789ABCDEF"; - /* Note: This escape function works on file: URIs, but if you want to - * escape something else, please read RFC-2396 */ - static gchar * --g_escape_uri_string (const gchar *string, -- UnsafeCharacterSet mask) -+g_escape_uri_string (const gchar *string, -+ UnsafeCharacterSet mask, -+ GError **error) - { - #define ACCEPTABLE(a) ((a)>=32 && (a)<128 && (acceptable[(a)-32] & use_mask)) - -@@ -1345,7 +1346,7 @@ g_escape_uri_string (const gchar *string, - gchar *q; - gchar *result; - int c; -- gint unacceptable; -+ size_t unacceptable; - UnsafeCharacterSet use_mask; - - g_return_val_if_fail (mask == UNSAFE_ALL -@@ -1362,7 +1363,14 @@ g_escape_uri_string (const gchar *string, - if (!ACCEPTABLE (c)) - unacceptable++; - } -- -+ -+ if (unacceptable >= (G_MAXSIZE - (p - string)) / 2) -+ { -+ g_set_error_literal (error, G_CONVERT_ERROR, G_CONVERT_ERROR_BAD_URI, -+ _("Invalid hostname")); -+ return NULL; -+ } -+ - result = g_malloc (p - string + unacceptable * 2 + 1); - - use_mask = mask; -@@ -1387,12 +1395,13 @@ g_escape_uri_string (const gchar *string, - - - static gchar * --g_escape_file_uri (const gchar *hostname, -- const gchar *pathname) -+g_escape_file_uri (const gchar *hostname, -+ const gchar *pathname, -+ GError **error) - { - char *escaped_hostname = NULL; -- char *escaped_path; -- char *res; -+ char *escaped_path = NULL; -+ char *res = NULL; - - #ifdef G_OS_WIN32 - char *p, *backslash; -@@ -1413,10 +1422,14 @@ g_escape_file_uri (const gchar *hostname, - - if (hostname && *hostname != '\0') - { -- escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST); -+ escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST, error); -+ if (escaped_hostname == NULL) -+ goto out; - } - -- escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH); -+ escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH, error); -+ if (escaped_path == NULL) -+ goto out; - - res = g_strconcat ("file://", - (escaped_hostname) ? escaped_hostname : "", -@@ -1424,6 +1437,7 @@ g_escape_file_uri (const gchar *hostname, - escaped_path, - NULL); - -+out: - #ifdef G_OS_WIN32 - g_free ((char *) pathname); - #endif -@@ -1757,7 +1771,7 @@ g_filename_to_uri (const gchar *filename, - hostname = NULL; - #endif - -- escaped_uri = g_escape_file_uri (hostname, filename); -+ escaped_uri = g_escape_file_uri (hostname, filename, error); - - return escaped_uri; - } --- -GitLab - - -From 7e5489cb921d0531ee4ebc9938da30a02084b2fa Mon Sep 17 00:00:00 2001 -From: Philip Withnall -Date: Thu, 13 Nov 2025 18:31:43 +0000 -Subject: [PATCH 2/2] fuzzing: Add fuzz tests for g_filename_{to,from}_uri() - -These functions could be called on untrusted input data, and since they -do URI escaping/unescaping, they have non-trivial string handling code. - -Signed-off-by: Philip Withnall - -See: #3827 ---- - fuzzing/fuzz_filename_from_uri.c | 40 ++++++++++++++++++++++++++++++++ - fuzzing/fuzz_filename_to_uri.c | 40 ++++++++++++++++++++++++++++++++ - fuzzing/meson.build | 2 ++ - 3 files changed, 82 insertions(+) - create mode 100644 fuzzing/fuzz_filename_from_uri.c - create mode 100644 fuzzing/fuzz_filename_to_uri.c - -diff --git a/fuzzing/fuzz_filename_from_uri.c b/fuzzing/fuzz_filename_from_uri.c -new file mode 100644 -index 0000000000..9b7a715f07 ---- /dev/null -+++ b/fuzzing/fuzz_filename_from_uri.c -@@ -0,0 +1,40 @@ -+/* -+ * Copyright 2025 GNOME Foundation, Inc. -+ * -+ * SPDX-License-Identifier: LGPL-2.1-or-later -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, see . -+ */ -+ -+#include "fuzz.h" -+ -+int -+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size) -+{ -+ unsigned char *nul_terminated_data = NULL; -+ char *filename = NULL; -+ GError *local_error = NULL; -+ -+ fuzz_set_logging_func (); -+ -+ /* ignore @size (g_filename_from_uri() doesn’t support it); ensure @data is nul-terminated */ -+ nul_terminated_data = (unsigned char *) g_strndup ((const char *) data, size); -+ filename = g_filename_from_uri ((const char *) nul_terminated_data, NULL, &local_error); -+ g_free (nul_terminated_data); -+ -+ g_free (filename); -+ g_clear_error (&local_error); -+ -+ return 0; -+} -diff --git a/fuzzing/fuzz_filename_to_uri.c b/fuzzing/fuzz_filename_to_uri.c -new file mode 100644 -index 0000000000..acb3192035 ---- /dev/null -+++ b/fuzzing/fuzz_filename_to_uri.c -@@ -0,0 +1,40 @@ -+/* -+ * Copyright 2025 GNOME Foundation, Inc. -+ * -+ * SPDX-License-Identifier: LGPL-2.1-or-later -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, see . -+ */ -+ -+#include "fuzz.h" -+ -+int -+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size) -+{ -+ unsigned char *nul_terminated_data = NULL; -+ char *uri = NULL; -+ GError *local_error = NULL; -+ -+ fuzz_set_logging_func (); -+ -+ /* ignore @size (g_filename_to_uri() doesn’t support it); ensure @data is nul-terminated */ -+ nul_terminated_data = (unsigned char *) g_strndup ((const char *) data, size); -+ uri = g_filename_to_uri ((const char *) nul_terminated_data, NULL, &local_error); -+ g_free (nul_terminated_data); -+ -+ g_free (uri); -+ g_clear_error (&local_error); -+ -+ return 0; -+} -diff --git a/fuzzing/meson.build b/fuzzing/meson.build -index addbe90717..05f936eeb2 100644 ---- a/fuzzing/meson.build -+++ b/fuzzing/meson.build -@@ -25,6 +25,8 @@ fuzz_targets = [ - 'fuzz_date_parse', - 'fuzz_date_time_new_from_iso8601', - 'fuzz_dbus_message', -+ 'fuzz_filename_from_uri', -+ 'fuzz_filename_to_uri', - 'fuzz_get_locale_variants', - 'fuzz_inet_address_mask_new_from_string', - 'fuzz_inet_address_new_from_string', --- -GitLab - diff --git a/glib-2.86.2.tar.xz b/glib-2.86.3.tar.xz similarity index 32% rename from glib-2.86.2.tar.xz rename to glib-2.86.3.tar.xz index 1af3b4ef27a5992d649a04eaf596a29ac41fcbee..16da018bd766ca7643963c7005a539e6b851c6ae 100644 --- a/glib-2.86.2.tar.xz +++ b/glib-2.86.3.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:8a724e970855357ea8101e27727202392a0ffd5410a98336aed54ec59113e611 -size 5673792 +oid sha256:b3211d8d34b9df5dca05787ef0ad5d7ca75dec998b970e1aab0001d229977c65 +size 5674820 diff --git a/glib2.spec b/glib2.spec index 3fcb42e0658bcab0d17d0602b4eb2736e8431652..1cb1e598659dc65ee0e45886bd80f1682d3328b0 100644 --- a/glib2.spec +++ b/glib2.spec @@ -1,8 +1,8 @@ %bcond_without introspection Name: glib2 -Version: 2.86.2 -Release: 2 +Version: 2.86.3 +Release: 1 Summary: The core library that forms the basis for projects such as GTK+ and GNOME License: LGPL-2.1-or-later URL: https://www.gtk.org @@ -11,7 +11,6 @@ Source0: https://download.gnome.org/sources/glib/%{version_major_minor}/g Patch1: gspawn-eperm.patch Patch3: gio-fix-filesystem-type-ext-err.patch Patch4: Correct-translation-information.patch -Patch6001: backport-CVE-2025-13601.patch BuildRequires: gcc gettext BuildRequires: meson >= 1.4.0 @@ -233,6 +232,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %{_docdir}/g*-2.0 %changelog +* Tue Dec 09 2025 Funda Wang - 2.86.3-1 +- update to 2.86.3 + * Sat Nov 29 2025 Funda Wang - 2.86.2-2 - fix CVE-2025-13601