glib-2.0: patch CVE-2025-13601

Pick commits from [1] per [2]. [1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4914 [2] https://nvd.nist.gov/vuln/detail/CVE-2025-13601 (From OE-Core rev: eb0e4e0fce9378100e4482fc91d6886d84ef7ec2) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Peter Marko <peter.marko@siemens.com> 2025-12-31 10:55:42 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-01-26 09:49:25 +0000
commit: 0092f97678b3e36d408df37abf1ecdfad60ac1c8 (patch)
tree: ff9886c795613d300b996f5a46f9e6d7b7fdd86e
parent: 0736fb2025a2b9cf0796420e82a7ef206b137705 (diff)
download: poky-0092f97678b3e36d408df37abf1ecdfad60ac1c8.tar.gz
3 files changed, 255 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-01.patch
new file mode 100644
index 0000000000..7046d2405e
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-01.patch
@@ -0,0 +1,125 @@
+From f28340ee62c655487972ad3c632d231ee098fb7f Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 13 Nov 2025 18:27:22 +0000
+Subject: [PATCH] gconvert: Error out if g_escape_uri_string() would overflow
+If the string to escape contains a very large number of unacceptable
+characters (which would need escaping), the calculation of the length of
+the escaped string could overflow, leading to a potential write off the
+end of the newly allocated string.
+In addition to that, the number of unacceptable characters was counted
+in a signed integer, which would overflow to become negative, making it
+easier for an attacker to craft an input string which would cause an
+out-of-bounds write.
+Fix that by validating the allocation length, and using an unsigned
+integer to count the number of unacceptable characters.
+Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
+from the Sovereign Tech Agency. ID: #YWH-PGM9867-134
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+Fixes: #3827
+CVE: CVE-2025-13601
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/f28340ee62c655487972ad3c632d231ee098fb7f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gconvert.c | 36 +++++++++++++++++++++++++-----------
+ 1 file changed, 25 insertions(+), 11 deletions(-)
+diff --git a/glib/gconvert.c b/glib/gconvert.c
+index b066dd5a8..a02d2ea73 100644
+--- a/glib/gconvert.c
+++ b/glib/gconvert.c
+@@ -1425,8 +1425,9 @@ static const gchar hex[] = "0123456789ABCDEF";
+ /* Note: This escape function works on file: URIs, but if you want to
+  * escape something else, please read RFC-2396 */
+ static gchar *
+-g_escape_uri_string (const gchar *string, 
+-                    UnsafeCharacterSet mask)
+g_escape_uri_string (const gchar         *string,
+                     UnsafeCharacterSet   mask,
+                     GError             **error)
+ {
+ #define ACCEPTABLE(a) ((a)>=32 && (a)<128 && (acceptable[(a)-32] & use_mask))
+ 
+@@ -1434,7 +1435,7 @@ g_escape_uri_string (const gchar *string,
+   gchar *q;
+   gchar *result;
+   int c;
+-  gint unacceptable;
+  size_t unacceptable;
+   UnsafeCharacterSet use_mask;
+   
+   g_return_val_if_fail (mask == UNSAFE_ALL
+@@ -1451,7 +1452,14 @@ g_escape_uri_string (const gchar *string,
+       if (!ACCEPTABLE (c)) 
+        unacceptable++;
+     }
+-  
+
+  if (unacceptable >= (G_MAXSIZE - (p - string)) / 2)
+    {
+      g_set_error_literal (error, G_CONVERT_ERROR, G_CONVERT_ERROR_BAD_URI,
+                           _("The URI is too long"));
+      return NULL;
+    }
+
+   result = g_malloc (p - string + unacceptable * 2 + 1);
+   
+   use_mask = mask;
+@@ -1476,12 +1484,13 @@ g_escape_uri_string (const gchar *string,
+ 
+ 
+ static gchar *
+-g_escape_file_uri (const gchar *hostname,
+-                  const gchar *pathname)
+g_escape_file_uri (const gchar  *hostname,
+                   const gchar  *pathname,
+                   GError      **error)
+ {
+   char *escaped_hostname = NULL;
+-  char *escaped_path;
+-  char *res;
+  char *escaped_path = NULL;
+  char *res = NULL;
+ 
+ #ifdef G_OS_WIN32
+   char *p, *backslash;
+@@ -1502,10 +1511,14 @@ g_escape_file_uri (const gchar *hostname,
+ 
+   if (hostname && *hostname != '\0')
+     {
+-      escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST);
+      escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST, error);
+      if (escaped_hostname == NULL)
+        goto out;
+     }
+ 
+-  escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH);
+  escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH, error);
+  if (escaped_path == NULL)
+    goto out;
+ 
+   res = g_strconcat ("file://",
+                     (escaped_hostname) ? escaped_hostname : "",
+@@ -1513,6 +1526,7 @@ g_escape_file_uri (const gchar *hostname,
+                     escaped_path,
+                     NULL);
+ 
+out:
+ #ifdef G_OS_WIN32
+   g_free ((char *) pathname);
+ #endif
+@@ -1832,7 +1846,7 @@ g_filename_to_uri (const gchar *filename,
+     hostname = NULL;
+ #endif
+ 
+-  escaped_uri = g_escape_file_uri (hostname, filename);
+  escaped_uri = g_escape_file_uri (hostname, filename, error);
+ 
+   return escaped_uri;
+ }
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-02.patch
new file mode 100644
index 0000000000..4be8d0d947
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-02.patch
@@ -0,0 +1,128 @@
+From 7bd3fc372040cdf8eada7f65c32c30da52a7461d Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 13 Nov 2025 18:31:43 +0000
+Subject: [PATCH] fuzzing: Add fuzz tests for g_filename_{to,from}_uri()
+These functions could be called on untrusted input data, and since they
+do URI escaping/unescaping, they have non-trivial string handling code.
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+See: #3827
+CVE: CVE-2025-13601
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/7bd3fc372040cdf8eada7f65c32c30da52a7461d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ fuzzing/fuzz_filename_from_uri.c | 40 ++++++++++++++++++++++++++++++++
+ fuzzing/fuzz_filename_to_uri.c   | 40 ++++++++++++++++++++++++++++++++
+ fuzzing/meson.build              |  2 ++
+ 3 files changed, 82 insertions(+)
+ create mode 100644 fuzzing/fuzz_filename_from_uri.c
+ create mode 100644 fuzzing/fuzz_filename_to_uri.c
+diff --git a/fuzzing/fuzz_filename_from_uri.c b/fuzzing/fuzz_filename_from_uri.c
+new file mode 100644
+index 000000000..9b7a715f0
+--- /dev/null
+++ b/fuzzing/fuzz_filename_from_uri.c
+@@ -0,0 +1,40 @@
+/*
+ * Copyright 2025 GNOME Foundation, Inc.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "fuzz.h"
+
+int
+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
+{
+  unsigned char *nul_terminated_data = NULL;
+  char *filename = NULL;
+  GError *local_error = NULL;
+
+  fuzz_set_logging_func ();
+
+  /* ignore @size (g_filename_from_uri() doesn’t support it); ensure @data is nul-terminated */
+  nul_terminated_data = (unsigned char *) g_strndup ((const char *) data, size);
+  filename = g_filename_from_uri ((const char *) nul_terminated_data, NULL, &local_error);
+  g_free (nul_terminated_data);
+
+  g_free (filename);
+  g_clear_error (&local_error);
+
+  return 0;
+}
+diff --git a/fuzzing/fuzz_filename_to_uri.c b/fuzzing/fuzz_filename_to_uri.c
+new file mode 100644
+index 000000000..acb319203
+--- /dev/null
+++ b/fuzzing/fuzz_filename_to_uri.c
+@@ -0,0 +1,40 @@
+/*
+ * Copyright 2025 GNOME Foundation, Inc.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "fuzz.h"
+
+int
+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
+{
+  unsigned char *nul_terminated_data = NULL;
+  char *uri = NULL;
+  GError *local_error = NULL;
+
+  fuzz_set_logging_func ();
+
+  /* ignore @size (g_filename_to_uri() doesn’t support it); ensure @data is nul-terminated */
+  nul_terminated_data = (unsigned char *) g_strndup ((const char *) data, size);
+  uri = g_filename_to_uri ((const char *) nul_terminated_data, NULL, &local_error);
+  g_free (nul_terminated_data);
+
+  g_free (uri);
+  g_clear_error (&local_error);
+
+  return 0;
+}
+diff --git a/fuzzing/meson.build b/fuzzing/meson.build
+index addbe9071..05f936eeb 100644
+--- a/fuzzing/meson.build
+++ b/fuzzing/meson.build
+@@ -4,6 +4,8 @@ fuzz_targets = [
+   'fuzz_date_parse',
+   'fuzz_date_time_new_from_iso8601',
+   'fuzz_dbus_message',
+  'fuzz_filename_from_uri',
+  'fuzz_filename_to_uri',
+   'fuzz_inet_address_mask_new_from_string',
+   'fuzz_inet_address_new_from_string',
+   'fuzz_inet_socket_address_new_from_string',
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
index 7ba52b5c79..1c4c21614a 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -64,6 +64,8 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
           file://CVE-2025-4373-02.patch \
           file://CVE-2025-7039-01.patch \
           file://CVE-2025-7039-02.patch \
+           file://CVE-2025-13601-01.patch \
+           file://CVE-2025-13601-02.patch \
           "
 SRC_URI:append:class-native = " file://relocate-modules.patch"
author	Peter Marko <peter.marko@siemens.com>	2025-12-31 10:55:42 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2026-01-26 09:49:25 +0000
commit	0092f97678b3e36d408df37abf1ecdfad60ac1c8 (patch)
tree	ff9886c795613d300b996f5a46f9e6d7b7fdd86e
parent	0736fb2025a2b9cf0796420e82a7ef206b137705 (diff)
download	poky-0092f97678b3e36d408df37abf1ecdfad60ac1c8.tar.gz

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-01.patch new file mode 100644 index 0000000000..7046d2405e --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-01.patch
@@ -0,0 +1,125 @@
		1	From f28340ee62c655487972ad3c632d231ee098fb7f Mon Sep 17 00:00:00 2001
		2	From: Philip Withnall <pwithnall@gnome.org>
		3	Date: Thu, 13 Nov 2025 18:27:22 +0000
		4	Subject: [PATCH] gconvert: Error out if g_escape_uri_string() would overflow
		5
		6	If the string to escape contains a very large number of unacceptable
		7	characters (which would need escaping), the calculation of the length of
		8	the escaped string could overflow, leading to a potential write off the
		9	end of the newly allocated string.
		10
		11	In addition to that, the number of unacceptable characters was counted
		12	in a signed integer, which would overflow to become negative, making it
		13	easier for an attacker to craft an input string which would cause an
		14	out-of-bounds write.
		15
		16	Fix that by validating the allocation length, and using an unsigned
		17	integer to count the number of unacceptable characters.
		18
		19	Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
		20	from the Sovereign Tech Agency. ID: #YWH-PGM9867-134
		21
		22	Signed-off-by: Philip Withnall <pwithnall@gnome.org>
		23
		24	Fixes: #3827
		25
		26	CVE: CVE-2025-13601
		27	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/f28340ee62c655487972ad3c632d231ee098fb7f]
		28	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		29	---
		30	glib/gconvert.c \| 36 +++++++++++++++++++++++++-----------
		31	1 file changed, 25 insertions(+), 11 deletions(-)
		32
		33	diff --git a/glib/gconvert.c b/glib/gconvert.c
		34	index b066dd5a8..a02d2ea73 100644
		35	--- a/glib/gconvert.c
		36	+++ b/glib/gconvert.c
		37	@@ -1425,8 +1425,9 @@ static const gchar hex[] = "0123456789ABCDEF";
		38	/* Note: This escape function works on file: URIs, but if you want to
		39	* escape something else, please read RFC-2396 */
		40	static gchar *
		41	-g_escape_uri_string (const gchar *string,
		42	- UnsafeCharacterSet mask)
		43	+g_escape_uri_string (const gchar *string,
		44	+ UnsafeCharacterSet mask,
		45	+ GError **error)
		46	{
		47	#define ACCEPTABLE(a) ((a)>=32 && (a)<128 && (acceptable[(a)-32] & use_mask))
		48
		49	@@ -1434,7 +1435,7 @@ g_escape_uri_string (const gchar *string,
		50	gchar *q;
		51	gchar *result;
		52	int c;
		53	- gint unacceptable;
		54	+ size_t unacceptable;
		55	UnsafeCharacterSet use_mask;
		56
		57	g_return_val_if_fail (mask == UNSAFE_ALL
		58	@@ -1451,7 +1452,14 @@ g_escape_uri_string (const gchar *string,
		59	if (!ACCEPTABLE (c))
		60	unacceptable++;
		61	}
		62	-
		63	+
		64	+ if (unacceptable >= (G_MAXSIZE - (p - string)) / 2)
		65	+ {
		66	+ g_set_error_literal (error, G_CONVERT_ERROR, G_CONVERT_ERROR_BAD_URI,
		67	+ _("The URI is too long"));
		68	+ return NULL;
		69	+ }
		70	+
		71	result = g_malloc (p - string + unacceptable * 2 + 1);
		72
		73	use_mask = mask;
		74	@@ -1476,12 +1484,13 @@ g_escape_uri_string (const gchar *string,
		75
		76
		77	static gchar *
		78	-g_escape_file_uri (const gchar *hostname,
		79	- const gchar *pathname)
		80	+g_escape_file_uri (const gchar *hostname,
		81	+ const gchar *pathname,
		82	+ GError **error)
		83	{
		84	char *escaped_hostname = NULL;
		85	- char *escaped_path;
		86	- char *res;
		87	+ char *escaped_path = NULL;
		88	+ char *res = NULL;
		89
		90	#ifdef G_OS_WIN32
		91	char p, backslash;
		92	@@ -1502,10 +1511,14 @@ g_escape_file_uri (const gchar *hostname,
		93
		94	if (hostname && *hostname != '\0')
		95	{
		96	- escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST);
		97	+ escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST, error);
		98	+ if (escaped_hostname == NULL)
		99	+ goto out;
		100	}
		101
		102	- escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH);
		103	+ escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH, error);
		104	+ if (escaped_path == NULL)
		105	+ goto out;
		106
		107	res = g_strconcat ("file://",
		108	(escaped_hostname) ? escaped_hostname : "",
		109	@@ -1513,6 +1526,7 @@ g_escape_file_uri (const gchar *hostname,
		110	escaped_path,
		111	NULL);
		112
		113	+out:
		114	#ifdef G_OS_WIN32
		115	g_free ((char *) pathname);
		116	#endif
		117	@@ -1832,7 +1846,7 @@ g_filename_to_uri (const gchar *filename,
		118	hostname = NULL;
		119	#endif
		120
		121	- escaped_uri = g_escape_file_uri (hostname, filename);
		122	+ escaped_uri = g_escape_file_uri (hostname, filename, error);
		123
		124	return escaped_uri;
		125	}


diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-02.patch new file mode 100644 index 0000000000..4be8d0d947 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-02.patch
@@ -0,0 +1,128 @@
		1	From 7bd3fc372040cdf8eada7f65c32c30da52a7461d Mon Sep 17 00:00:00 2001
		2	From: Philip Withnall <pwithnall@gnome.org>
		3	Date: Thu, 13 Nov 2025 18:31:43 +0000
		4	Subject: [PATCH] fuzzing: Add fuzz tests for g_filename_{to,from}_uri()
		5
		6	These functions could be called on untrusted input data, and since they
		7	do URI escaping/unescaping, they have non-trivial string handling code.
		8
		9	Signed-off-by: Philip Withnall <pwithnall@gnome.org>
		10
		11	See: #3827
		12
		13	CVE: CVE-2025-13601
		14	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/7bd3fc372040cdf8eada7f65c32c30da52a7461d]
		15	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		16	---
		17	fuzzing/fuzz_filename_from_uri.c \| 40 ++++++++++++++++++++++++++++++++
		18	fuzzing/fuzz_filename_to_uri.c \| 40 ++++++++++++++++++++++++++++++++
		19	fuzzing/meson.build \| 2 ++
		20	3 files changed, 82 insertions(+)
		21	create mode 100644 fuzzing/fuzz_filename_from_uri.c
		22	create mode 100644 fuzzing/fuzz_filename_to_uri.c
		23
		24	diff --git a/fuzzing/fuzz_filename_from_uri.c b/fuzzing/fuzz_filename_from_uri.c
		25	new file mode 100644
		26	index 000000000..9b7a715f0
		27	--- /dev/null
		28	+++ b/fuzzing/fuzz_filename_from_uri.c
		29	@@ -0,0 +1,40 @@
		30	+/*
		31	+ * Copyright 2025 GNOME Foundation, Inc.
		32	+ *
		33	+ * SPDX-License-Identifier: LGPL-2.1-or-later
		34	+ *
		35	+ * This library is free software; you can redistribute it and/or
		36	+ * modify it under the terms of the GNU Lesser General Public
		37	+ * License as published by the Free Software Foundation; either
		38	+ * version 2.1 of the License, or (at your option) any later version.
		39	+ *
		40	+ * This library is distributed in the hope that it will be useful,
		41	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
		42	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		43	+ * Lesser General Public License for more details.
		44	+ *
		45	+ * You should have received a copy of the GNU Lesser General Public
		46	+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
		47	+ */
		48	+
		49	+#include "fuzz.h"
		50	+
		51	+int
		52	+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
		53	+{
		54	+ unsigned char *nul_terminated_data = NULL;
		55	+ char *filename = NULL;
		56	+ GError *local_error = NULL;
		57	+
		58	+ fuzz_set_logging_func ();
		59	+
		60	+ /* ignore @size (g_filename_from_uri() doesn’t support it); ensure @data is nul-terminated */
		61	+ nul_terminated_data = (unsigned char ) g_strndup ((const char ) data, size);
		62	+ filename = g_filename_from_uri ((const char *) nul_terminated_data, NULL, &local_error);
		63	+ g_free (nul_terminated_data);
		64	+
		65	+ g_free (filename);
		66	+ g_clear_error (&local_error);
		67	+
		68	+ return 0;
		69	+}
		70	diff --git a/fuzzing/fuzz_filename_to_uri.c b/fuzzing/fuzz_filename_to_uri.c
		71	new file mode 100644
		72	index 000000000..acb319203
		73	--- /dev/null
		74	+++ b/fuzzing/fuzz_filename_to_uri.c
		75	@@ -0,0 +1,40 @@
		76	+/*
		77	+ * Copyright 2025 GNOME Foundation, Inc.
		78	+ *
		79	+ * SPDX-License-Identifier: LGPL-2.1-or-later
		80	+ *
		81	+ * This library is free software; you can redistribute it and/or
		82	+ * modify it under the terms of the GNU Lesser General Public
		83	+ * License as published by the Free Software Foundation; either
		84	+ * version 2.1 of the License, or (at your option) any later version.
		85	+ *
		86	+ * This library is distributed in the hope that it will be useful,
		87	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
		88	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		89	+ * Lesser General Public License for more details.
		90	+ *
		91	+ * You should have received a copy of the GNU Lesser General Public
		92	+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
		93	+ */
		94	+
		95	+#include "fuzz.h"
		96	+
		97	+int
		98	+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
		99	+{
		100	+ unsigned char *nul_terminated_data = NULL;
		101	+ char *uri = NULL;
		102	+ GError *local_error = NULL;
		103	+
		104	+ fuzz_set_logging_func ();
		105	+
		106	+ /* ignore @size (g_filename_to_uri() doesn’t support it); ensure @data is nul-terminated */
		107	+ nul_terminated_data = (unsigned char ) g_strndup ((const char ) data, size);
		108	+ uri = g_filename_to_uri ((const char *) nul_terminated_data, NULL, &local_error);
		109	+ g_free (nul_terminated_data);
		110	+
		111	+ g_free (uri);
		112	+ g_clear_error (&local_error);
		113	+
		114	+ return 0;
		115	+}
		116	diff --git a/fuzzing/meson.build b/fuzzing/meson.build
		117	index addbe9071..05f936eeb 100644
		118	--- a/fuzzing/meson.build
		119	+++ b/fuzzing/meson.build
		120	@@ -4,6 +4,8 @@ fuzz_targets = [
		121	'fuzz_date_parse',
		122	'fuzz_date_time_new_from_iso8601',
		123	'fuzz_dbus_message',
		124	+ 'fuzz_filename_from_uri',
		125	+ 'fuzz_filename_to_uri',
		126	'fuzz_inet_address_mask_new_from_string',
		127	'fuzz_inet_address_new_from_string',
		128	'fuzz_inet_socket_address_new_from_string',


diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb index 7ba52b5c79..1c4c21614a 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -64,6 +64,8 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
64	file://CVE-2025-4373-02.patch \	64	file://CVE-2025-4373-02.patch \
65	file://CVE-2025-7039-01.patch \	65	file://CVE-2025-7039-01.patch \
66	file://CVE-2025-7039-02.patch \	66	file://CVE-2025-7039-02.patch \
		67	file://CVE-2025-13601-01.patch \
		68	file://CVE-2025-13601-02.patch \
67	"	69	"
68	SRC_URI:append:class-native = " file://relocate-modules.patch"	70	SRC_URI:append:class-native = " file://relocate-modules.patch"
69		71