glib-2.0: patch CVE-2025-3360

Backport commits from [1] fixing [2] for 2.82.x. [1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4499 [2] https://gitlab.gnome.org/GNOME/glib/-/issues/3647x (From OE-Core rev: 606cc539ab19ae2bceb366eda7d4872c3763400f) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-04-27 20:30:01 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-05-02 08:12:41 -0700
commit: 04861f8c29dba7bbe9986c543ff31f22165f67f4 (patch)
tree: ebb59e55ae7e4bfca230fb0579c6f47253b8eba8
parent: 4c33a6acfbd7cf83b1bcf144be331b9bc7143953 (diff)
download: poky-04861f8c29dba7bbe9986c543ff31f22165f67f4.tar.gz
7 files changed, 335 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch
new file mode 100644
index 0000000000..91ea6c3748
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch
@@ -0,0 +1,57 @@
+From fe6af80931c35fafc6a2cd0651b6de052d1bffae Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 16:44:58 +0000
+Subject: [PATCH 1/6] gdatetime: Fix integer overflow when parsing very long
+ ISO8601 inputs
+This will only happen with invalid (or maliciously invalid) potential
+ISO8601 strings, but `g_date_time_new_from_iso8601()` needs to be robust
+against that.
+Prevent `length` overflowing by correctly defining it as a `size_t`.
+Similarly for `date_length`, but additionally track its validity in a
+boolean rather than as its sign.
+Spotted by chamalsl as #YWH-PGM9867-43.
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/fe6af80931c35fafc6a2cd0651b6de052d1bffae]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gdatetime.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index ad9c190b6..b33db2c20 100644
+--- a/glib/gdatetime.c
+++ b/glib/gdatetime.c
+@@ -1493,7 +1493,8 @@ parse_iso8601_time (const gchar *text, gsize length,
+ GDateTime *
+ g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz)
+ {
+-  gint length, date_length = -1;
+  size_t length, date_length = 0;
+  gboolean date_length_set = FALSE;
+   gint hour = 0, minute = 0;
+   gdouble seconds = 0.0;
+   GTimeZone *tz = NULL;
+@@ -1504,11 +1505,14 @@ g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz)
+   /* Count length of string and find date / time separator ('T', 't', or ' ') */
+   for (length = 0; text[length] != '\0'; length++)
+     {
+-      if (date_length < 0 && (text[length] == 'T' || text[length] == 't' || text[length] == ' '))
+-        date_length = length;
+      if (!date_length_set && (text[length] == 'T' || text[length] == 't' || text[length] == ' '))
+        {
+          date_length = length;
+          date_length_set = TRUE;
+        }
+     }
+ 
+-  if (date_length < 0)
+  if (!date_length_set)
+     return NULL;
+ 
+   if (!parse_iso8601_time (text + date_length + 1, length - (date_length + 1),
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch
new file mode 100644
index 0000000000..ca5ae2866c
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch
@@ -0,0 +1,53 @@
+From 495c85278f9638fdf3ebf002c759e1bdccebaf2f Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 16:51:36 +0000
+Subject: [PATCH 2/6] gdatetime: Fix potential integer overflow in timezone
+ offset handling
+This one is much harder to trigger than the one in the previous commit,
+but mixing `gssize` and `gsize` always runs the risk of the former
+overflowing for very (very very) long input strings.
+Avoid that possibility by not using the sign of the `tz_offset` to
+indicate its validity, and instead using the return value of the
+function.
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/495c85278f9638fdf3ebf002c759e1bdccebaf2f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gdatetime.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index b33db2c20..792c2ed15 100644
+--- a/glib/gdatetime.c
+++ b/glib/gdatetime.c
+@@ -1342,8 +1342,10 @@ parse_iso8601_date (const gchar *text, gsize length,
+     return FALSE;
+ }
+ 
+/* Value returned in tz_offset is valid if and only if the function return value
+ * is non-NULL. */
+ static GTimeZone *
+-parse_iso8601_timezone (const gchar *text, gsize length, gssize *tz_offset)
+parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ {
+   gint i, tz_length, offset_hours, offset_minutes;
+   gint offset_sign = 1;
+@@ -1411,11 +1413,11 @@ static gboolean
+ parse_iso8601_time (const gchar *text, gsize length,
+                     gint *hour, gint *minute, gdouble *seconds, GTimeZone **tz)
+ {
+-  gssize tz_offset = -1;
+  size_t tz_offset = 0;
+ 
+   /* Check for timezone suffix */
+   *tz = parse_iso8601_timezone (text, length, &tz_offset);
+-  if (tz_offset >= 0)
+  if (*tz != NULL)
+     length = tz_offset;
+ 
+   /* hh:mm:ss(.sss) */
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch
new file mode 100644
index 0000000000..25eb0c6fdd
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch
@@ -0,0 +1,36 @@
+From 5e8a3c19fcad2936dc5e070cf0767a5c5af907c5 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 16:55:18 +0000
+Subject: [PATCH 3/6] gdatetime: Track timezone length as an unsigned size_t
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+It’s guaranteed to be in (0, length] by the calculations above.
+This avoids the possibility of integer overflow through `gssize` not
+being as big as `size_t`.
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/5e8a3c19fcad2936dc5e070cf0767a5c5af907c5]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gdatetime.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index 792c2ed15..6335bcbe2 100644
+--- a/glib/gdatetime.c
+++ b/glib/gdatetime.c
+@@ -1347,7 +1347,8 @@ parse_iso8601_date (const gchar *text, gsize length,
+ static GTimeZone *
+ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ {
+-  gint i, tz_length, offset_hours, offset_minutes;
+  size_t tz_length;
+  gint i, offset_hours, offset_minutes;
+   gint offset_sign = 1;
+   GTimeZone *tz;
+ 
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch
new file mode 100644
index 0000000000..e62604d600
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch
@@ -0,0 +1,76 @@
+From 804a3957720449dcfac601da96bd5f5db2b71ef1 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 17:07:24 +0000
+Subject: [PATCH 4/6] gdatetime: Factor out some string pointer arithmetic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Makes the following code a little clearer, but doesn’t introduce any
+functional changes.
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/804a3957720449dcfac601da96bd5f5db2b71ef1]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gdatetime.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index 6335bcbe2..de5dd7af0 100644
+--- a/glib/gdatetime.c
+++ b/glib/gdatetime.c
+@@ -1351,6 +1351,7 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+   gint i, offset_hours, offset_minutes;
+   gint offset_sign = 1;
+   GTimeZone *tz;
+  const char *tz_start;
+ 
+   /* UTC uses Z suffix  */
+   if (length > 0 && text[length - 1] == 'Z')
+@@ -1368,34 +1369,35 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+       }
+   if (i < 0)
+     return NULL;
+  tz_start = text + i;
+   tz_length = length - i;
+ 
+   /* +hh:mm or -hh:mm */
+-  if (tz_length == 6 && text[i+3] == ':')
+  if (tz_length == 6 && tz_start[3] == ':')
+     {
+-      if (!get_iso8601_int (text + i + 1, 2, &offset_hours) ||
+-          !get_iso8601_int (text + i + 4, 2, &offset_minutes))
+      if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) ||
+          !get_iso8601_int (tz_start + 4, 2, &offset_minutes))
+         return NULL;
+     }
+   /* +hhmm or -hhmm */
+   else if (tz_length == 5)
+     {
+-      if (!get_iso8601_int (text + i + 1, 2, &offset_hours) ||
+-          !get_iso8601_int (text + i + 3, 2, &offset_minutes))
+      if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) ||
+          !get_iso8601_int (tz_start + 3, 2, &offset_minutes))
+         return NULL;
+     }
+   /* +hh or -hh */
+   else if (tz_length == 3)
+     {
+-      if (!get_iso8601_int (text + i + 1, 2, &offset_hours))
+      if (!get_iso8601_int (tz_start + 1, 2, &offset_hours))
+         return NULL;
+       offset_minutes = 0;
+     }
+   else
+     return NULL;
+ 
+-  *tz_offset = i;
+-  tz = g_time_zone_new_identifier (text + i);
+  *tz_offset = tz_start - text;
+  tz = g_time_zone_new_identifier (tz_start);
+ 
+   /* Double-check that the GTimeZone matches our interpretation of the timezone.
+    * This can fail because our interpretation is less strict than (for example)
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch
new file mode 100644
index 0000000000..4d633aaba0
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch
@@ -0,0 +1,57 @@
+From 4c56ff80344e0d8796eb2307091f7b24ec198aa9 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 17:28:33 +0000
+Subject: [PATCH 5/6] gdatetime: Factor out an undersized variable
+For long input strings, it would have been possible for `i` to overflow.
+Avoid that problem by using the `tz_length` instead, so that we count up
+rather than down.
+This commit introduces no functional changes (outside of changing
+undefined behaviour), and can be verified using the identity
+`i === length - tz_length`.
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/4c56ff80344e0d8796eb2307091f7b24ec198aa9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gdatetime.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index de5dd7af0..2f8c864a1 100644
+--- a/glib/gdatetime.c
+++ b/glib/gdatetime.c
+@@ -1348,7 +1348,7 @@ static GTimeZone *
+ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ {
+   size_t tz_length;
+-  gint i, offset_hours, offset_minutes;
+  gint offset_hours, offset_minutes;
+   gint offset_sign = 1;
+   GTimeZone *tz;
+   const char *tz_start;
+@@ -1361,16 +1361,15 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+     }
+ 
+   /* Look for '+' or '-' of offset */
+-  for (i = length - 1; i >= 0; i--)
+-    if (text[i] == '+' || text[i] == '-')
+  for (tz_length = 1; tz_length <= length; tz_length++)
+    if (text[length - tz_length] == '+' || text[length - tz_length] == '-')
+       {
+-        offset_sign = text[i] == '-' ? -1 : 1;
+        offset_sign = text[length - tz_length] == '-' ? -1 : 1;
+         break;
+       }
+-  if (i < 0)
+  if (tz_length > length)
+     return NULL;
+-  tz_start = text + i;
+-  tz_length = length - i;
+  tz_start = text + length - tz_length;
+ 
+   /* +hh:mm or -hh:mm */
+   if (tz_length == 6 && tz_start[3] == ':')
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch
new file mode 100644
index 0000000000..2452b69e2e
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch
@@ -0,0 +1,50 @@
+From 7f6d81130ec05406a8820bc753ed03859e88daea Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 18:20:56 +0000
+Subject: [PATCH 6/6] tests: Add some missing GDateTime ISO8601 parsing tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+This improves test coverage, adding coverage for some lines which I
+spotted were not covered while testing the preceding commits.
+It doesn’t directly test the preceding commits, though.
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/7f6d81130ec05406a8820bc753ed03859e88daea]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/tests/gdatetime.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c
+index 9e1acd097..94dd028a3 100644
+--- a/glib/tests/gdatetime.c
+++ b/glib/tests/gdatetime.c
+@@ -857,6 +857,23 @@ test_GDateTime_new_from_iso8601 (void)
+    * NaN */
+   dt = g_date_time_new_from_iso8601 ("0005306 000001,666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666600080000-00", NULL);
+   g_assert_null (dt);
+
+  /* Various invalid timezone offsets which look like they could be in
+   * `+hh:mm`, `-hh:mm`, `+hhmm`, `-hhmm`, `+hh` or `-hh` format */
+  dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+01:xx", NULL);
+  g_assert_null (dt);
+  dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx:00", NULL);
+  g_assert_null (dt);
+  dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx:xx", NULL);
+  g_assert_null (dt);
+  dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+01xx", NULL);
+  g_assert_null (dt);
+  dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx00", NULL);
+  g_assert_null (dt);
+  dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xxxx", NULL);
+  g_assert_null (dt);
+  dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx", NULL);
+  g_assert_null (dt);
+ }
+ 
+ typedef struct {
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
index b8c75eaa49..cebd84dd50 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -54,6 +54,12 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
           file://gdatetime-test-fail-0001.patch \
           file://gdatetime-test-fail-0002.patch \
           file://gdatetime-test-fail-0003.patch \
+           file://CVE-2025-3360-01.patch \
+           file://CVE-2025-3360-02.patch \
+           file://CVE-2025-3360-03.patch \
+           file://CVE-2025-3360-04.patch \
+           file://CVE-2025-3360-05.patch \
+           file://CVE-2025-3360-06.patch \
           "
 SRC_URI:append:class-native = " file://relocate-modules.patch"
author	Peter Marko <peter.marko@siemens.com>	2025-04-27 20:30:01 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-05-02 08:12:41 -0700
commit	04861f8c29dba7bbe9986c543ff31f22165f67f4 (patch)
tree	ebb59e55ae7e4bfca230fb0579c6f47253b8eba8
parent	4c33a6acfbd7cf83b1bcf144be331b9bc7143953 (diff)
download	poky-04861f8c29dba7bbe9986c543ff31f22165f67f4.tar.gz

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch new file mode 100644 index 0000000000..91ea6c3748 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch
@@ -0,0 +1,57 @@
		1	From fe6af80931c35fafc6a2cd0651b6de052d1bffae Mon Sep 17 00:00:00 2001
		2	From: Philip Withnall <pwithnall@gnome.org>
		3	Date: Tue, 18 Feb 2025 16:44:58 +0000
		4	Subject: [PATCH 1/6] gdatetime: Fix integer overflow when parsing very long
		5	ISO8601 inputs
		6
		7	This will only happen with invalid (or maliciously invalid) potential
		8	ISO8601 strings, but `g_date_time_new_from_iso8601()` needs to be robust
		9	against that.
		10
		11	Prevent `length` overflowing by correctly defining it as a `size_t`.
		12	Similarly for `date_length`, but additionally track its validity in a
		13	boolean rather than as its sign.
		14
		15	Spotted by chamalsl as #YWH-PGM9867-43.
		16
		17	Signed-off-by: Philip Withnall <pwithnall@gnome.org>
		18
		19	CVE: CVE-2025-3360
		20	Upstream-Status: Backport [https://github.com/GNOME/glib/commit/fe6af80931c35fafc6a2cd0651b6de052d1bffae]
		21	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		22	---
		23	glib/gdatetime.c \| 12 ++++++++----
		24	1 file changed, 8 insertions(+), 4 deletions(-)
		25
		26	diff --git a/glib/gdatetime.c b/glib/gdatetime.c
		27	index ad9c190b6..b33db2c20 100644
		28	--- a/glib/gdatetime.c
		29	+++ b/glib/gdatetime.c
		30	@@ -1493,7 +1493,8 @@ parse_iso8601_time (const gchar *text, gsize length,
		31	GDateTime *
		32	g_date_time_new_from_iso8601 (const gchar text, GTimeZone default_tz)
		33	{
		34	- gint length, date_length = -1;
		35	+ size_t length, date_length = 0;
		36	+ gboolean date_length_set = FALSE;
		37	gint hour = 0, minute = 0;
		38	gdouble seconds = 0.0;
		39	GTimeZone *tz = NULL;
		40	@@ -1504,11 +1505,14 @@ g_date_time_new_from_iso8601 (const gchar text, GTimeZone default_tz)
		41	/* Count length of string and find date / time separator ('T', 't', or ' ') */
		42	for (length = 0; text[length] != '\0'; length++)
		43	{
		44	- if (date_length < 0 && (text[length] == 'T' \|\| text[length] == 't' \|\| text[length] == ' '))
		45	- date_length = length;
		46	+ if (!date_length_set && (text[length] == 'T' \|\| text[length] == 't' \|\| text[length] == ' '))
		47	+ {
		48	+ date_length = length;
		49	+ date_length_set = TRUE;
		50	+ }
		51	}
		52
		53	- if (date_length < 0)
		54	+ if (!date_length_set)
		55	return NULL;
		56
		57	if (!parse_iso8601_time (text + date_length + 1, length - (date_length + 1),


diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch new file mode 100644 index 0000000000..ca5ae2866c --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch
@@ -0,0 +1,53 @@
		1	From 495c85278f9638fdf3ebf002c759e1bdccebaf2f Mon Sep 17 00:00:00 2001
		2	From: Philip Withnall <pwithnall@gnome.org>
		3	Date: Tue, 18 Feb 2025 16:51:36 +0000
		4	Subject: [PATCH 2/6] gdatetime: Fix potential integer overflow in timezone
		5	offset handling
		6
		7	This one is much harder to trigger than the one in the previous commit,
		8	but mixing `gssize` and `gsize` always runs the risk of the former
		9	overflowing for very (very very) long input strings.
		10
		11	Avoid that possibility by not using the sign of the `tz_offset` to
		12	indicate its validity, and instead using the return value of the
		13	function.
		14
		15	Signed-off-by: Philip Withnall <pwithnall@gnome.org>
		16
		17	CVE: CVE-2025-3360
		18	Upstream-Status: Backport [https://github.com/GNOME/glib/commit/495c85278f9638fdf3ebf002c759e1bdccebaf2f]
		19	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		20	---
		21	glib/gdatetime.c \| 8 +++++---
		22	1 file changed, 5 insertions(+), 3 deletions(-)
		23
		24	diff --git a/glib/gdatetime.c b/glib/gdatetime.c
		25	index b33db2c20..792c2ed15 100644
		26	--- a/glib/gdatetime.c
		27	+++ b/glib/gdatetime.c
		28	@@ -1342,8 +1342,10 @@ parse_iso8601_date (const gchar *text, gsize length,
		29	return FALSE;
		30	}
		31
		32	+/* Value returned in tz_offset is valid if and only if the function return value
		33	+ * is non-NULL. */
		34	static GTimeZone *
		35	-parse_iso8601_timezone (const gchar text, gsize length, gssize tz_offset)
		36	+parse_iso8601_timezone (const gchar text, gsize length, size_t tz_offset)
		37	{
		38	gint i, tz_length, offset_hours, offset_minutes;
		39	gint offset_sign = 1;
		40	@@ -1411,11 +1413,11 @@ static gboolean
		41	parse_iso8601_time (const gchar *text, gsize length,
		42	gint hour, gint minute, gdouble seconds, GTimeZone *tz)
		43	{
		44	- gssize tz_offset = -1;
		45	+ size_t tz_offset = 0;
		46
		47	/* Check for timezone suffix */
		48	*tz = parse_iso8601_timezone (text, length, &tz_offset);
		49	- if (tz_offset >= 0)
		50	+ if (*tz != NULL)
		51	length = tz_offset;
		52
		53	/* hh:mm:ss(.sss) */


diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch new file mode 100644 index 0000000000..25eb0c6fdd --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch
@@ -0,0 +1,36 @@
		1	From 5e8a3c19fcad2936dc5e070cf0767a5c5af907c5 Mon Sep 17 00:00:00 2001
		2	From: Philip Withnall <pwithnall@gnome.org>
		3	Date: Tue, 18 Feb 2025 16:55:18 +0000
		4	Subject: [PATCH 3/6] gdatetime: Track timezone length as an unsigned size_t
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	It’s guaranteed to be in (0, length] by the calculations above.
		10
		11	This avoids the possibility of integer overflow through `gssize` not
		12	being as big as `size_t`.
		13
		14	Signed-off-by: Philip Withnall <pwithnall@gnome.org>
		15
		16	CVE: CVE-2025-3360
		17	Upstream-Status: Backport [https://github.com/GNOME/glib/commit/5e8a3c19fcad2936dc5e070cf0767a5c5af907c5]
		18	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		19	---
		20	glib/gdatetime.c \| 3 ++-
		21	1 file changed, 2 insertions(+), 1 deletion(-)
		22
		23	diff --git a/glib/gdatetime.c b/glib/gdatetime.c
		24	index 792c2ed15..6335bcbe2 100644
		25	--- a/glib/gdatetime.c
		26	+++ b/glib/gdatetime.c
		27	@@ -1347,7 +1347,8 @@ parse_iso8601_date (const gchar *text, gsize length,
		28	static GTimeZone *
		29	parse_iso8601_timezone (const gchar text, gsize length, size_t tz_offset)
		30	{
		31	- gint i, tz_length, offset_hours, offset_minutes;
		32	+ size_t tz_length;
		33	+ gint i, offset_hours, offset_minutes;
		34	gint offset_sign = 1;
		35	GTimeZone *tz;
		36


diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch new file mode 100644 index 0000000000..e62604d600 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch
@@ -0,0 +1,76 @@
		1	From 804a3957720449dcfac601da96bd5f5db2b71ef1 Mon Sep 17 00:00:00 2001
		2	From: Philip Withnall <pwithnall@gnome.org>
		3	Date: Tue, 18 Feb 2025 17:07:24 +0000
		4	Subject: [PATCH 4/6] gdatetime: Factor out some string pointer arithmetic
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Makes the following code a little clearer, but doesn’t introduce any
		10	functional changes.
		11
		12	Signed-off-by: Philip Withnall <pwithnall@gnome.org>
		13
		14	CVE: CVE-2025-3360
		15	Upstream-Status: Backport [https://github.com/GNOME/glib/commit/804a3957720449dcfac601da96bd5f5db2b71ef1]
		16	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		17	---
		18	glib/gdatetime.c \| 18 ++++++++++--------
		19	1 file changed, 10 insertions(+), 8 deletions(-)
		20
		21	diff --git a/glib/gdatetime.c b/glib/gdatetime.c
		22	index 6335bcbe2..de5dd7af0 100644
		23	--- a/glib/gdatetime.c
		24	+++ b/glib/gdatetime.c
		25	@@ -1351,6 +1351,7 @@ parse_iso8601_timezone (const gchar text, gsize length, size_t tz_offset)
		26	gint i, offset_hours, offset_minutes;
		27	gint offset_sign = 1;
		28	GTimeZone *tz;
		29	+ const char *tz_start;
		30
		31	/* UTC uses Z suffix */
		32	if (length > 0 && text[length - 1] == 'Z')
		33	@@ -1368,34 +1369,35 @@ parse_iso8601_timezone (const gchar text, gsize length, size_t tz_offset)
		34	}
		35	if (i < 0)
		36	return NULL;
		37	+ tz_start = text + i;
		38	tz_length = length - i;
		39
		40	/* +hh:mm or -hh:mm */
		41	- if (tz_length == 6 && text[i+3] == ':')
		42	+ if (tz_length == 6 && tz_start[3] == ':')
		43	{
		44	- if (!get_iso8601_int (text + i + 1, 2, &offset_hours) \|\|
		45	- !get_iso8601_int (text + i + 4, 2, &offset_minutes))
		46	+ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) \|\|
		47	+ !get_iso8601_int (tz_start + 4, 2, &offset_minutes))
		48	return NULL;
		49	}
		50	/* +hhmm or -hhmm */
		51	else if (tz_length == 5)
		52	{
		53	- if (!get_iso8601_int (text + i + 1, 2, &offset_hours) \|\|
		54	- !get_iso8601_int (text + i + 3, 2, &offset_minutes))
		55	+ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) \|\|
		56	+ !get_iso8601_int (tz_start + 3, 2, &offset_minutes))
		57	return NULL;
		58	}
		59	/* +hh or -hh */
		60	else if (tz_length == 3)
		61	{
		62	- if (!get_iso8601_int (text + i + 1, 2, &offset_hours))
		63	+ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours))
		64	return NULL;
		65	offset_minutes = 0;
		66	}
		67	else
		68	return NULL;
		69
		70	- *tz_offset = i;
		71	- tz = g_time_zone_new_identifier (text + i);
		72	+ *tz_offset = tz_start - text;
		73	+ tz = g_time_zone_new_identifier (tz_start);
		74
		75	/* Double-check that the GTimeZone matches our interpretation of the timezone.
		76	* This can fail because our interpretation is less strict than (for example)


diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch new file mode 100644 index 0000000000..4d633aaba0 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch
@@ -0,0 +1,57 @@
		1	From 4c56ff80344e0d8796eb2307091f7b24ec198aa9 Mon Sep 17 00:00:00 2001
		2	From: Philip Withnall <pwithnall@gnome.org>
		3	Date: Tue, 18 Feb 2025 17:28:33 +0000
		4	Subject: [PATCH 5/6] gdatetime: Factor out an undersized variable
		5
		6	For long input strings, it would have been possible for `i` to overflow.
		7	Avoid that problem by using the `tz_length` instead, so that we count up
		8	rather than down.
		9
		10	This commit introduces no functional changes (outside of changing
		11	undefined behaviour), and can be verified using the identity
		12	`i === length - tz_length`.
		13
		14	Signed-off-by: Philip Withnall <pwithnall@gnome.org>
		15
		16	CVE: CVE-2025-3360
		17	Upstream-Status: Backport [https://github.com/GNOME/glib/commit/4c56ff80344e0d8796eb2307091f7b24ec198aa9]
		18	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		19	---
		20	glib/gdatetime.c \| 13 ++++++-------
		21	1 file changed, 6 insertions(+), 7 deletions(-)
		22
		23	diff --git a/glib/gdatetime.c b/glib/gdatetime.c
		24	index de5dd7af0..2f8c864a1 100644
		25	--- a/glib/gdatetime.c
		26	+++ b/glib/gdatetime.c
		27	@@ -1348,7 +1348,7 @@ static GTimeZone *
		28	parse_iso8601_timezone (const gchar text, gsize length, size_t tz_offset)
		29	{
		30	size_t tz_length;
		31	- gint i, offset_hours, offset_minutes;
		32	+ gint offset_hours, offset_minutes;
		33	gint offset_sign = 1;
		34	GTimeZone *tz;
		35	const char *tz_start;
		36	@@ -1361,16 +1361,15 @@ parse_iso8601_timezone (const gchar text, gsize length, size_t tz_offset)
		37	}
		38
		39	/* Look for '+' or '-' of offset */
		40	- for (i = length - 1; i >= 0; i--)
		41	- if (text[i] == '+' \|\| text[i] == '-')
		42	+ for (tz_length = 1; tz_length <= length; tz_length++)
		43	+ if (text[length - tz_length] == '+' \|\| text[length - tz_length] == '-')
		44	{
		45	- offset_sign = text[i] == '-' ? -1 : 1;
		46	+ offset_sign = text[length - tz_length] == '-' ? -1 : 1;
		47	break;
		48	}
		49	- if (i < 0)
		50	+ if (tz_length > length)
		51	return NULL;
		52	- tz_start = text + i;
		53	- tz_length = length - i;
		54	+ tz_start = text + length - tz_length;
		55
		56	/* +hh:mm or -hh:mm */
		57	if (tz_length == 6 && tz_start[3] == ':')


diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch new file mode 100644 index 0000000000..2452b69e2e --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch
@@ -0,0 +1,50 @@
		1	From 7f6d81130ec05406a8820bc753ed03859e88daea Mon Sep 17 00:00:00 2001
		2	From: Philip Withnall <pwithnall@gnome.org>
		3	Date: Tue, 18 Feb 2025 18:20:56 +0000
		4	Subject: [PATCH 6/6] tests: Add some missing GDateTime ISO8601 parsing tests
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	This improves test coverage, adding coverage for some lines which I
		10	spotted were not covered while testing the preceding commits.
		11
		12	It doesn’t directly test the preceding commits, though.
		13
		14	Signed-off-by: Philip Withnall <pwithnall@gnome.org>
		15
		16	CVE: CVE-2025-3360
		17	Upstream-Status: Backport [https://github.com/GNOME/glib/commit/7f6d81130ec05406a8820bc753ed03859e88daea]
		18	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		19	---
		20	glib/tests/gdatetime.c \| 17 +++++++++++++++++
		21	1 file changed, 17 insertions(+)
		22
		23	diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c
		24	index 9e1acd097..94dd028a3 100644
		25	--- a/glib/tests/gdatetime.c
		26	+++ b/glib/tests/gdatetime.c
		27	@@ -857,6 +857,23 @@ test_GDateTime_new_from_iso8601 (void)
		28	* NaN */
		29	dt = g_date_time_new_from_iso8601 ("0005306 000001,666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666600080000-00", NULL);
		30	g_assert_null (dt);
		31	+
		32	+ /* Various invalid timezone offsets which look like they could be in
		33	+ * `+hh:mm`, `-hh:mm`, `+hhmm`, `-hhmm`, `+hh` or `-hh` format */
		34	+ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+01:xx", NULL);
		35	+ g_assert_null (dt);
		36	+ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx:00", NULL);
		37	+ g_assert_null (dt);
		38	+ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx:xx", NULL);
		39	+ g_assert_null (dt);
		40	+ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+01xx", NULL);
		41	+ g_assert_null (dt);
		42	+ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx00", NULL);
		43	+ g_assert_null (dt);
		44	+ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xxxx", NULL);
		45	+ g_assert_null (dt);
		46	+ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx", NULL);
		47	+ g_assert_null (dt);
		48	}
		49
		50	typedef struct {


diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb index b8c75eaa49..cebd84dd50 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -54,6 +54,12 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
54	file://gdatetime-test-fail-0001.patch \	54	file://gdatetime-test-fail-0001.patch \
55	file://gdatetime-test-fail-0002.patch \	55	file://gdatetime-test-fail-0002.patch \
56	file://gdatetime-test-fail-0003.patch \	56	file://gdatetime-test-fail-0003.patch \
		57	file://CVE-2025-3360-01.patch \
		58	file://CVE-2025-3360-02.patch \
		59	file://CVE-2025-3360-03.patch \
		60	file://CVE-2025-3360-04.patch \
		61	file://CVE-2025-3360-05.patch \
		62	file://CVE-2025-3360-06.patch \
57	"	63	"
58	SRC_URI:append:class-native = " file://relocate-modules.patch"	64	SRC_URI:append:class-native = " file://relocate-modules.patch"
59		65