glib-2.0: patch CVE-2025-6052

Backport commits from [1] which references this CVE. [1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4681 (From OE-Core rev: a96c84cb861cb550ddcabd2396a74b00f0035ba4) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-08-18 21:58:57 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-08-26 06:33:14 -0700
commit: c00fb3ce449d30ba497e44e6b70a8ff175d1284d (patch)
tree: 6d6f8d9592d180a1bf72c4a3be82bda885aee1c9
parent: d2cf21799c64d4465711669e1432cf729b1dcc57 (diff)
download: poky-c00fb3ce449d30ba497e44e6b70a8ff175d1284d.tar.gz
3 files changed, 135 insertions, 1 deletions
diff --git a/meta/recipes-core/glib-2.0/files/CVE-2025-6052-1.patch b/meta/recipes-core/glib-2.0/files/CVE-2025-6052-1.patch
new file mode 100644
index 0000000000..a344735ee4
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/files/CVE-2025-6052-1.patch
@@ -0,0 +1,97 @@
+From 6aa97beda32bb337370858862f4efe2f3372619f Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Mon, 7 Jul 2025 20:52:24 +0200
+Subject: [PATCH] gstring: Fix g_string_sized_new segmentation fault
+If glib is compiled with -Dglib_assert=false, i.e. no asserts
+enabled, then g_string_sized_new(G_MAXSIZE) leads to a segmentation
+fault due to an out of boundary write.
+This happens because the overflow check was moved into
+g_string_maybe_expand which is not called by g_string_sized_new.
+By assuming that string->allocated_len is always larger than
+string->len (and the code would be in huge trouble if that is not true),
+the G_UNLIKELY check in g_string_maybe_expand can be rephrased to
+avoid a potential G_MAXSIZE overflow.
+This in turn leads to 150-200 bytes smaller compiled library
+depending on gcc and clang versions, and one less check for the most
+common code paths.
+Reverts https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4655 and
+reorders internal g_string_maybe_expand check to still fix
+CVE-2025-6052.
+CVE: CVE-2025-6052
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/6aa97beda32bb337370858862f4efe2f3372619f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gstring.c      | 10 +++++-----
+ glib/tests/string.c | 18 ++++++++++++++++++
+ 2 files changed, 23 insertions(+), 5 deletions(-)
+diff --git a/glib/gstring.c b/glib/gstring.c
+index 010a8e976..24c4bfb40 100644
+--- a/glib/gstring.c
+++ b/glib/gstring.c
+@@ -68,6 +68,10 @@ static void
+ g_string_expand (GString *string,
+                  gsize    len)
+ {
+  /* Detect potential overflow */
+  if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
+    g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
+
+   string->allocated_len = g_nearest_pow (string->len + len + 1);
+   /* If the new size is bigger than G_MAXSIZE / 2, only allocate enough
+    * memory for this string and don't over-allocate.
+@@ -82,11 +86,7 @@ static inline void
+ g_string_maybe_expand (GString *string,
+                        gsize    len)
+ {
+-  /* Detect potential overflow */
+-  if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
+-    g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
+-
+-  if (G_UNLIKELY (string->len + len >= string->allocated_len))
+  if (G_UNLIKELY (len >= string->allocated_len - string->len))
+     g_string_expand (string, len);
+ }
+ 
+diff --git a/glib/tests/string.c b/glib/tests/string.c
+index aa363c57a..e3bc4a02e 100644
+--- a/glib/tests/string.c
+++ b/glib/tests/string.c
+@@ -767,6 +767,23 @@ test_string_new_take_null (void)
+   g_string_free (g_steal_pointer (&string), TRUE);
+ }
+ 
+static void
+test_string_sized_new (void)
+{
+
+  if (g_test_subprocess ())
+    {
+      GString *string = g_string_sized_new (G_MAXSIZE);
+      g_string_free (string, TRUE);
+    }
+  else
+    {
+      g_test_trap_subprocess (NULL, 0, G_TEST_SUBPROCESS_DEFAULT);
+      g_test_trap_assert_failed ();
+      g_test_trap_assert_stderr ("*string would overflow*");
+    }
+}
+
+ int
+ main (int   argc,
+       char *argv[])
+@@ -796,6 +813,7 @@ main (int   argc,
+   g_test_add_func ("/string/test-string-steal", test_string_steal);
+   g_test_add_func ("/string/test-string-new-take", test_string_new_take);
+   g_test_add_func ("/string/test-string-new-take/null", test_string_new_take_null);
+  g_test_add_func ("/string/sized-new", test_string_sized_new);
+ 
+   return g_test_run();
+ }
diff --git a/meta/recipes-core/glib-2.0/files/CVE-2025-6052-2.patch b/meta/recipes-core/glib-2.0/files/CVE-2025-6052-2.patch
new file mode 100644
index 0000000000..703dfdf46c
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/files/CVE-2025-6052-2.patch
@@ -0,0 +1,35 @@
+From 3752760c5091eaed561ec11636b069e529533514 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Mon, 7 Jul 2025 20:57:41 +0200
+Subject: [PATCH] gstring: Improve g_string_append_len_inline checks
+Use the same style for the G_LIKELY check here as in g_string_sized_new.
+The check could overflow on 32 bit systems.
+Also improve the memcpy/memmove check to use memcpy if val itself is
+adjacent to end + len_unsigned, which means that no overlapping exists.
+CVE: CVE-2025-6052
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/3752760c5091eaed561ec11636b069e529533514]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gstring.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/glib/gstring.h b/glib/gstring.h
+index e817176c9..c5e64b33a 100644
+--- a/glib/gstring.h
+++ b/glib/gstring.h
+@@ -232,10 +232,10 @@ g_string_append_len_inline (GString    *gstring,
+   else
+     len_unsigned = (gsize) len;
+ 
+-  if (G_LIKELY (gstring->len + len_unsigned < gstring->allocated_len))
+  if (G_LIKELY (len_unsigned < gstring->allocated_len - gstring->len))
+     {
+       char *end = gstring->str + gstring->len;
+-      if (G_LIKELY (val + len_unsigned <= end || val > end + len_unsigned))
+      if (G_LIKELY (val + len_unsigned <= end || val >= end + len_unsigned))
+         memcpy (end, val, len_unsigned);
+       else
+         memmove (end, val, len_unsigned);
diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc
index c171598bed..b967b9402f 100644
--- a/meta/recipes-core/glib-2.0/glib.inc
+++ b/meta/recipes-core/glib-2.0/glib.inc
@@ -229,8 +229,10 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
           file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \
           file://0010-Do-not-hardcode-python-path-into-various-tools.patch \
           file://skip-timeout.patch \
+           file://CVE-2025-6052-1.patch \
+           file://CVE-2025-6052-2.patch \
           "
-SRC_URI:append:class-native = " file://relocate-modules.patch \ 
+SRC_URI:append:class-native = " file://relocate-modules.patch \
                                file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \
                              "
author	Peter Marko <peter.marko@siemens.com>	2025-08-18 21:58:57 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-08-26 06:33:14 -0700
commit	c00fb3ce449d30ba497e44e6b70a8ff175d1284d (patch)
tree	6d6f8d9592d180a1bf72c4a3be82bda885aee1c9
parent	d2cf21799c64d4465711669e1432cf729b1dcc57 (diff)
download	poky-c00fb3ce449d30ba497e44e6b70a8ff175d1284d.tar.gz

diff --git a/meta/recipes-core/glib-2.0/files/CVE-2025-6052-1.patch b/meta/recipes-core/glib-2.0/files/CVE-2025-6052-1.patch new file mode 100644 index 0000000000..a344735ee4 --- /dev/null +++ b/meta/recipes-core/glib-2.0/files/CVE-2025-6052-1.patch
@@ -0,0 +1,97 @@
		1	From 6aa97beda32bb337370858862f4efe2f3372619f Mon Sep 17 00:00:00 2001
		2	From: Tobias Stoeckmann <tobias@stoeckmann.org>
		3	Date: Mon, 7 Jul 2025 20:52:24 +0200
		4	Subject: [PATCH] gstring: Fix g_string_sized_new segmentation fault
		5
		6	If glib is compiled with -Dglib_assert=false, i.e. no asserts
		7	enabled, then g_string_sized_new(G_MAXSIZE) leads to a segmentation
		8	fault due to an out of boundary write.
		9
		10	This happens because the overflow check was moved into
		11	g_string_maybe_expand which is not called by g_string_sized_new.
		12
		13	By assuming that string->allocated_len is always larger than
		14	string->len (and the code would be in huge trouble if that is not true),
		15	the G_UNLIKELY check in g_string_maybe_expand can be rephrased to
		16	avoid a potential G_MAXSIZE overflow.
		17
		18	This in turn leads to 150-200 bytes smaller compiled library
		19	depending on gcc and clang versions, and one less check for the most
		20	common code paths.
		21
		22	Reverts https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4655 and
		23	reorders internal g_string_maybe_expand check to still fix
		24	CVE-2025-6052.
		25
		26	CVE: CVE-2025-6052
		27	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/6aa97beda32bb337370858862f4efe2f3372619f]
		28	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		29	---
		30	glib/gstring.c \| 10 +++++-----
		31	glib/tests/string.c \| 18 ++++++++++++++++++
		32	2 files changed, 23 insertions(+), 5 deletions(-)
		33
		34	diff --git a/glib/gstring.c b/glib/gstring.c
		35	index 010a8e976..24c4bfb40 100644
		36	--- a/glib/gstring.c
		37	+++ b/glib/gstring.c
		38	@@ -68,6 +68,10 @@ static void
		39	g_string_expand (GString *string,
		40	gsize len)
		41	{
		42	+ /* Detect potential overflow */
		43	+ if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
		44	+ g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
		45	+
		46	string->allocated_len = g_nearest_pow (string->len + len + 1);
		47	/* If the new size is bigger than G_MAXSIZE / 2, only allocate enough
		48	* memory for this string and don't over-allocate.
		49	@@ -82,11 +86,7 @@ static inline void
		50	g_string_maybe_expand (GString *string,
		51	gsize len)
		52	{
		53	- /* Detect potential overflow */
		54	- if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
		55	- g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
		56	-
		57	- if (G_UNLIKELY (string->len + len >= string->allocated_len))
		58	+ if (G_UNLIKELY (len >= string->allocated_len - string->len))
		59	g_string_expand (string, len);
		60	}
		61
		62	diff --git a/glib/tests/string.c b/glib/tests/string.c
		63	index aa363c57a..e3bc4a02e 100644
		64	--- a/glib/tests/string.c
		65	+++ b/glib/tests/string.c
		66	@@ -767,6 +767,23 @@ test_string_new_take_null (void)
		67	g_string_free (g_steal_pointer (&string), TRUE);
		68	}
		69
		70	+static void
		71	+test_string_sized_new (void)
		72	+{
		73	+
		74	+ if (g_test_subprocess ())
		75	+ {
		76	+ GString *string = g_string_sized_new (G_MAXSIZE);
		77	+ g_string_free (string, TRUE);
		78	+ }
		79	+ else
		80	+ {
		81	+ g_test_trap_subprocess (NULL, 0, G_TEST_SUBPROCESS_DEFAULT);
		82	+ g_test_trap_assert_failed ();
		83	+ g_test_trap_assert_stderr ("string would overflow");
		84	+ }
		85	+}
		86	+
		87	int
		88	main (int argc,
		89	char *argv[])
		90	@@ -796,6 +813,7 @@ main (int argc,
		91	g_test_add_func ("/string/test-string-steal", test_string_steal);
		92	g_test_add_func ("/string/test-string-new-take", test_string_new_take);
		93	g_test_add_func ("/string/test-string-new-take/null", test_string_new_take_null);
		94	+ g_test_add_func ("/string/sized-new", test_string_sized_new);
		95
		96	return g_test_run();
		97	}


diff --git a/meta/recipes-core/glib-2.0/files/CVE-2025-6052-2.patch b/meta/recipes-core/glib-2.0/files/CVE-2025-6052-2.patch new file mode 100644 index 0000000000..703dfdf46c --- /dev/null +++ b/meta/recipes-core/glib-2.0/files/CVE-2025-6052-2.patch
@@ -0,0 +1,35 @@
		1	From 3752760c5091eaed561ec11636b069e529533514 Mon Sep 17 00:00:00 2001
		2	From: Tobias Stoeckmann <tobias@stoeckmann.org>
		3	Date: Mon, 7 Jul 2025 20:57:41 +0200
		4	Subject: [PATCH] gstring: Improve g_string_append_len_inline checks
		5
		6	Use the same style for the G_LIKELY check here as in g_string_sized_new.
		7	The check could overflow on 32 bit systems.
		8
		9	Also improve the memcpy/memmove check to use memcpy if val itself is
		10	adjacent to end + len_unsigned, which means that no overlapping exists.
		11
		12	CVE: CVE-2025-6052
		13	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/3752760c5091eaed561ec11636b069e529533514]
		14	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		15	---
		16	glib/gstring.h \| 4 ++--
		17	1 file changed, 2 insertions(+), 2 deletions(-)
		18
		19	diff --git a/glib/gstring.h b/glib/gstring.h
		20	index e817176c9..c5e64b33a 100644
		21	--- a/glib/gstring.h
		22	+++ b/glib/gstring.h
		23	@@ -232,10 +232,10 @@ g_string_append_len_inline (GString *gstring,
		24	else
		25	len_unsigned = (gsize) len;
		26
		27	- if (G_LIKELY (gstring->len + len_unsigned < gstring->allocated_len))
		28	+ if (G_LIKELY (len_unsigned < gstring->allocated_len - gstring->len))
		29	{
		30	char *end = gstring->str + gstring->len;
		31	- if (G_LIKELY (val + len_unsigned <= end \|\| val > end + len_unsigned))
		32	+ if (G_LIKELY (val + len_unsigned <= end \|\| val >= end + len_unsigned))
		33	memcpy (end, val, len_unsigned);
		34	else
		35	memmove (end, val, len_unsigned);


diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc index c171598bed..b967b9402f 100644 --- a/meta/recipes-core/glib-2.0/glib.inc +++ b/meta/recipes-core/glib-2.0/glib.inc
@@ -229,8 +229,10 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
229	file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \	229	file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \
230	file://0010-Do-not-hardcode-python-path-into-various-tools.patch \	230	file://0010-Do-not-hardcode-python-path-into-various-tools.patch \
231	file://skip-timeout.patch \	231	file://skip-timeout.patch \
		232	file://CVE-2025-6052-1.patch \
		233	file://CVE-2025-6052-2.patch \
232	"	234	"
233	SRC_URI:append:class-native = " file://relocate-modules.patch \	235	SRC_URI:append:class-native = " file://relocate-modules.patch \
234	file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \	236	file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \
235	"	237	"
236		238