glib-2.0: patch CVE-2026-1484

Pick patches from [1] linked from [2]. [1] https://gitlab.gnome.org/GNOME/glib/-/issues/3870 [2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4979 (From OE-Core rev: 045f902fd570df65f6ed2534d8885cee26fb6ef1) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
author: Peter Marko <peter.marko@siemens.com> 2026-02-20 17:21:15 +0100
committer: Paul Barker <paul@pbarker.dev> 2026-02-27 15:54:02 +0000
commit: 69d100e7f05be51fe8618844eed51c9d84024807 (patch)
tree: a8838d83529f22c667afb3502217883bde43692c
parent: 3825d4306a9a33826d9189362559327a330a00b1 (diff)
download: poky-69d100e7f05be51fe8618844eed51c9d84024807.tar.gz
3 files changed, 95 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-01.patch
new file mode 100644
index 0000000000..e3a232aa9f
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-01.patch
@@ -0,0 +1,48 @@
+From 5ba0ed9ab2c28294713bdc56a8744ff0a446b59c Mon Sep 17 00:00:00 2001
+From: Marco Trevisan <mail@3v1n0.net>
+Date: Fri, 23 Jan 2026 18:48:30 +0100
+Subject: [PATCH] gbase64: Use gsize to prevent potential overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Both g_base64_encode_step() and g_base64_encode_close() return gsize
+values, but these are summed to an int value.
+If the sum of these returned values is bigger than MAXINT, we overflow
+while doing the null byte write.
+Spotted by treeplus.
+Thanks to the Sovereign Tech Resilience programme from the Sovereign
+Tech Agency.
+ID: #YWH-PGM9867-168
+Closes: #3870
+(cherry picked from commit 6845f7776982849a2be1d8c9b0495e389092bff2)
+Co-authored-by: Marco Trevisan (Treviño) <mail@3v1n0.net>
+CVE: CVE-2026-1484
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/5ba0ed9ab2c28294713bdc56a8744ff0a446b59c]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gbase64.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/glib/gbase64.c b/glib/gbase64.c
+index 2ea4a4ef4..214b48911 100644
+--- a/glib/gbase64.c
+++ b/glib/gbase64.c
+@@ -262,8 +262,9 @@ g_base64_encode (const guchar *data,
+                  gsize         len)
+ {
+   gchar *out;
+-  gint state = 0, outlen;
+  gint state = 0;
+   gint save = 0;
+  gsize outlen;
+ 
+   g_return_val_if_fail (data != NULL || len == 0, NULL);
+ 
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-02.patch
new file mode 100644
index 0000000000..d0956e62f8
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-02.patch
@@ -0,0 +1,45 @@
+From 25429bd0b22222d6986d000d62b44eebf490837d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
+Date: Wed, 21 Jan 2026 20:09:44 +0100
+Subject: [PATCH] gbase64: Ensure that the out value is within allocated size
+We do not want to deference or write to it
+Related to: #3870
+CVE: CVE-2026-1484
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/25429bd0b22222d6986d000d62b44eebf490837d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gbase64.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/glib/gbase64.c b/glib/gbase64.c
+index 214b48911..0141b3b07 100644
+--- a/glib/gbase64.c
+++ b/glib/gbase64.c
+@@ -265,6 +265,7 @@ g_base64_encode (const guchar *data,
+   gint state = 0;
+   gint save = 0;
+   gsize outlen;
+  gsize allocsize;
+ 
+   g_return_val_if_fail (data != NULL || len == 0, NULL);
+ 
+@@ -272,10 +273,15 @@ g_base64_encode (const guchar *data,
+      +1 is needed for trailing \0, also check for unlikely integer overflow */
+   g_return_val_if_fail (len < ((G_MAXSIZE - 1) / 4 - 1) * 3, NULL);
+ 
+-  out = g_malloc ((len / 3 + 1) * 4 + 1);
+  allocsize = (len / 3 + 1) * 4 + 1;
+  out = g_malloc (allocsize);
+ 
+   outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save);
+  g_assert (outlen <= allocsize);
+
+   outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save);
+  g_assert (outlen <= allocsize);
+
+   out[outlen] = '\0';
+ 
+   return (gchar *) out;
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
index 7c0ed01f55..c6816f93fa 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -71,6 +71,8 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
           file://CVE-2025-14087-03.patch \
           file://CVE-2025-14512.patch \
           file://CVE-2026-0988.patch \
+           file://CVE-2026-1484-01.patch \
+           file://CVE-2026-1484-02.patch \
           "
 SRC_URI:append:class-native = " file://relocate-modules.patch"
author	Peter Marko <peter.marko@siemens.com>	2026-02-20 17:21:15 +0100
committer	Paul Barker <paul@pbarker.dev>	2026-02-27 15:54:02 +0000
commit	69d100e7f05be51fe8618844eed51c9d84024807 (patch)
tree	a8838d83529f22c667afb3502217883bde43692c
parent	3825d4306a9a33826d9189362559327a330a00b1 (diff)
download	poky-69d100e7f05be51fe8618844eed51c9d84024807.tar.gz

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-01.patch new file mode 100644 index 0000000000..e3a232aa9f --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-01.patch
@@ -0,0 +1,48 @@
		1	From 5ba0ed9ab2c28294713bdc56a8744ff0a446b59c Mon Sep 17 00:00:00 2001
		2	From: Marco Trevisan <mail@3v1n0.net>
		3	Date: Fri, 23 Jan 2026 18:48:30 +0100
		4	Subject: [PATCH] gbase64: Use gsize to prevent potential overflow
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Both g_base64_encode_step() and g_base64_encode_close() return gsize
		10	values, but these are summed to an int value.
		11
		12	If the sum of these returned values is bigger than MAXINT, we overflow
		13	while doing the null byte write.
		14
		15	Spotted by treeplus.
		16	Thanks to the Sovereign Tech Resilience programme from the Sovereign
		17	Tech Agency.
		18
		19	ID: #YWH-PGM9867-168
		20	Closes: #3870
		21
		22
		23	(cherry picked from commit 6845f7776982849a2be1d8c9b0495e389092bff2)
		24
		25	Co-authored-by: Marco Trevisan (Treviño) <mail@3v1n0.net>
		26
		27	CVE: CVE-2026-1484
		28	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/5ba0ed9ab2c28294713bdc56a8744ff0a446b59c]
		29	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		30	---
		31	glib/gbase64.c \| 3 ++-
		32	1 file changed, 2 insertions(+), 1 deletion(-)
		33
		34	diff --git a/glib/gbase64.c b/glib/gbase64.c
		35	index 2ea4a4ef4..214b48911 100644
		36	--- a/glib/gbase64.c
		37	+++ b/glib/gbase64.c
		38	@@ -262,8 +262,9 @@ g_base64_encode (const guchar *data,
		39	gsize len)
		40	{
		41	gchar *out;
		42	- gint state = 0, outlen;
		43	+ gint state = 0;
		44	gint save = 0;
		45	+ gsize outlen;
		46
		47	g_return_val_if_fail (data != NULL \|\| len == 0, NULL);
		48


diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-02.patch new file mode 100644 index 0000000000..d0956e62f8 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-02.patch
@@ -0,0 +1,45 @@
		1	From 25429bd0b22222d6986d000d62b44eebf490837d Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
		3	Date: Wed, 21 Jan 2026 20:09:44 +0100
		4	Subject: [PATCH] gbase64: Ensure that the out value is within allocated size
		5
		6	We do not want to deference or write to it
		7
		8	Related to: #3870
		9
		10	CVE: CVE-2026-1484
		11	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/25429bd0b22222d6986d000d62b44eebf490837d]
		12	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		13	---
		14	glib/gbase64.c \| 8 +++++++-
		15	1 file changed, 7 insertions(+), 1 deletion(-)
		16
		17	diff --git a/glib/gbase64.c b/glib/gbase64.c
		18	index 214b48911..0141b3b07 100644
		19	--- a/glib/gbase64.c
		20	+++ b/glib/gbase64.c
		21	@@ -265,6 +265,7 @@ g_base64_encode (const guchar *data,
		22	gint state = 0;
		23	gint save = 0;
		24	gsize outlen;
		25	+ gsize allocsize;
		26
		27	g_return_val_if_fail (data != NULL \|\| len == 0, NULL);
		28
		29	@@ -272,10 +273,15 @@ g_base64_encode (const guchar *data,
		30	+1 is needed for trailing \0, also check for unlikely integer overflow */
		31	g_return_val_if_fail (len < ((G_MAXSIZE - 1) / 4 - 1) * 3, NULL);
		32
		33	- out = g_malloc ((len / 3 + 1) * 4 + 1);
		34	+ allocsize = (len / 3 + 1) * 4 + 1;
		35	+ out = g_malloc (allocsize);
		36
		37	outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save);
		38	+ g_assert (outlen <= allocsize);
		39	+
		40	outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save);
		41	+ g_assert (outlen <= allocsize);
		42	+
		43	out[outlen] = '\0';
		44
		45	return (gchar *) out;


diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb index 7c0ed01f55..c6816f93fa 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -71,6 +71,8 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
71	file://CVE-2025-14087-03.patch \	71	file://CVE-2025-14087-03.patch \
72	file://CVE-2025-14512.patch \	72	file://CVE-2025-14512.patch \
73	file://CVE-2026-0988.patch \	73	file://CVE-2026-0988.patch \
		74	file://CVE-2026-1484-01.patch \
		75	file://CVE-2026-1484-02.patch \
74	"	76	"
75	SRC_URI:append:class-native = " file://relocate-modules.patch"	77	SRC_URI:append:class-native = " file://relocate-modules.patch"
76		78