glib-2.0: patch CVE-2025-14512

Pick patch from [1] linked from [2]. [1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4935 [2] https://gitlab.gnome.org/GNOME/glib/-/issues/3845 (From OE-Core rev: 2fb84f36c77e0d049a71dcfa597a67d297cbfd0a) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Peter Marko <peter.marko@siemens.com> 2025-12-31 10:55:44 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-01-26 09:49:25 +0000
commit: b06df1f496b016195039ab69d120e5a4f8de30c1 (patch)
tree: cf95041c0c36b186cb3ad6c4c1ea070e32525589 /meta/recipes-core
parent: 32417b8ef75d4a464d9da746fddc80561641333c (diff)
download: poky-b06df1f496b016195039ab69d120e5a4f8de30c1.tar.gz
2 files changed, 71 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14512.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14512.patch
new file mode 100644
index 0000000000..fd3ba765b1
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14512.patch
@@ -0,0 +1,70 @@
+From 1909d8ea9297287f1ff6862968608dcf06e60523 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 4 Dec 2025 16:37:19 +0000
+Subject: [PATCH] gfileattribute: Fix integer overflow calculating escaping for
+ byte strings
+The number of invalid characters in the byte string (characters which
+would have to be percent-encoded) was only stored in an `int`, which
+gave the possibility of a long string largely full of invalid
+characters overflowing this and allowing an attacker-controlled buffer
+size to be allocated.
+This could be triggered by an attacker controlled file attribute (of
+type `G_FILE_ATTRIBUTE_TYPE_BYTE_STRING`), such as
+`G_FILE_ATTRIBUTE_THUMBNAIL_PATH` or `G_FILE_ATTRIBUTE_STANDARD_NAME`,
+being read by user code.
+Spotted by Codean Labs.
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+Fixes: #3845
+CVE: CVE-2025-14512
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/1909d8ea9297287f1ff6862968608dcf06e60523]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gio/gfileattribute.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+diff --git a/gio/gfileattribute.c b/gio/gfileattribute.c
+index c6fde60fa..d3083e5bd 100644
+--- a/gio/gfileattribute.c
+++ b/gio/gfileattribute.c
+@@ -20,6 +20,7 @@
+ 
+ #include "config.h"
+ 
+#include <stdint.h>
+ #include <string.h>
+ 
+ #include "gfileattribute.h"
+@@ -271,11 +272,12 @@ valid_char (char c)
+   return c >= 32 && c <= 126 && c != '\\';
+ }
+ 
+/* Returns NULL on error */
+ static char *
+ escape_byte_string (const char *str)
+ {
+   size_t i, len;
+-  int num_invalid;
+  size_t num_invalid;
+   char *escaped_val, *p;
+   unsigned char c;
+   const char hex_digits[] = "0123456789abcdef";
+@@ -293,7 +295,12 @@ escape_byte_string (const char *str)
+     return g_strdup (str);
+   else
+     {
+-      escaped_val = g_malloc (len + num_invalid*3 + 1);
+      /* Check for overflow. We want to check the inequality:
+       * !(len + num_invalid * 3 + 1 > SIZE_MAX) */
+      if (num_invalid >= (SIZE_MAX - len) / 3)
+        return NULL;
+
+      escaped_val = g_malloc (len + num_invalid * 3 + 1);
+ 
+       p = escaped_val;
+       for (i = 0; i < len; i++)
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
index c5704a27bc..50701be3d0 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -69,6 +69,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
           file://CVE-2025-14087-01.patch \
           file://CVE-2025-14087-02.patch \
           file://CVE-2025-14087-03.patch \
+           file://CVE-2025-14512.patch \
           "
 SRC_URI:append:class-native = " file://relocate-modules.patch"
author	Peter Marko <peter.marko@siemens.com>	2025-12-31 10:55:44 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2026-01-26 09:49:25 +0000
commit	b06df1f496b016195039ab69d120e5a4f8de30c1 (patch)
tree	cf95041c0c36b186cb3ad6c4c1ea070e32525589 /meta/recipes-core
parent	32417b8ef75d4a464d9da746fddc80561641333c (diff)
download	poky-b06df1f496b016195039ab69d120e5a4f8de30c1.tar.gz

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14512.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14512.patch new file mode 100644 index 0000000000..fd3ba765b1 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14512.patch
@@ -0,0 +1,70 @@
		1	From 1909d8ea9297287f1ff6862968608dcf06e60523 Mon Sep 17 00:00:00 2001
		2	From: Philip Withnall <pwithnall@gnome.org>
		3	Date: Thu, 4 Dec 2025 16:37:19 +0000
		4	Subject: [PATCH] gfileattribute: Fix integer overflow calculating escaping for
		5	byte strings
		6
		7	The number of invalid characters in the byte string (characters which
		8	would have to be percent-encoded) was only stored in an `int`, which
		9	gave the possibility of a long string largely full of invalid
		10	characters overflowing this and allowing an attacker-controlled buffer
		11	size to be allocated.
		12
		13	This could be triggered by an attacker controlled file attribute (of
		14	type `G_FILE_ATTRIBUTE_TYPE_BYTE_STRING`), such as
		15	`G_FILE_ATTRIBUTE_THUMBNAIL_PATH` or `G_FILE_ATTRIBUTE_STANDARD_NAME`,
		16	being read by user code.
		17
		18	Spotted by Codean Labs.
		19
		20	Signed-off-by: Philip Withnall <pwithnall@gnome.org>
		21
		22	Fixes: #3845
		23
		24	CVE: CVE-2025-14512
		25	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/1909d8ea9297287f1ff6862968608dcf06e60523]
		26	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		27	---
		28	gio/gfileattribute.c \| 11 +++++++++--
		29	1 file changed, 9 insertions(+), 2 deletions(-)
		30
		31	diff --git a/gio/gfileattribute.c b/gio/gfileattribute.c
		32	index c6fde60fa..d3083e5bd 100644
		33	--- a/gio/gfileattribute.c
		34	+++ b/gio/gfileattribute.c
		35	@@ -20,6 +20,7 @@
		36
		37	#include "config.h"
		38
		39	+#include <stdint.h>
		40	#include <string.h>
		41
		42	#include "gfileattribute.h"
		43	@@ -271,11 +272,12 @@ valid_char (char c)
		44	return c >= 32 && c <= 126 && c != '\\';
		45	}
		46
		47	+/* Returns NULL on error */
		48	static char *
		49	escape_byte_string (const char *str)
		50	{
		51	size_t i, len;
		52	- int num_invalid;
		53	+ size_t num_invalid;
		54	char escaped_val, p;
		55	unsigned char c;
		56	const char hex_digits[] = "0123456789abcdef";
		57	@@ -293,7 +295,12 @@ escape_byte_string (const char *str)
		58	return g_strdup (str);
		59	else
		60	{
		61	- escaped_val = g_malloc (len + num_invalid*3 + 1);
		62	+ /* Check for overflow. We want to check the inequality:
		63	+ * !(len + num_invalid * 3 + 1 > SIZE_MAX) */
		64	+ if (num_invalid >= (SIZE_MAX - len) / 3)
		65	+ return NULL;
		66	+
		67	+ escaped_val = g_malloc (len + num_invalid * 3 + 1);
		68
		69	p = escaped_val;
		70	for (i = 0; i < len; i++)


diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb index c5704a27bc..50701be3d0 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -69,6 +69,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
69	file://CVE-2025-14087-01.patch \	69	file://CVE-2025-14087-01.patch \
70	file://CVE-2025-14087-02.patch \	70	file://CVE-2025-14087-02.patch \
71	file://CVE-2025-14087-03.patch \	71	file://CVE-2025-14087-03.patch \
		72	file://CVE-2025-14512.patch \
72	"	73	"
73	SRC_URI:append:class-native = " file://relocate-modules.patch"	74	SRC_URI:append:class-native = " file://relocate-modules.patch"
74		75