4 files changed, 204 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-01.patch
new file mode 100644
index 0000000000..1bfe31131c
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-01.patch
@@ -0,0 +1,69 @@
+From 987309f23ada52592bffdb5db0d8a5d58bd8097b Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 3 Jun 2025 11:31:04 +0100
+Subject: [PATCH] gstring: Fix overflow check when expanding the string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+After commit 34b7992fd6e3894bf6d2229b8aa59cac34bcb1b5 the overflow check
+was only done when expanding the string, but we need to do it before
+checking whether to expand the string, otherwise that calculation could
+overflow and falsely decide that the string is big enough already.
+As a concrete example, consider a `GString` which has:
+ * `.len = G_MAXSIZE / 2 + 1`
+ * `.allocated_len = G_MAXSIZE / 2 + 1`
+and `g_string_append()` is called on it with an input string of length
+`G_MAXSIZE / 2`.
+This results in a call `g_string_maybe_expand (string, G_MAXSIZE / 2)`,
+which calculates `string->len + len` as `(G_MAXSIZE / 2 + 1) +
+(G_MAXSIZE / 2)` which evaluates to `1` as it overflows. This is not
+greater than `string->allocated_len` (which is `G_MAXSIZE / 2 + 1`), so
+`g_string_expand()` is *not* called, and `g_string_maybe_expand()`
+returns successfully. The caller then assumes that there’s enough space
+in the buffer, and happily continues to cause a buffer overflow.
+It’s unlikely anyone could hit this in practice because it requires
+ludicrously big strings and `GString` allocations, which likely would
+have been blocked by other code, but if we’re going to have the overflow
+checks in `GString` then they should be effective.
+Spotted by code inspection.
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+CVE: CVE-2025-6052
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/987309f23ada52592bffdb5db0d8a5d58bd8097b]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gstring.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/glib/gstring.c b/glib/gstring.c
+index 2a399ee21..8a489ca0d 100644
+--- a/glib/gstring.c
+++ b/glib/gstring.c
+@@ -78,10 +78,6 @@ static void
+ g_string_expand (GString *string,
+                  gsize    len)
+ {
+-  /* Detect potential overflow */
+-  if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
+-    g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
+-
+   string->allocated_len = g_nearest_pow (string->len + len + 1);
+   /* If the new size is bigger than G_MAXSIZE / 2, only allocate enough
+    * memory for this string and don't over-allocate.
+@@ -96,6 +92,10 @@ static inline void
+ g_string_maybe_expand (GString *string,
+                        gsize    len)
+ {
+  /* Detect potential overflow */
+  if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
+    g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
+
+   if (G_UNLIKELY (string->len + len >= string->allocated_len))
+     g_string_expand (string, len);
+ }
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-02.patch
new file mode 100644
index 0000000000..a28425a4ff
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-02.patch
@@ -0,0 +1,97 @@
+From 6aa97beda32bb337370858862f4efe2f3372619f Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Mon, 7 Jul 2025 20:52:24 +0200
+Subject: [PATCH] gstring: Fix g_string_sized_new segmentation fault
+If glib is compiled with -Dglib_assert=false, i.e. no asserts
+enabled, then g_string_sized_new(G_MAXSIZE) leads to a segmentation
+fault due to an out of boundary write.
+This happens because the overflow check was moved into
+g_string_maybe_expand which is not called by g_string_sized_new.
+By assuming that string->allocated_len is always larger than
+string->len (and the code would be in huge trouble if that is not true),
+the G_UNLIKELY check in g_string_maybe_expand can be rephrased to
+avoid a potential G_MAXSIZE overflow.
+This in turn leads to 150-200 bytes smaller compiled library
+depending on gcc and clang versions, and one less check for the most
+common code paths.
+Reverts https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4655 and
+reorders internal g_string_maybe_expand check to still fix
+CVE-2025-6052.
+CVE: CVE-2025-6052
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/6aa97beda32bb337370858862f4efe2f3372619f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gstring.c      | 10 +++++-----
+ glib/tests/string.c | 18 ++++++++++++++++++
+ 2 files changed, 23 insertions(+), 5 deletions(-)
+diff --git a/glib/gstring.c b/glib/gstring.c
+index 010a8e976..24c4bfb40 100644
+--- a/glib/gstring.c
+++ b/glib/gstring.c
+@@ -78,6 +78,10 @@ static void
+ g_string_expand (GString *string,
+                  gsize    len)
+ {
+  /* Detect potential overflow */
+  if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
+    g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
+
+   string->allocated_len = g_nearest_pow (string->len + len + 1);
+   /* If the new size is bigger than G_MAXSIZE / 2, only allocate enough
+    * memory for this string and don't over-allocate.
+@@ -92,11 +96,7 @@ static inline void
+ g_string_maybe_expand (GString *string,
+                        gsize    len)
+ {
+-  /* Detect potential overflow */
+-  if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
+-    g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
+-
+-  if (G_UNLIKELY (string->len + len >= string->allocated_len))
+  if (G_UNLIKELY (len >= string->allocated_len - string->len))
+     g_string_expand (string, len);
+ }
+ 
+diff --git a/glib/tests/string.c b/glib/tests/string.c
+index aa363c57a..e3bc4a02e 100644
+--- a/glib/tests/string.c
+++ b/glib/tests/string.c
+@@ -743,6 +743,23 @@ test_string_new_take_null (void)
+   g_string_free (g_steal_pointer (&string), TRUE);
+ }
+ 
+static void
+test_string_sized_new (void)
+{
+
+  if (g_test_subprocess ())
+    {
+      GString *string = g_string_sized_new (G_MAXSIZE);
+      g_string_free (string, TRUE);
+    }
+  else
+    {
+      g_test_trap_subprocess (NULL, 0, G_TEST_SUBPROCESS_DEFAULT);
+      g_test_trap_assert_failed ();
+      g_test_trap_assert_stderr ("*string would overflow*");
+    }
+}
+
+ int
+ main (int   argc,
+       char *argv[])
+@@ -772,6 +789,7 @@ main (int   argc,
+   g_test_add_func ("/string/test-string-steal", test_string_steal);
+   g_test_add_func ("/string/test-string-new-take", test_string_new_take);
+   g_test_add_func ("/string/test-string-new-take/null", test_string_new_take_null);
+  g_test_add_func ("/string/sized-new", test_string_sized_new);
+ 
+   return g_test_run();
+ }
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-03.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-03.patch
new file mode 100644
index 0000000000..3f6e564544
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-03.patch
@@ -0,0 +1,35 @@
+From 3752760c5091eaed561ec11636b069e529533514 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Mon, 7 Jul 2025 20:57:41 +0200
+Subject: [PATCH] gstring: Improve g_string_append_len_inline checks
+Use the same style for the G_LIKELY check here as in g_string_sized_new.
+The check could overflow on 32 bit systems.
+Also improve the memcpy/memmove check to use memcpy if val itself is
+adjacent to end + len_unsigned, which means that no overlapping exists.
+CVE: CVE-2025-6052
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/3752760c5091eaed561ec11636b069e529533514]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gstring.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/glib/gstring.h b/glib/gstring.h
+index e817176c9..c5e64b33a 100644
+--- a/glib/gstring.h
+++ b/glib/gstring.h
+@@ -228,10 +228,10 @@ g_string_append_len_inline (GString    *gstring,
+   else
+     len_unsigned = (gsize) len;
+ 
+-  if (G_LIKELY (gstring->len + len_unsigned < gstring->allocated_len))
+  if (G_LIKELY (len_unsigned < gstring->allocated_len - gstring->len))
+     {
+       char *end = gstring->str + gstring->len;
+-      if (G_LIKELY (val + len_unsigned <= end || val > end + len_unsigned))
+      if (G_LIKELY (val + len_unsigned <= end || val >= end + len_unsigned))
+         memcpy (end, val, len_unsigned);
+       else
+         memmove (end, val, len_unsigned);
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
index c129be1328..9f93655739 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
@@ -30,6 +30,9 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
           file://CVE-2025-4373-01.patch \
           file://CVE-2025-4373-02.patch \
           file://CVE-2025-7039.patch \
+           file://CVE-2025-6052-01.patch \
+           file://CVE-2025-6052-02.patch \
+           file://CVE-2025-6052-03.patch \
           "
 SRC_URI:append:class-native = " file://relocate-modules.patch \
                                file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-01.patch new file mode 100644 index 0000000000..1bfe31131c --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-01.patch
@@ -0,0 +1,69 @@
		1	From 987309f23ada52592bffdb5db0d8a5d58bd8097b Mon Sep 17 00:00:00 2001
		2	From: Philip Withnall <pwithnall@gnome.org>
		3	Date: Tue, 3 Jun 2025 11:31:04 +0100
		4	Subject: [PATCH] gstring: Fix overflow check when expanding the string
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	After commit 34b7992fd6e3894bf6d2229b8aa59cac34bcb1b5 the overflow check
		10	was only done when expanding the string, but we need to do it before
		11	checking whether to expand the string, otherwise that calculation could
		12	overflow and falsely decide that the string is big enough already.
		13
		14	As a concrete example, consider a `GString` which has:
		15	* `.len = G_MAXSIZE / 2 + 1`
		16	* `.allocated_len = G_MAXSIZE / 2 + 1`
		17	and `g_string_append()` is called on it with an input string of length
		18	`G_MAXSIZE / 2`.
		19
		20	This results in a call `g_string_maybe_expand (string, G_MAXSIZE / 2)`,
		21	which calculates `string->len + len` as `(G_MAXSIZE / 2 + 1) +
		22	(G_MAXSIZE / 2)` which evaluates to `1` as it overflows. This is not
		23	greater than `string->allocated_len` (which is `G_MAXSIZE / 2 + 1`), so
		24	`g_string_expand()` is not called, and `g_string_maybe_expand()`
		25	returns successfully. The caller then assumes that there’s enough space
		26	in the buffer, and happily continues to cause a buffer overflow.
		27
		28	It’s unlikely anyone could hit this in practice because it requires
		29	ludicrously big strings and `GString` allocations, which likely would
		30	have been blocked by other code, but if we’re going to have the overflow
		31	checks in `GString` then they should be effective.
		32
		33	Spotted by code inspection.
		34
		35	Signed-off-by: Philip Withnall <pwithnall@gnome.org>
		36
		37	CVE: CVE-2025-6052
		38	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/987309f23ada52592bffdb5db0d8a5d58bd8097b]
		39	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		40	---
		41	glib/gstring.c \| 8 ++++----
		42	1 file changed, 4 insertions(+), 4 deletions(-)
		43
		44	diff --git a/glib/gstring.c b/glib/gstring.c
		45	index 2a399ee21..8a489ca0d 100644
		46	--- a/glib/gstring.c
		47	+++ b/glib/gstring.c
		48	@@ -78,10 +78,6 @@ static void
		49	g_string_expand (GString *string,
		50	gsize len)
		51	{
		52	- /* Detect potential overflow */
		53	- if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
		54	- g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
		55	-
		56	string->allocated_len = g_nearest_pow (string->len + len + 1);
		57	/* If the new size is bigger than G_MAXSIZE / 2, only allocate enough
		58	* memory for this string and don't over-allocate.
		59	@@ -96,6 +92,10 @@ static inline void
		60	g_string_maybe_expand (GString *string,
		61	gsize len)
		62	{
		63	+ /* Detect potential overflow */
		64	+ if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
		65	+ g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
		66	+
		67	if (G_UNLIKELY (string->len + len >= string->allocated_len))
		68	g_string_expand (string, len);
		69	}


diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-02.patch new file mode 100644 index 0000000000..a28425a4ff --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-02.patch
@@ -0,0 +1,97 @@
		1	From 6aa97beda32bb337370858862f4efe2f3372619f Mon Sep 17 00:00:00 2001
		2	From: Tobias Stoeckmann <tobias@stoeckmann.org>
		3	Date: Mon, 7 Jul 2025 20:52:24 +0200
		4	Subject: [PATCH] gstring: Fix g_string_sized_new segmentation fault
		5
		6	If glib is compiled with -Dglib_assert=false, i.e. no asserts
		7	enabled, then g_string_sized_new(G_MAXSIZE) leads to a segmentation
		8	fault due to an out of boundary write.
		9
		10	This happens because the overflow check was moved into
		11	g_string_maybe_expand which is not called by g_string_sized_new.
		12
		13	By assuming that string->allocated_len is always larger than
		14	string->len (and the code would be in huge trouble if that is not true),
		15	the G_UNLIKELY check in g_string_maybe_expand can be rephrased to
		16	avoid a potential G_MAXSIZE overflow.
		17
		18	This in turn leads to 150-200 bytes smaller compiled library
		19	depending on gcc and clang versions, and one less check for the most
		20	common code paths.
		21
		22	Reverts https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4655 and
		23	reorders internal g_string_maybe_expand check to still fix
		24	CVE-2025-6052.
		25
		26	CVE: CVE-2025-6052
		27	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/6aa97beda32bb337370858862f4efe2f3372619f]
		28	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		29	---
		30	glib/gstring.c \| 10 +++++-----
		31	glib/tests/string.c \| 18 ++++++++++++++++++
		32	2 files changed, 23 insertions(+), 5 deletions(-)
		33
		34	diff --git a/glib/gstring.c b/glib/gstring.c
		35	index 010a8e976..24c4bfb40 100644
		36	--- a/glib/gstring.c
		37	+++ b/glib/gstring.c
		38	@@ -78,6 +78,10 @@ static void
		39	g_string_expand (GString *string,
		40	gsize len)
		41	{
		42	+ /* Detect potential overflow */
		43	+ if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
		44	+ g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
		45	+
		46	string->allocated_len = g_nearest_pow (string->len + len + 1);
		47	/* If the new size is bigger than G_MAXSIZE / 2, only allocate enough
		48	* memory for this string and don't over-allocate.
		49	@@ -92,11 +96,7 @@ static inline void
		50	g_string_maybe_expand (GString *string,
		51	gsize len)
		52	{
		53	- /* Detect potential overflow */
		54	- if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
		55	- g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
		56	-
		57	- if (G_UNLIKELY (string->len + len >= string->allocated_len))
		58	+ if (G_UNLIKELY (len >= string->allocated_len - string->len))
		59	g_string_expand (string, len);
		60	}
		61
		62	diff --git a/glib/tests/string.c b/glib/tests/string.c
		63	index aa363c57a..e3bc4a02e 100644
		64	--- a/glib/tests/string.c
		65	+++ b/glib/tests/string.c
		66	@@ -743,6 +743,23 @@ test_string_new_take_null (void)
		67	g_string_free (g_steal_pointer (&string), TRUE);
		68	}
		69
		70	+static void
		71	+test_string_sized_new (void)
		72	+{
		73	+
		74	+ if (g_test_subprocess ())
		75	+ {
		76	+ GString *string = g_string_sized_new (G_MAXSIZE);
		77	+ g_string_free (string, TRUE);
		78	+ }
		79	+ else
		80	+ {
		81	+ g_test_trap_subprocess (NULL, 0, G_TEST_SUBPROCESS_DEFAULT);
		82	+ g_test_trap_assert_failed ();
		83	+ g_test_trap_assert_stderr ("string would overflow");
		84	+ }
		85	+}
		86	+
		87	int
		88	main (int argc,
		89	char *argv[])
		90	@@ -772,6 +789,7 @@ main (int argc,
		91	g_test_add_func ("/string/test-string-steal", test_string_steal);
		92	g_test_add_func ("/string/test-string-new-take", test_string_new_take);
		93	g_test_add_func ("/string/test-string-new-take/null", test_string_new_take_null);
		94	+ g_test_add_func ("/string/sized-new", test_string_sized_new);
		95
		96	return g_test_run();
		97	}


diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-03.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-03.patch new file mode 100644 index 0000000000..3f6e564544 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-6052-03.patch
@@ -0,0 +1,35 @@
		1	From 3752760c5091eaed561ec11636b069e529533514 Mon Sep 17 00:00:00 2001
		2	From: Tobias Stoeckmann <tobias@stoeckmann.org>
		3	Date: Mon, 7 Jul 2025 20:57:41 +0200
		4	Subject: [PATCH] gstring: Improve g_string_append_len_inline checks
		5
		6	Use the same style for the G_LIKELY check here as in g_string_sized_new.
		7	The check could overflow on 32 bit systems.
		8
		9	Also improve the memcpy/memmove check to use memcpy if val itself is
		10	adjacent to end + len_unsigned, which means that no overlapping exists.
		11
		12	CVE: CVE-2025-6052
		13	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/3752760c5091eaed561ec11636b069e529533514]
		14	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		15	---
		16	glib/gstring.h \| 4 ++--
		17	1 file changed, 2 insertions(+), 2 deletions(-)
		18
		19	diff --git a/glib/gstring.h b/glib/gstring.h
		20	index e817176c9..c5e64b33a 100644
		21	--- a/glib/gstring.h
		22	+++ b/glib/gstring.h
		23	@@ -228,10 +228,10 @@ g_string_append_len_inline (GString *gstring,
		24	else
		25	len_unsigned = (gsize) len;
		26
		27	- if (G_LIKELY (gstring->len + len_unsigned < gstring->allocated_len))
		28	+ if (G_LIKELY (len_unsigned < gstring->allocated_len - gstring->len))
		29	{
		30	char *end = gstring->str + gstring->len;
		31	- if (G_LIKELY (val + len_unsigned <= end \|\| val > end + len_unsigned))
		32	+ if (G_LIKELY (val + len_unsigned <= end \|\| val >= end + len_unsigned))
		33	memcpy (end, val, len_unsigned);
		34	else
		35	memmove (end, val, len_unsigned);


diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb index c129be1328..9f93655739 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
@@ -30,6 +30,9 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
30	file://CVE-2025-4373-01.patch \	30	file://CVE-2025-4373-01.patch \
31	file://CVE-2025-4373-02.patch \	31	file://CVE-2025-4373-02.patch \
32	file://CVE-2025-7039.patch \	32	file://CVE-2025-7039.patch \
		33	file://CVE-2025-6052-01.patch \
		34	file://CVE-2025-6052-02.patch \
		35	file://CVE-2025-6052-03.patch \
33	"	36	"
34	SRC_URI:append:class-native = " file://relocate-modules.patch \	37	SRC_URI:append:class-native = " file://relocate-modules.patch \
35	file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \	38	file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \