import UBI glib2-2.80.4-4.el10_0.7

2025-11-05 08:01:14 +00:00 · 2025-11-05 08:01:14 +00:00 · 01a36fa733
commit 01a36fa733
parent 0c4663f2d4
2 changed files with 75 additions and 1 deletions
--- a/RHEL-114855.patch
+++ b/RHEL-114855.patch
@ -0,0 +1,70 @@
+From 2ab35fea012dfd55858aaf7663698be069a202c5 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Mon, 3 Feb 2025 18:27:21 +0000
+Subject: [PATCH] gdbusconnection: Prevent sending a serial of zero on overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It finally happened: someone managed to keep a process alive long
+enough, and using a single `GDBusConnection`, to overflow the
+`last_serial` counter in the connection and send an invalid message with
+serial of zero (which is disallowed by the D-Bus specification).
+
+Avoid that happening in future by skipping serials of zero on overflow,
+and wrapping straight back around to 1.
+
+This looks a little more confusing than it is, because `last_serial` is
+pre-incremented on use, so to skip zero, we explicitly set it to zero.
+This is exactly what happens when the `GDBusConnection` is initialised
+anyway.
+
+I can’t think of a way to add a unit test for this — there is no way to
+affect the value of `last_serial` except by sending messages (each one
+increments it), and in order to get it to overflow by sending messages
+at 1kHz, the test would have to run for 49 days.
+
+Instead, I tested this manually by temporarily modifying
+`GDBusConnection` to initialise `last_serial` to `G_MAXUINT32 - 3`, then
+checked that the unit tests all still passed, and that the overflow code
+was being executed.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+Fixes: #3592
+---
+ gio/gdbusconnection.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
+index 4c1d2e2..75f9b3b 100644
+--- a/gio/gdbusconnection.c
+++ b/gio/gdbusconnection.c
+@@ -1762,9 +1762,22 @@ g_dbus_connection_send_message_unlocked (GDBusConnection   *connection,
+     return FALSE;
+ 
+   if (flags & G_DBUS_SEND_MESSAGE_FLAGS_PRESERVE_SERIAL)
+-    serial_to_use = g_dbus_message_get_serial (message);
+    {
+      serial_to_use = g_dbus_message_get_serial (message);
+    }
+   else
+-    serial_to_use = ++connection->last_serial; /* TODO: handle overflow */
+    {
+      /* The serial_to_use must not be zero, as per
+       * https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages. */
+      if (connection->last_serial == G_MAXUINT32)
+        connection->last_serial = 1;
+      else
+        connection->last_serial++;
+
+      serial_to_use = connection->last_serial;
+    }
+
+  g_assert (serial_to_use != 0);
+ 
+   switch (blob[0])
+     {
+-- 
+2.47.3
+
--- a/glib2.spec
+++ b/glib2.spec
@ -2,7 +2,7 @@
 ## (rpmautospec version 0.6.5)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 6;
+    release_number = 7;
    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
    print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@ -37,6 +37,7 @@ Patch:          CVE-2024-52533.patch
 # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4588
 # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4592
 Patch:          CVE-2025-4373.patch
+Patch:          RHEL-114855.patch

 BuildRequires:  gcc
 BuildRequires:  gcc-c++
@ -300,6 +301,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :

 %changelog
 ## START: Generated by rpmautospec
+* Mon Sep 29 2025 RHEL Packaging Agent <jotnar@redhat.com> - 2.80.4-7
+- gdbusconnection: Prevent sending a serial of zero on overflow
+
 * Thu Jul 10 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.80.4-6
 - Add patches for CVE-2024-52533 and CVE-2025-4373