From 01a36fa733fd38b81023b8ba07ef1764efb1dbe6 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 5 Nov 2025 08:01:14 +0000
Subject: [PATCH] import UBI glib2-2.80.4-4.el10_0.7
---
 RHEL-114855.patch | 70 +++++++++++++++++++++++++++++++++++++++++++++++
 glib2.spec | 6 +++-
 2 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 RHEL-114855.patch
diff --git a/RHEL-114855.patch b/RHEL-114855.patch
new file mode 100644
index 0000000..a74423c
--- /dev/null
+++ b/RHEL-114855.patch
@@ -0,0 +1,70 @@
+From 2ab35fea012dfd55858aaf7663698be069a202c5 Mon Sep 17 00:00:00 2001
+From: Philip Withnall
+Date: Mon, 3 Feb 2025 18:27:21 +0000
+Subject: [PATCH] gdbusconnection: Prevent sending a serial of zero on overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It finally happened: someone managed to keep a process alive long
+enough, and using a single `GDBusConnection`, to overflow the
+`last_serial` counter in the connection and send an invalid message with
+serial of zero (which is disallowed by the D-Bus specification).
+
+Avoid that happening in future by skipping serials of zero on overflow,
+and wrapping straight back around to 1.
+
+This looks a little more confusing than it is, because `last_serial` is
+pre-incremented on use, so to skip zero, we explicitly set it to zero.
+This is exactly what happens when the `GDBusConnection` is initialised
+anyway.
+
+I can’t think of a way to add a unit test for this — there is no way to
+affect the value of `last_serial` except by sending messages (each one
+increments it), and in order to get it to overflow by sending messages
+at 1kHz, the test would have to run for 49 days.
+
+Instead, I tested this manually by temporarily modifying
+`GDBusConnection` to initialise `last_serial` to `G_MAXUINT32 - 3`, then
+checked that the unit tests all still passed, and that the overflow code
+was being executed.
+
+Signed-off-by: Philip Withnall
+
+Fixes: #3592
+---
+ gio/gdbusconnection.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
+index 4c1d2e2..75f9b3b 100644
+--- a/gio/gdbusconnection.c
++++ b/gio/gdbusconnection.c
+@@ -1762,9 +1762,22 @@ g_dbus_connection_send_message_unlocked (GDBusConnection *connection,
+ return FALSE;
+
+ if (flags & G_DBUS_SEND_MESSAGE_FLAGS_PRESERVE_SERIAL)
+- serial_to_use = g_dbus_message_get_serial (message);
++ {
++ serial_to_use = g_dbus_message_get_serial (message);
++ }
+ else
+- serial_to_use = ++connection->last_serial; /* TODO: handle overflow */
++ {
++ /* The serial_to_use must not be zero, as per
++ * https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages. */
++ if (connection->last_serial == G_MAXUINT32)
++ connection->last_serial = 1;
++ else
++ connection->last_serial++;
++
++ serial_to_use = connection->last_serial;
++ }
++
++ g_assert (serial_to_use != 0);
+
+ switch (blob[0])
+ {
+--
+2.47.3
+
diff --git a/glib2.spec b/glib2.spec
index bf8a923..8d9f936 100644
--- a/glib2.spec
+++ b/glib2.spec
@@ -2,7 +2,7 @@
 ## (rpmautospec version 0.6.5)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
- release_number = 6;
+ release_number = 7;
 base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
 print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@@ -37,6 +37,7 @@ Patch: CVE-2024-52533.patch
 # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4588
 # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4592
 Patch: CVE-2025-4373.patch
+Patch: RHEL-114855.patch
 BuildRequires: gcc
 BuildRequires: gcc-c++
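Review bot: In the gio/gdbusconnection.c hunk carried by RHEL-114855.patch, `g_assert (serial_to_use != 0);` is placed after both branches, so it also fires on the `G_DBUS_SEND_MESSAGE_FLAGS_PRESERVE_SERIAL` path, where the serial comes from the caller's message rather than from the counter. If a message with serial zero can reach that path, the process aborts instead of taking the `return FALSE` failure path seen at the top of the hunk, and when GLib is built with `G_DISABLE_ASSERT` the check is compiled out, so it is not a dependable guard in either direction. I would move the assertion into the `else` block, where it documents the counter invariant, and handle a zero preserved serial with an explicit check that fails the send. The embedded commit message also describes `last_serial` as pre-incremented and reset to zero, while the code sets it to 1 and reads it after the increment; a comment such as `/* Wrap from G_MAXUINT32 straight to 1; zero is never a valid serial */` above the `if` would record what the code actually does. The body of `g_dbus_connection_send_message_unlocked` starts and ends outside the hunk, so whether a zero serial is already rejected earlier is not visible here.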
@@ -300,6 +301,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %changelog
 ## START: Generated by rpmautospec
+* Mon Sep 29 2025 RHEL Packaging Agent - 2.80.4-7
+- gdbusconnection: Prevent sending a serial of zero on overflow
+
 * Thu Jul 10 2025 Michael Catanzaro - 2.80.4-6
 - Add patches for CVE-2024-52533 and CVE-2025-4373