import UBI glib2-2.68.4-18.el9_7.1

2026-01-23 06:25:27 +00:00 · 2026-01-23 06:25:27 +00:00 · 0b007f7d65
commit 0b007f7d65
parent 006c9d66b4
3 changed files with 134 additions and 2 deletions
--- a/SOURCES/CVE-2025-13601.patch
+++ b/SOURCES/CVE-2025-13601.patch
@ -0,0 +1,124 @@
+From be4f154723a177201a8e81174a230416473bce33 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 13 Nov 2025 18:27:22 +0000
+Subject: [PATCH] gconvert: Error out if g_escape_uri_string() would overflow
+
+If the string to escape contains a very large number of unacceptable
+characters (which would need escaping), the calculation of the length of
+the escaped string could overflow, leading to a potential write off the
+end of the newly allocated string.
+
+In addition to that, the number of unacceptable characters was counted
+in a signed integer, which would overflow to become negative, making it
+easier for an attacker to craft an input string which would cause an
+out-of-bounds write.
+
+Fix that by validating the allocation length, and using an unsigned
+integer to count the number of unacceptable characters.
+
+Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
+from the Sovereign Tech Agency. ID: #YWH-PGM9867-134
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+Fixes: #3827
+---
+ glib/gconvert.c | 36 +++++++++++++++++++++++++-----------
+ 1 file changed, 25 insertions(+), 11 deletions(-)
+
+diff --git a/glib/gconvert.c b/glib/gconvert.c
+index f78cff01d..5f3e49066 100644
+--- a/glib/gconvert.c
+++ b/glib/gconvert.c
+@@ -1378,8 +1378,9 @@ static const gchar hex[16] = "0123456789ABCDEF";
+ /* Note: This escape function works on file: URIs, but if you want to
+  * escape something else, please read RFC-2396 */
+ static gchar *
+-g_escape_uri_string (const gchar *string, 
+-		     UnsafeCharacterSet mask)
+g_escape_uri_string (const gchar         *string,
+                     UnsafeCharacterSet   mask,
+                     GError             **error)
+ {
+ #define ACCEPTABLE(a) ((a)>=32 && (a)<128 && (acceptable[(a)-32] & use_mask))
+ 
+@@ -1387,7 +1388,7 @@ g_escape_uri_string (const gchar *string,
+   gchar *q;
+   gchar *result;
+   int c;
+-  gint unacceptable;
+  size_t unacceptable;
+   UnsafeCharacterSet use_mask;
+   
+   g_return_val_if_fail (mask == UNSAFE_ALL
+@@ -1404,7 +1405,14 @@ g_escape_uri_string (const gchar *string,
+       if (!ACCEPTABLE (c)) 
+ 	unacceptable++;
+     }
+-  
+
+  if (unacceptable >= (G_MAXSIZE - (p - string)) / 2)
+    {
+      g_set_error_literal (error, G_CONVERT_ERROR, G_CONVERT_ERROR_BAD_URI,
+                           _("The URI is too long"));
+      return NULL;
+    }
+
+   result = g_malloc (p - string + unacceptable * 2 + 1);
+   
+   use_mask = mask;
+@@ -1429,12 +1437,13 @@ g_escape_uri_string (const gchar *string,
+ 
+ 
+ static gchar *
+-g_escape_file_uri (const gchar *hostname,
+-		   const gchar *pathname)
+g_escape_file_uri (const gchar  *hostname,
+                   const gchar  *pathname,
+                   GError      **error)
+ {
+   char *escaped_hostname = NULL;
+-  char *escaped_path;
+-  char *res;
+  char *escaped_path = NULL;
+  char *res = NULL;
+ 
+ #ifdef G_OS_WIN32
+   char *p, *backslash;
+@@ -1455,10 +1464,14 @@ g_escape_file_uri (const gchar *hostname,
+ 
+   if (hostname && *hostname != '\0')
+     {
+-      escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST);
+      escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST, error);
+      if (escaped_hostname == NULL)
+        goto out;
+     }
+ 
+-  escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH);
+  escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH, error);
+  if (escaped_path == NULL)
+    goto out;
+ 
+   res = g_strconcat ("file://",
+ 		     (escaped_hostname) ? escaped_hostname : "",
+@@ -1466,6 +1479,7 @@ g_escape_file_uri (const gchar *hostname,
+ 		     escaped_path,
+ 		     NULL);
+ 
+out:
+ #ifdef G_OS_WIN32
+   g_free ((char *) pathname);
+ #endif
+@@ -1785,7 +1799,7 @@ g_filename_to_uri (const gchar *filename,
+     hostname = NULL;
+ #endif
+ 
+-  escaped_uri = g_escape_file_uri (hostname, filename);
+  escaped_uri = g_escape_file_uri (hostname, filename, error);
+ 
+   return escaped_uri;
+ }
+-- 
+2.52.0
+
--- a/SOURCES/gdbusconnection-serial-number-overflow.patch
+++ b/SOURCES/gdbusconnection-serial-number-overflow.patch
--- a/SPECS/glib2.spec
+++ b/SPECS/glib2.spec
@ -1,6 +1,6 @@
 Name: glib2
 Version: 2.68.4
-Release: 18%{?dist}
+Release: 18%{?dist}.1
 Summary: A library of handy utility functions

 License: LGPLv2+
@ -72,7 +72,12 @@ Patch: CVE-2025-4373.patch

 # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4356
 Patch: gdatetime-test.patch
-Patch: RHEL-114059.patch
+
+# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4470
+Patch: gdbusconnection-serial-number-overflow.patch
+
+# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4914
+Patch: CVE-2025-13601.patch

 BuildRequires: chrpath
 BuildRequires: gcc
@ -289,6 +294,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %{_datadir}/installed-tests

 %changelog
+* Mon Jan 19 2026 Michael Catanzaro <mcatanzaro@redhat.com> - 2.68.4-18.1
+- Add patch for CVE-2025-13601
+
 * Wed Sep 17 2025 RHEL Packaging Agent <jotnar@redhat.com> - 2.68.4-18
 - gdbusconnection: Prevent sending a serial of zero on overflow
 - Resolves: RHEL-114059