From 0b007f7d65b775f7007d603097149b122b305a98 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Fri, 23 Jan 2026 06:25:27 +0000
Subject: [PATCH] import UBI glib2-2.68.4-18.el9_7.1
---
 SOURCES/CVE-2025-13601.patch | 124 ++++++++++++++++++
 ...usconnection-serial-number-overflow.patch} | 0
 SPECS/glib2.spec | 12 +-
 3 files changed, 134 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/CVE-2025-13601.patch
 rename SOURCES/{RHEL-114059.patch => gdbusconnection-serial-number-overflow.patch} (100%)
diff --git a/SOURCES/CVE-2025-13601.patch b/SOURCES/CVE-2025-13601.patch
new file mode 100644
index 0000000..c9c1a33
--- /dev/null
+++ b/SOURCES/CVE-2025-13601.patch
@@ -0,0 +1,124 @@
+From be4f154723a177201a8e81174a230416473bce33 Mon Sep 17 00:00:00 2001
+From: Philip Withnall
+Date: Thu, 13 Nov 2025 18:27:22 +0000
+Subject: [PATCH] gconvert: Error out if g_escape_uri_string() would overflow
+
+If the string to escape contains a very large number of unacceptable
+characters (which would need escaping), the calculation of the length of
+the escaped string could overflow, leading to a potential write off the
+end of the newly allocated string.
+
+In addition to that, the number of unacceptable characters was counted
+in a signed integer, which would overflow to become negative, making it
+easier for an attacker to craft an input string which would cause an
+out-of-bounds write.
+
+Fix that by validating the allocation length, and using an unsigned
+integer to count the number of unacceptable characters.
+
+Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
+from the Sovereign Tech Agency. ID: #YWH-PGM9867-134
+
+Signed-off-by: Philip Withnall
+
+Fixes: #3827
+---
+ glib/gconvert.c | 36 +++++++++++++++++++++++++-----------
+ 1 file changed, 25 insertions(+), 11 deletions(-)
+
+diff --git a/glib/gconvert.c b/glib/gconvert.c
+index f78cff01d..5f3e49066 100644
+--- a/glib/gconvert.c
++++ b/glib/gconvert.c
+@@ -1378,8 +1378,9 @@ static const gchar hex[16] = "0123456789ABCDEF";
+ /* Note: This escape function works on file: URIs, but if you want to
+ * escape something else, please read RFC-2396 */
+ static gchar *
+-g_escape_uri_string (const gchar *string,
+- UnsafeCharacterSet mask)
++g_escape_uri_string (const gchar *string,
++ UnsafeCharacterSet mask,
++ GError **error)
+ {
+ #define ACCEPTABLE(a) ((a)>=32 && (a)<128 && (acceptable[(a)-32] & use_mask))
+
+@@ -1387,7 +1388,7 @@ g_escape_uri_string (const gchar *string,
+ gchar *q;
+ gchar *result;
+ int c;
+- gint unacceptable;
++ size_t unacceptable;
+ UnsafeCharacterSet use_mask;
+
+ g_return_val_if_fail (mask == UNSAFE_ALL
+@@ -1404,7 +1405,14 @@ g_escape_uri_string (const gchar *string,
+ if (!ACCEPTABLE (c))
+ unacceptable++;
+ }
+-
++
++ if (unacceptable >= (G_MAXSIZE - (p - string)) / 2)
++ {
++ g_set_error_literal (error, G_CONVERT_ERROR, G_CONVERT_ERROR_BAD_URI,
++ _("The URI is too long"));
++ return NULL;
++ }
++
+ result = g_malloc (p - string + unacceptable * 2 + 1);
+
+ use_mask = mask;
+@@ -1429,12 +1437,13 @@ g_escape_uri_string (const gchar *string,
+
+
+ static gchar *
+-g_escape_file_uri (const gchar *hostname,
+- const gchar *pathname)
++g_escape_file_uri (const gchar *hostname,
++ const gchar *pathname,
++ GError **error)
+ {
+ char *escaped_hostname = NULL;
+- char *escaped_path;
+- char *res;
++ char *escaped_path = NULL;
++ char *res = NULL;
+
+ #ifdef G_OS_WIN32
+ char *p, *backslash;
+@@ -1455,10 +1464,14 @@ g_escape_file_uri (const gchar *hostname,
+
+ if (hostname && *hostname != '\0')
+ {
+- escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST);
++ escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST, error);
++ if (escaped_hostname == NULL)
++ goto out;
+ }
+
+- escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH);
++ escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH, error);
++ if (escaped_path == NULL)
++ goto out;
+
+ res = g_strconcat ("file://",
+ (escaped_hostname) ? escaped_hostname : "",
+@@ -1466,6 +1479,7 @@ g_escape_file_uri (const gchar *hostname,
+ escaped_path,
+ NULL);
+
++out:
+ #ifdef G_OS_WIN32
+ g_free ((char *) pathname);
+ #endif
+@@ -1785,7 +1799,7 @@ g_filename_to_uri (const gchar *filename,
+ hostname = NULL;
+ #endif
+
+- escaped_uri = g_escape_file_uri (hostname, filename);
++ escaped_uri = g_escape_file_uri (hostname, filename, error);
+
+ return escaped_uri;
+ }
+--
+2.52.0
+
diff --git a/SOURCES/RHEL-114059.patch b/SOURCES/gdbusconnection-serial-number-overflow.patch
similarity index 100%
rename from SOURCES/RHEL-114059.patch
rename to SOURCES/gdbusconnection-serial-number-overflow.patch
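Review bot: The new guard `if (unacceptable >= (G_MAXSIZE - (p - string)) / 2)` in g_escape_uri_string() has no comment tying it to the `g_malloc (p - string + unacceptable * 2 + 1)` call below it, so a later reader has to re-derive why the bound is sufficient. A comment above the check such as `/* result needs (p - string) + 2 * unacceptable + 1 bytes; refuse if that sum cannot be represented in a gsize */` would state the invariant the fix relies on. `p - string` is a signed pointer difference that is implicitly converted to unsigned in both expressions. The loop that advances `p` lies outside the hunk, so its non-negativity is only presumed here. Holding the length in one `size_t` local used by both the check and the allocation would keep the two in step. The embedded patch's diffstat lists only glib/gconvert.c, so the rejected-length path appears to ship without a regression test.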
diff --git a/SPECS/glib2.spec b/SPECS/glib2.spec index 3807196..bdb9121 100644 --- a/SPECS/glib2.spec +++ b/SPECS/glib2.spec @@ -1,6 +1,6 @@ Name: glib2 Version: 2.68.4 -Release: 18%{?dist} +Release: 18%{?dist}.1 Summary: A library of handy utility functions License: LGPLv2+ @@ -72,7 +72,12 @@ Patch: CVE-2025-4373.patch # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4356 Patch: gdatetime-test.patch -Patch: RHEL-114059.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4470 +Patch: gdbusconnection-serial-number-overflow.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4914 +Patch: CVE-2025-13601.patch BuildRequires: chrpath BuildRequires: gcc @@ -289,6 +294,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %{_datadir}/installed-tests %changelog +* Mon Jan 19 2026 Michael Catanzaro - 2.68.4-18.1 +- Add patch for CVE-2025-13601 + * Wed Sep 17 2025 RHEL Packaging Agent - 2.68.4-18 - gdbusconnection: Prevent sending a serial of zero on overflow - Resolves: RHEL-114059