diff --git a/SOURCES/CVE-2024-52533.patch b/SOURCES/CVE-2024-52533.patch
new file mode 100644
index 0000000..c677cfc
--- /dev/null
+++ b/SOURCES/CVE-2024-52533.patch
@@ -0,0 +1,45 @@
+From 25833cefda24c60af913d6f2d532b5afd608b821 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Thu, 19 Sep 2024 18:35:53 +0100
+Subject: [PATCH] gsocks4aproxy: Fix a single byte buffer overflow in connect
+ messages
+
+`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
+byte in the connect message, which is an addition in SOCKSv4a vs
+SOCKSv4.
+
+This means that the buffer for building and transmitting the connect
+message could be overflowed if the username and hostname are both
+`SOCKS4_MAX_LEN` (255) bytes long.
+
+Proxy configurations are normally statically configured, so the username
+is very unlikely to be near its maximum length, and hence this overflow
+is unlikely to be triggered in practice.
+
+(Commit message by Philip Withnall, diagnosis and fix by Michael
+Catanzaro.)
+
+Fixes: #3461
+---
+ gio/gsocks4aproxy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c
+index 3dad118eb7..b3146d08fd 100644
+--- a/gio/gsocks4aproxy.c
++++ b/gio/gsocks4aproxy.c
+@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy)
+ * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+ * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL |
+ * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+- * 1 1 2 4 variable 1 variable
++ * 1 1 2 4 variable 1 variable 1
+ */
+-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2)
++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2)
+ static gint
+ set_connect_msg (guint8 *msg,
+ const gchar *hostname,
+--
+GitLab
+
diff --git a/SOURCES/CVE-2025-13601.patch b/SOURCES/CVE-2025-13601.patch
new file mode 100644
index 0000000..c9c1a33
--- /dev/null
+++ b/SOURCES/CVE-2025-13601.patch
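Review bot: The corrected `SOCKS4_CONN_MSG_LEN` still carries a bare `10` whose derivation lives only in the ASCII diagram above it, which is how the original off-by-one went unnoticed. A comment on the macro such as `/* 1 VN + 1 CD + 2 DSTPORT + 4 DSTIP + 1 USERID nul + 1 HOST nul */` would make the next protocol change easier to audit. The bound is only sufficient if set_connect_msg rejects a user name or host name longer than `SOCKS4_MAX_LEN`; its body lies outside the hunk, so that check could not be confirmed here.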
@@ -0,0 +1,124 @@ +From be4f154723a177201a8e81174a230416473bce33 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 13 Nov 2025 18:27:22 +0000 +Subject: [PATCH] gconvert: Error out if g_escape_uri_string() would overflow + +If the string to escape contains a very large number of unacceptable +characters (which would need escaping), the calculation of the length of +the escaped string could overflow, leading to a potential write off the +end of the newly allocated string. + +In addition to that, the number of unacceptable characters was counted +in a signed integer, which would overflow to become negative, making it +easier for an attacker to craft an input string which would cause an +out-of-bounds write. + +Fix that by validating the allocation length, and using an unsigned +integer to count the number of unacceptable characters. + +Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme +from the Sovereign Tech Agency. ID: #YWH-PGM9867-134 + +Signed-off-by: Philip Withnall + +Fixes: #3827 +--- + glib/gconvert.c | 36 +++++++++++++++++++++++++----------- + 1 file changed, 25 insertions(+), 11 deletions(-) + +diff --git a/glib/gconvert.c b/glib/gconvert.c +index f78cff01d..5f3e49066 100644 +--- a/glib/gconvert.c ++++ b/glib/gconvert.c +@@ -1378,8 +1378,9 @@ static const gchar hex[16] = "0123456789ABCDEF"; + /* Note: This escape function works on file: URIs, but if you want to + * escape something else, please read RFC-2396 */ + static gchar * +-g_escape_uri_string (const gchar *string, +- UnsafeCharacterSet mask) ++g_escape_uri_string (const gchar *string, ++ UnsafeCharacterSet mask, ++ GError **error) + { + #define ACCEPTABLE(a) ((a)>=32 && (a)<128 && (acceptable[(a)-32] & use_mask)) + +@@ -1387,7 +1388,7 @@ g_escape_uri_string (const gchar *string, + gchar *q; + gchar *result; + int c; +- gint unacceptable; ++ size_t unacceptable; + UnsafeCharacterSet use_mask; + + g_return_val_if_fail (mask == UNSAFE_ALL +@@ -1404,7 +1405,14 @@ 
g_escape_uri_string (const gchar *string, + if (!ACCEPTABLE (c)) + unacceptable++; + } +- ++ ++ if (unacceptable >= (G_MAXSIZE - (p - string)) / 2) ++ { ++ g_set_error_literal (error, G_CONVERT_ERROR, G_CONVERT_ERROR_BAD_URI, ++ _("The URI is too long")); ++ return NULL; ++ } ++ + result = g_malloc (p - string + unacceptable * 2 + 1); + + use_mask = mask; +@@ -1429,12 +1437,13 @@ g_escape_uri_string (const gchar *string, + + + static gchar * +-g_escape_file_uri (const gchar *hostname, +- const gchar *pathname) ++g_escape_file_uri (const gchar *hostname, ++ const gchar *pathname, ++ GError **error) + { + char *escaped_hostname = NULL; +- char *escaped_path; +- char *res; ++ char *escaped_path = NULL; ++ char *res = NULL; + + #ifdef G_OS_WIN32 + char *p, *backslash; +@@ -1455,10 +1464,14 @@ g_escape_file_uri (const gchar *hostname, + + if (hostname && *hostname != '\0') + { +- escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST); ++ escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST, error); ++ if (escaped_hostname == NULL) ++ goto out; + } + +- escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH); ++ escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH, error); ++ if (escaped_path == NULL) ++ goto out; + + res = g_strconcat ("file://", + (escaped_hostname) ? escaped_hostname : "", +@@ -1466,6 +1479,7 @@ g_escape_file_uri (const gchar *hostname, + escaped_path, + NULL); + ++out: + #ifdef G_OS_WIN32 + g_free ((char *) pathname); + #endif +@@ -1785,7 +1799,7 @@ g_filename_to_uri (const gchar *filename, + hostname = NULL; + #endif + +- escaped_uri = g_escape_file_uri (hostname, filename); ++ escaped_uri = g_escape_file_uri (hostname, filename, error); + + return escaped_uri; + } +-- +2.52.0 + diff --git a/SOURCES/CVE-2025-4373.patch b/SOURCES/CVE-2025-4373.patch new file mode 100644 index 0000000..7f83d9d --- /dev/null +++ b/SOURCES/CVE-2025-4373.patch 
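Review bot: The new length guard in g_escape_uri_string, `if (unacceptable >= (G_MAXSIZE - (p - string)) / 2)`, has no comment tying it to the allocation it protects, and it folds the signed `p - string` into unsigned arithmetic. The arithmetic is sound because `p` never precedes `string`, but a one-line comment such as `/* result needs (p - string) + 2 * unacceptable + 1 bytes; reject if that cannot fit in a gsize */` would keep the check and the `g_malloc` size in step when either is touched again. The comment above the function still describes only the escaping and should also mention the new `error` out-parameter and the NULL return. The function body continues outside the hunk.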
@@ -0,0 +1,140 @@ +From cc647f9e46d55509a93498af19659baf9c80f2e3 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 10 Apr 2025 10:57:20 -0500 +Subject: [PATCH] gstring: carefully handle gssize parameters + +Wherever we use gssize to allow passing -1, we need to ensure we don't +overflow the value by assigning a gsize to it without checking if the +size exceeds the maximum gssize. The safest way to do this is to just +use normal gsize everywhere instead and use gssize only for the +parameter. + +Our computers don't have enough RAM to write tests for this. I tried +forcing string->len to high values for test purposes, but this isn't +valid and will just cause out of bounds reads/writes due to +string->allocated_len being unexpectedly small, so I don't think we can +test this easily. +--- + glib/gstring.c | 36 +++++++++++++++++++++++------------- + 1 file changed, 23 insertions(+), 13 deletions(-) + +diff --git a/glib/gstring.c b/glib/gstring.c +index 5279ed3cca..d79a4849c0 100644 +--- a/glib/gstring.c ++++ b/glib/gstring.c +@@ -480,8 +480,9 @@ g_string_insert_len (GString *string, + return string; + + if (len < 0) +- len = strlen (val); +- len_unsigned = len; ++ len_unsigned = strlen (val); ++ else ++ len_unsigned = len; + + if (pos < 0) + pos_unsigned = string->len; +@@ -778,10 +779,12 @@ g_string_insert_c (GString *string, + g_string_maybe_expand (string, 1); + + if (pos < 0) +- pos = string->len; ++ pos_unsigned = string->len; + else +- g_return_val_if_fail ((gsize) pos <= string->len, string); +- pos_unsigned = pos; ++ { ++ pos_unsigned = pos; ++ g_return_val_if_fail (pos_unsigned <= string->len, string); ++ } + + /* If not just an append, move the old stuff */ + if (pos_unsigned < string->len) +@@ -814,6 +817,7 @@ g_string_insert_unichar (GString *string, + gssize pos, + gunichar wc) + { ++ gsize pos_unsigned; + gint charlen, first, i; + gchar *dest; + +@@ -855,15 +859,18 @@ g_string_insert_unichar (GString *string, + g_string_maybe_expand (string, 
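Review bot: In g_string_insert_len the `len` parameter is no longer overwritten with `strlen (val)`, so it stays negative for the rest of the function when the caller passes -1, and any read of `len` below this hunk would now see -1 instead of the string length. The same holds for `len` in g_string_overwrite_len and for `pos` in g_string_insert_c and g_string_insert_unichar in the later hunks. The visible lines all switch to `len_unsigned` / `pos_unsigned`, but each function body continues outside its hunk, so the 2.68.4 base this is applied to should be checked for remaining uses of the signed parameter. A short comment at the conversion, e.g. `/* len may still be -1 from here on; use len_unsigned */`, would guard against that in later backports.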
charlen); + + if (pos < 0) +- pos = string->len; ++ pos_unsigned = string->len; + else +- g_return_val_if_fail ((gsize) pos <= string->len, string); ++ { ++ pos_unsigned = pos; ++ g_return_val_if_fail (pos_unsigned <= string->len, string); ++ } + + /* If not just an append, move the old stuff */ +- if ((gsize) pos < string->len) +- memmove (string->str + pos + charlen, string->str + pos, string->len - pos); ++ if (pos_unsigned < string->len) ++ memmove (string->str + pos_unsigned + charlen, string->str + pos_unsigned, string->len - pos_unsigned); + +- dest = string->str + pos; ++ dest = string->str + pos_unsigned; + /* Code copied from g_unichar_to_utf() */ + for (i = charlen - 1; i > 0; --i) + { +@@ -921,6 +928,7 @@ g_string_overwrite_len (GString *string, + const gchar *val, + gssize len) + { ++ gssize len_unsigned; + gsize end; + + g_return_val_if_fail (string != NULL, NULL); +@@ -932,14 +940,16 @@ g_string_overwrite_len (GString *string, + g_return_val_if_fail (pos <= string->len, string); + + if (len < 0) +- len = strlen (val); ++ len_unsigned = strlen (val); ++ else ++ len_unsigned = len; + +- end = pos + len; ++ end = pos + len_unsigned; + + if (end > string->len) + g_string_maybe_expand (string, end - string->len); + +- memcpy (string->str + pos, val, len); ++ memcpy (string->str + pos, val, len_unsigned); + + if (end > string->len) + { +-- +GitLab +From 089070bf53807ad2a81bc0b014ad19016fada2a5 Mon Sep 17 00:00:00 2001 +From: Peter Bloomfield +Date: Thu, 10 Apr 2025 22:12:49 -0400 +Subject: [PATCH] gstring: Make len_unsigned unsigned + +Declare `len_unsigned` as `gsize` instead of `gssize`. 
+--- + glib/gstring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/glib/gstring.c b/glib/gstring.c +index d79a4849c0..2a399ee21f 100644 +--- a/glib/gstring.c ++++ b/glib/gstring.c +@@ -928,7 +928,7 @@ g_string_overwrite_len (GString *string, + const gchar *val, + gssize len) + { +- gssize len_unsigned; ++ gsize len_unsigned; + gsize end; + + g_return_val_if_fail (string != NULL, NULL); +-- +GitLab + diff --git a/SOURCES/gdatetime-test.patch b/SOURCES/gdatetime-test.patch new file mode 100644 index 0000000..58d78e2 --- /dev/null +++ b/SOURCES/gdatetime-test.patch 
@@ -0,0 +1,187 @@ +From e608f34a060f2def4afeefc6e54b3189e6a82393 Mon Sep 17 00:00:00 2001 +From: "Rebecca N. Palmer" +Date: Fri, 11 Oct 2024 09:38:52 +0100 +Subject: [PATCH 1/3] gdatetime test: Do not assume PST8PDT was always exactly + -8/-7 + +In newer tzdata, it is an alias for America/Los_Angeles, which has a +slightly different meaning: DST did not exist there before 1883. As a +result, we can no longer hard-code the knowledge that interval 0 is +standard time and interval 1 is summer time, and instead we need to look +up the correct intervals from known timestamps. + +Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/3502 +Bug-Debian: https://bugs.debian.org/1084190 +[smcv: expand commit message, fix whitespace] +Signed-off-by: Simon McVittie +--- + glib/tests/gdatetime.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c +index bc4eba93a..2697e3caa 100644 +--- a/glib/tests/gdatetime.c ++++ b/glib/tests/gdatetime.c +@@ -2475,6 +2475,7 @@ test_posix_parse (void) + { + GTimeZone *tz; + GDateTime *gdt1, *gdt2; ++ gint i1, i2; + + /* Check that an unknown zone name falls back to UTC. */ + G_GNUC_BEGIN_IGNORE_DEPRECATIONS +@@ -2498,16 +2499,25 @@ test_posix_parse (void) + + /* This fails rules_from_identifier on Unix (though not on Windows) + * but passes anyway because PST8PDT is a zone name. ++ * ++ * Intervals i1 and i2 (rather than 0 and 1) are needed because in ++ * recent tzdata, PST8PDT may be an alias for America/Los_Angeles, ++ * and hence be aware that DST has not always existed. 
++ * https://bugs.debian.org/1084190 + */ + tz = g_time_zone_new_identifier ("PST8PDT"); + g_assert_nonnull (tz); + g_assert_cmpstr (g_time_zone_get_identifier (tz), ==, "PST8PDT"); +- g_assert_cmpstr (g_time_zone_get_abbreviation (tz, 0), ==, "PST"); +- g_assert_cmpint (g_time_zone_get_offset (tz, 0), ==, - 8 * 3600); +- g_assert (!g_time_zone_is_dst (tz, 0)); +- g_assert_cmpstr (g_time_zone_get_abbreviation (tz, 1), ==, "PDT"); +- g_assert_cmpint (g_time_zone_get_offset (tz, 1), ==,- 7 * 3600); +- g_assert (g_time_zone_is_dst (tz, 1)); ++ /* a date in winter = non-DST */ ++ i1 = g_time_zone_find_interval (tz, G_TIME_TYPE_STANDARD, 0); ++ /* approximately 6 months in seconds, i.e. a date in summer = DST */ ++ i2 = g_time_zone_find_interval (tz, G_TIME_TYPE_DAYLIGHT, 15000000); ++ g_assert_cmpstr (g_time_zone_get_abbreviation (tz, i1), ==, "PST"); ++ g_assert_cmpint (g_time_zone_get_offset (tz, i1), ==, - 8 * 3600); ++ g_assert (!g_time_zone_is_dst (tz, i1)); ++ g_assert_cmpstr (g_time_zone_get_abbreviation (tz, i2), ==, "PDT"); ++ g_assert_cmpint (g_time_zone_get_offset (tz, i2), ==,- 7 * 3600); ++ g_assert (g_time_zone_is_dst (tz, i2)); + g_time_zone_unref (tz); + + tz = g_time_zone_new_identifier ("PST8PDT6:32:15"); +-- +2.50.0 + + +From a2a6ca391d16e76f74fe28f2bf33fecd0ded1293 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Fri, 18 Oct 2024 11:03:19 +0100 +Subject: [PATCH 2/3] gdatetime test: Try to make PST8PDT test more obviously + correct + +Instead of using timestamp 0 as a magic number (in this case interpreted +as 1970-01-01T00:00:00-08:00), calculate a timestamp from a recent +year/month/day in winter, in this case 2024-01-01T00:00:00-08:00. + +Similarly, instead of using a timestamp 15 million seconds later +(1970-06-23T15:40:00-07:00), calculate a timestamp from a recent +year/month/day in summer, in this case 2024-07-01T00:00:00-07:00. 
+ +Signed-off-by: Simon McVittie +--- + glib/tests/gdatetime.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c +index 2697e3caa..676951cce 100644 +--- a/glib/tests/gdatetime.c ++++ b/glib/tests/gdatetime.c +@@ -2499,19 +2499,16 @@ test_posix_parse (void) + + /* This fails rules_from_identifier on Unix (though not on Windows) + * but passes anyway because PST8PDT is a zone name. +- * +- * Intervals i1 and i2 (rather than 0 and 1) are needed because in +- * recent tzdata, PST8PDT may be an alias for America/Los_Angeles, +- * and hence be aware that DST has not always existed. +- * https://bugs.debian.org/1084190 + */ + tz = g_time_zone_new_identifier ("PST8PDT"); + g_assert_nonnull (tz); + g_assert_cmpstr (g_time_zone_get_identifier (tz), ==, "PST8PDT"); + /* a date in winter = non-DST */ +- i1 = g_time_zone_find_interval (tz, G_TIME_TYPE_STANDARD, 0); +- /* approximately 6 months in seconds, i.e. a date in summer = DST */ +- i2 = g_time_zone_find_interval (tz, G_TIME_TYPE_DAYLIGHT, 15000000); ++ gdt1 = g_date_time_new (tz, 2024, 1, 1, 0, 0, 0); ++ i1 = g_time_zone_find_interval (tz, G_TIME_TYPE_STANDARD, g_date_time_to_unix (gdt1)); ++ /* a date in summer = DST */ ++ gdt2 = g_date_time_new (tz, 2024, 7, 1, 0, 0, 0); ++ i2 = g_time_zone_find_interval (tz, G_TIME_TYPE_DAYLIGHT, g_date_time_to_unix (gdt2)); + g_assert_cmpstr (g_time_zone_get_abbreviation (tz, i1), ==, "PST"); + g_assert_cmpint (g_time_zone_get_offset (tz, i1), ==, - 8 * 3600); + g_assert (!g_time_zone_is_dst (tz, i1)); +@@ -2519,6 +2516,8 @@ test_posix_parse (void) + g_assert_cmpint (g_time_zone_get_offset (tz, i2), ==,- 7 * 3600); + g_assert (g_time_zone_is_dst (tz, i2)); + g_time_zone_unref (tz); ++ g_date_time_unref (gdt1); ++ g_date_time_unref (gdt2); + + tz = g_time_zone_new_identifier ("PST8PDT6:32:15"); + #ifdef G_OS_WIN32 +-- +2.50.0 + + +From 345a41982e7237f72e88b4ade951320df52553b2 Mon Sep 17 00:00:00 2001 
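Review bot: The indices `i1` and `i2` returned by `g_time_zone_find_interval` go straight into the abbreviation, offset and DST assertions, with no check for the -1 result that call returns when no interval matches. On a system with unexpected tzdata the test would then fail inside the getters rather than at the lookup. Adding `g_assert_cmpint (i1, !=, -1);` and `g_assert_cmpint (i2, !=, -1);` after the two lookups makes that failure mode explicit; test_posix_parse continues outside the hunk.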
+From: Simon McVittie +Date: Fri, 18 Oct 2024 11:23:42 +0100 +Subject: [PATCH 3/3] gdatetime test: Fall back if legacy System V PST8PDT is + not available + +On recent versions of Debian, PST8PDT is part of the tzdata-legacy +package, which is not always installed and might disappear in future. +Successfully tested with and without tzdata-legacy on Debian unstable. + +Signed-off-by: Simon McVittie +--- + glib/tests/gdatetime.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c +index 676951cce..7512389e0 100644 +--- a/glib/tests/gdatetime.c ++++ b/glib/tests/gdatetime.c +@@ -2476,6 +2476,7 @@ test_posix_parse (void) + GTimeZone *tz; + GDateTime *gdt1, *gdt2; + gint i1, i2; ++ const char *expect_id; + + /* Check that an unknown zone name falls back to UTC. */ + G_GNUC_BEGIN_IGNORE_DEPRECATIONS +@@ -2498,11 +2499,25 @@ test_posix_parse (void) + g_time_zone_unref (tz); + + /* This fails rules_from_identifier on Unix (though not on Windows) +- * but passes anyway because PST8PDT is a zone name. ++ * but can pass anyway because PST8PDT is a legacy System V zone name. + */ + tz = g_time_zone_new_identifier ("PST8PDT"); ++ expect_id = "PST8PDT"; ++ ++#ifndef G_OS_WIN32 ++ /* PST8PDT is in tzdata's "backward" set, packaged as tzdata-legacy and ++ * not always present in some OSs; fall back to the equivalent geographical ++ * name if the "backward" time zones are absent. 
*/ ++ if (tz == NULL) ++ { ++ g_test_message ("Legacy PST8PDT time zone not available, falling back"); ++ tz = g_time_zone_new_identifier ("America/Los_Angeles"); ++ expect_id = "America/Los_Angeles"; ++ } ++#endif ++ + g_assert_nonnull (tz); +- g_assert_cmpstr (g_time_zone_get_identifier (tz), ==, "PST8PDT"); ++ g_assert_cmpstr (g_time_zone_get_identifier (tz), ==, expect_id); + /* a date in winter = non-DST */ + gdt1 = g_date_time_new (tz, 2024, 1, 1, 0, 0, 0); + i1 = g_time_zone_find_interval (tz, G_TIME_TYPE_STANDARD, g_date_time_to_unix (gdt1)); +-- +2.50.0 + diff --git a/SOURCES/gdbusconnection-serial-number-overflow.patch b/SOURCES/gdbusconnection-serial-number-overflow.patch new file mode 100644 index 0000000..fa7c094 --- /dev/null +++ b/SOURCES/gdbusconnection-serial-number-overflow.patch 
@@ -0,0 +1,70 @@
+From 95f006a2d14fcc41c0b1823d07e2b8b871195548 Mon Sep 17 00:00:00 2001
+From: Philip Withnall
+Date: Mon, 3 Feb 2025 18:27:21 +0000
+Subject: [PATCH] gdbusconnection: Prevent sending a serial of zero on overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It finally happened: someone managed to keep a process alive long
+enough, and using a single `GDBusConnection`, to overflow the
+`last_serial` counter in the connection and send an invalid message with
+serial of zero (which is disallowed by the D-Bus specification).
+
+Avoid that happening in future by skipping serials of zero on overflow,
+and wrapping straight back around to 1.
+
+This looks a little more confusing than it is, because `last_serial` is
+pre-incremented on use, so to skip zero, we explicitly set it to zero.
+This is exactly what happens when the `GDBusConnection` is initialised
+anyway.
+
+I can’t think of a way to add a unit test for this — there is no way to
+affect the value of `last_serial` except by sending messages (each one
+increments it), and in order to get it to overflow by sending messages
+at 1kHz, the test would have to run for 49 days.
+
+Instead, I tested this manually by temporarily modifying
+`GDBusConnection` to initialise `last_serial` to `G_MAXUINT32 - 3`, then
+checked that the unit tests all still passed, and that the overflow code
+was being executed.
+
+Signed-off-by: Philip Withnall
+
+Fixes: #3592
+---
+ gio/gdbusconnection.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
+index 348b5b9..96faaa1 100644
+--- a/gio/gdbusconnection.c
++++ b/gio/gdbusconnection.c
+@@ -1794,9 +1794,22 @@ g_dbus_connection_send_message_unlocked (GDBusConnection *connection,
+ goto out;
+
+ if (flags & G_DBUS_SEND_MESSAGE_FLAGS_PRESERVE_SERIAL)
+- serial_to_use = g_dbus_message_get_serial (message);
++ {
++ serial_to_use = g_dbus_message_get_serial (message);
++ }
+ else
+- serial_to_use = ++connection->last_serial; /* TODO: handle overflow */
++ {
++ /* The serial_to_use must not be zero, as per
++ * https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages. */
++ if (connection->last_serial == G_MAXUINT32)
++ connection->last_serial = 1;
++ else
++ connection->last_serial++;
++
++ serial_to_use = connection->last_serial;
++ }
++
++ g_assert (serial_to_use != 0);
+
+ switch (blob[0])
+ {
+--
+2.47.3
+
diff --git a/SOURCES/gunixmount-improvements.patch b/SOURCES/gunixmount-improvements.patch
new file mode 100644
index 0000000..de2a200
--- /dev/null
+++ b/SOURCES/gunixmount-improvements.patch
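Review bot: The added `g_assert (serial_to_use != 0)` sits after the if/else, so it also covers the `G_DBUS_SEND_MESSAGE_FLAGS_PRESERVE_SERIAL` branch, where the serial is whatever the caller's message carries. A message with serial 0 sent with that flag would abort the process instead of failing the send, and the check disappears entirely in builds that define `G_DISABLE_ASSERT`. Consider rejecting a zero serial in the preserve branch through the function's existing `goto out` error path and keeping the assertion only for the counter branch. The function body continues outside the hunk, so how `out` reports errors could not be checked here.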
@@ -0,0 +1,510 @@ +From 704d650e4d43d8d563358fd75d80a5d97ce91127 Mon Sep 17 00:00:00 2001 +From: Christian Hergert +Date: Fri, 21 Nov 2025 12:31:13 -0800 +Subject: [PATCH 1/5] gio/gunixmounts: mark some file-system types as system + +Since this list was originally created, more file system types have +become commonly used and would benefit from being marked as a system +file-system type. + +This was found while tracking down some performance issues in +gnome-settings-daemon trash handling. +--- + gio/gunixmounts.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/gio/gunixmounts.c b/gio/gunixmounts.c +index 6abe87414..67bf3d36d 100644 +--- a/gio/gunixmounts.c ++++ b/gio/gunixmounts.c +@@ -319,6 +319,8 @@ g_unix_is_system_fs_type (const char *fs_type) + "auto", + "autofs", + "autofs4", ++ "binfmt_misc", ++ "bpf", + "cgroup", + "configfs", + "cxfs", +@@ -327,6 +329,7 @@ g_unix_is_system_fs_type (const char *fs_type) + "devpts", + "devtmpfs", + "ecryptfs", ++ "efivarfs", + "fdescfs", + "fusectl", + "gfs", +@@ -355,6 +358,7 @@ g_unix_is_system_fs_type (const char *fs_type) + "selinuxfs", + "sysfs", + "tmpfs", ++ "tracefs", + "usbfs", + NULL + }; +-- +2.52.0 + + +From d01e214e82774f25dde3523ca23ca09b8ab563f9 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Mon, 1 Dec 2025 15:36:02 +0100 +Subject: [PATCH 2/5] gio/gunixmounts: Mark more file systems as system + internal + +The commit f1a90a67 updated list of system internal file systems. +I think we can add a few more file systems (i.e. `cgroups2`, +`fuse.gvfsd-fuse`, `fuse.portal`) and `/bin/efi` path. This is to +improve performance of `gvfsd-trash`, `gsd-houskeeping` and similar. 
+ +Related: https://gitlab.gnome.org/GNOME/gvfs/-/issues/814 +--- + gio/gunixmounts.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/gio/gunixmounts.c b/gio/gunixmounts.c +index 67bf3d36d..2229e26f5 100644 +--- a/gio/gunixmounts.c ++++ b/gio/gunixmounts.c +@@ -240,6 +240,7 @@ g_unix_is_mount_path_system_internal (const char *mount_path) + */ + "/", /* we already have "Filesystem root" in Nautilus */ + "/bin", ++ "/bin/efi", + "/boot", + "/compat/linux/proc", + "/compat/linux/sys", +@@ -322,6 +323,7 @@ g_unix_is_system_fs_type (const char *fs_type) + "binfmt_misc", + "bpf", + "cgroup", ++ "cgroup2", + "configfs", + "cxfs", + "debugfs", +@@ -331,6 +333,8 @@ g_unix_is_system_fs_type (const char *fs_type) + "ecryptfs", + "efivarfs", + "fdescfs", ++ "fuse.gvfsd-fuse", ++ "fuse.portal", + "fusectl", + "gfs", + "gfs2", +-- +2.52.0 + + +From 2178d97df4c797e535211410cde4b2d184e77113 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Wed, 3 Dec 2025 10:02:15 +0100 +Subject: [PATCH 3/5] gio/gunixmounts: Replace /bin/efi with /boot/efi + +The commit 06e9f2c0 added `/bin/efi` instead of `/boot/efi` to the +list of system internal mount paths by mistake. Let's fix it. 
+--- + gio/gunixmounts.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gio/gunixmounts.c b/gio/gunixmounts.c +index 2229e26f5..b43382981 100644 +--- a/gio/gunixmounts.c ++++ b/gio/gunixmounts.c +@@ -240,8 +240,8 @@ g_unix_is_mount_path_system_internal (const char *mount_path) + */ + "/", /* we already have "Filesystem root" in Nautilus */ + "/bin", +- "/bin/efi", + "/boot", ++ "/boot/efi", + "/compat/linux/proc", + "/compat/linux/sys", + "/dev", +-- +2.52.0 + + +From e50947c3d432b823a164f2712ec00b0f0919d957 Mon Sep 17 00:00:00 2001 +From: Christian Hergert +Date: Fri, 21 Nov 2025 18:54:33 -0800 +Subject: [PATCH 4/5] gio/unixmounts: use bsearch() to check for set inclusion + +This turns out to be about 17% faster than the previous set comparisons +on large (in the thousands) /proc/mounts configurations. It does require +that we keep the lists sorted but ended up faster than gperf hashing. +--- + gio/gunixmounts.c | 59 +++++++++++++++++++++++++---------------------- + 1 file changed, 31 insertions(+), 28 deletions(-) + +diff --git a/gio/gunixmounts.c b/gio/gunixmounts.c +index b43382981..d659e9fb5 100644 +--- a/gio/gunixmounts.c ++++ b/gio/gunixmounts.c +@@ -39,6 +39,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -207,16 +208,17 @@ static GSource *proc_mounts_watch_source; + static struct libmnt_monitor *proc_mounts_monitor = NULL; + #endif + ++static int ++compare_str (const char * key, ++ const char * const *element) ++{ ++ return strcmp (key, *element); ++} ++ + static gboolean +-is_in (const char *value, const char *set[]) ++is_in (const char *value, const char *set[], gsize set_size) + { +- int i; +- for (i = 0; set[i] != NULL; i++) +- { +- if (strcmp (set[i], value) == 0) +- return TRUE; +- } +- return FALSE; ++ return bsearch (value, set, set_size, sizeof (char *), (GCompareFunc)compare_str) != NULL; + } + + /** +@@ -234,11 +236,12 @@ is_in (const char *value, const char *set[]) + gboolean + 
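Review bot: `is_in` hands `compare_str` to bsearch through a `(GCompareFunc)` cast, but `compare_str` is declared with `const char *` and `const char * const *` parameters, so bsearch calls it through a function-pointer type that does not match its definition. That is undefined behaviour in C, and it is the kind of mismatch that indirect-call control-flow-integrity checks reject at run time. Declaring the comparator with the signature bsearch expects removes the cast: `static int compare_str (const void *key, const void *element)` with `return strcmp (key, *(const char * const *) element);`, then pass `compare_str` directly.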
g_unix_is_mount_path_system_internal (const char *mount_path) + { ++ /* keep sorted for bsearch */ + const char *ignore_mountpoints[] = { + /* Includes all FHS 2.3 toplevel dirs and other specialized + * directories that we want to hide from the user. + */ +- "/", /* we already have "Filesystem root" in Nautilus */ ++ "/", /* we already have "Filesystem root" in Nautilus */ + "/bin", + "/boot", + "/boot/efi", +@@ -254,11 +257,15 @@ g_unix_is_mount_path_system_internal (const char *mount_path) + "/live/image", + "/media", + "/mnt", ++ "/net", + "/opt", ++ "/proc", + "/rescue", + "/root", + "/sbin", ++ "/sbin", + "/srv", ++ "/sys", + "/tmp", + "/usr", + "/usr/X11R6", +@@ -275,16 +282,16 @@ g_unix_is_mount_path_system_internal (const char *mount_path) + "/var/mail", + "/var/run", + "/var/tmp", /* https://bugzilla.redhat.com/show_bug.cgi?id=335241 */ +- "/proc", +- "/sbin", +- "/net", +- "/sys", +- NULL + }; + +- if (is_in (mount_path, ignore_mountpoints)) ++ if (is_in (mount_path, ignore_mountpoints, G_N_ELEMENTS (ignore_mountpoints))) + return TRUE; +- ++ ++ /* Kept separate from sorted list as they may vary */ ++ if (g_str_equal ("/var", mount_path) || ++ g_str_equal ("/run", mount_path)) ++ return TRUE; ++ + if (g_str_has_prefix (mount_path, "/dev/") || + g_str_has_prefix (mount_path, "/proc/") || + g_str_has_prefix (mount_path, "/sys/")) +@@ -314,14 +321,13 @@ g_unix_is_mount_path_system_internal (const char *mount_path) + gboolean + g_unix_is_system_fs_type (const char *fs_type) + { ++ /* keep sorted for bsearch */ + const char *ignore_fs[] = { + "adfs", + "afs", + "auto", + "autofs", + "autofs4", +- "binfmt_misc", +- "bpf", + "cgroup", + "cgroup2", + "configfs", +@@ -331,7 +337,6 @@ g_unix_is_system_fs_type (const char *fs_type) + "devpts", + "devtmpfs", + "ecryptfs", +- "efivarfs", + "fdescfs", + "fuse.gvfsd-fuse", + "fuse.portal", +@@ -362,14 +367,12 @@ g_unix_is_system_fs_type (const char *fs_type) + "selinuxfs", + "sysfs", + "tmpfs", +- "tracefs", + "usbfs", 
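Review bot: This hunk removes `"binfmt_misc"` and `"bpf"` from `ignore_fs`, and the next two hunks of patch 4/5 remove `"efivarfs"` and `"tracefs"`, which are exactly the four entries patch 1/5 of this same series added. All four were already in sorted position, so the bsearch conversion does not require dropping them; this looks like a rebase artefact rather than an intended change. If it is intended, patch 1/5 has no net effect and the patch description should say so; otherwise the entries need to stay in the sorted list. `ignore_fs` and `ignore_devices` also now depend on being sorted but, unlike `system_mount_paths`, get no sortedness test later in the series.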
+- NULL + }; + + g_return_val_if_fail (fs_type != NULL && *fs_type != '\0', FALSE); + +- return is_in (fs_type, ignore_fs); ++ return is_in (fs_type, ignore_fs, G_N_ELEMENTS (ignore_fs)); + } + + /** +@@ -391,19 +394,19 @@ g_unix_is_system_fs_type (const char *fs_type) + gboolean + g_unix_is_system_device_path (const char *device_path) + { ++ /* keep sorted for bsearch */ + const char *ignore_devices[] = { +- "none", +- "sunrpc", +- "devpts", +- "nfsd", + "/dev/loop", + "/dev/vn", +- NULL ++ "devpts", ++ "nfsd", ++ "none", ++ "sunrpc", + }; + + g_return_val_if_fail (device_path != NULL && *device_path != '\0', FALSE); + +- return is_in (device_path, ignore_devices); ++ return is_in (device_path, ignore_devices, G_N_ELEMENTS (ignore_devices)); + } + + static gboolean +-- +2.52.0 + + +From dcc5d5e1ac3c8c80a5d7358c9162645614e9fe85 Mon Sep 17 00:00:00 2001 +From: Christian Hergert +Date: Tue, 6 Jan 2026 10:56:59 -0800 +Subject: [PATCH 5/5] gio/unixmounts: test that mounts are in sorted order + +--- + gio/gunixmounts-private.h | 69 +++++++++++++++++++++++++++++++++++++++ + gio/gunixmounts.c | 51 ++--------------------------- + gio/tests/unix-mounts.c | 26 +++++++++++++++ + 3 files changed, 97 insertions(+), 49 deletions(-) + create mode 100644 gio/gunixmounts-private.h + +diff --git a/gio/gunixmounts-private.h b/gio/gunixmounts-private.h +new file mode 100644 +index 000000000..196e81aca +--- /dev/null ++++ b/gio/gunixmounts-private.h +@@ -0,0 +1,69 @@ ++/* GIO - GLib Input, Output and Streaming Library ++ * ++ * Copyright 2006-2007 Red Hat, Inc. ++ * Copyright 2026 Christian Hergert ++ * ++ * SPDX-License-Identifier: LGPL-2.1-or-later ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. 
++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General ++ * Public License along with this library; if not, see . ++ */ ++ ++#pragma once ++ ++/* keep sorted for bsearch */ ++static const char *system_mount_paths[] = { ++ /* Includes all FHS 2.3 toplevel dirs and other specialized ++ * directories that we want to hide from the user. ++ */ ++ "/", /* we already have "Filesystem root" in Nautilus */ ++ "/bin", ++ "/boot", ++ "/compat/linux/proc", ++ "/compat/linux/sys", ++ "/dev", ++ "/etc", ++ "/home", ++ "/lib", ++ "/lib64", ++ "/libexec", ++ "/live/cow", ++ "/live/image", ++ "/media", ++ "/mnt", ++ "/net", ++ "/opt", ++ "/proc", ++ "/rescue", ++ "/root", ++ "/sbin", ++ "/sbin", ++ "/srv", ++ "/sys", ++ "/tmp", ++ "/usr", ++ "/usr/X11R6", ++ "/usr/local", ++ "/usr/obj", ++ "/usr/ports", ++ "/usr/src", ++ "/usr/xobj", ++ "/var", ++ "/var/crash", ++ "/var/local", ++ "/var/log", ++ "/var/log/audit", /* https://bugzilla.redhat.com/show_bug.cgi?id=333041 */ ++ "/var/mail", ++ "/var/run", ++ "/var/tmp", /* https://bugzilla.redhat.com/show_bug.cgi?id=335241 */ ++}; +diff --git a/gio/gunixmounts.c b/gio/gunixmounts.c +index d659e9fb5..0ddecf966 100644 +--- a/gio/gunixmounts.c ++++ b/gio/gunixmounts.c +@@ -65,6 +65,7 @@ + #endif + + #include "gunixmounts.h" ++#include "gunixmounts-private.h" + #include "gfile.h" + #include "gfilemonitor.h" + #include "glibintl.h" +@@ -236,55 +237,7 @@ is_in (const char *value, const char *set[], gsize set_size) + gboolean + g_unix_is_mount_path_system_internal (const char *mount_path) + { +- /* keep sorted for bsearch */ +- const char *ignore_mountpoints[] = { +- /* Includes all FHS 2.3 toplevel dirs and other specialized +- * directories that we want to hide from the 
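Review bot: The `system_mount_paths` array introduced in gunixmounts-private.h goes from `"/boot"` straight to `"/compat/linux/proc"`, while the `ignore_mountpoints` array it replaces in gunixmounts.c contained `"/boot/efi"`, so patch 5/5 appears to drop the entry that patches 2/5 and 3/5 added. Unless another check outside these hunks covers it, `/boot/efi` stops being reported as a system-internal mount path once the series is applied. Re-adding `"/boot/efi",` after `"/boot",` keeps the array sorted. The new test in unix-mounts.c would not notice the omission, since it only checks ordering.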
user. +- */ +- "/", /* we already have "Filesystem root" in Nautilus */ +- "/bin", +- "/boot", +- "/boot/efi", +- "/compat/linux/proc", +- "/compat/linux/sys", +- "/dev", +- "/etc", +- "/home", +- "/lib", +- "/lib64", +- "/libexec", +- "/live/cow", +- "/live/image", +- "/media", +- "/mnt", +- "/net", +- "/opt", +- "/proc", +- "/rescue", +- "/root", +- "/sbin", +- "/sbin", +- "/srv", +- "/sys", +- "/tmp", +- "/usr", +- "/usr/X11R6", +- "/usr/local", +- "/usr/obj", +- "/usr/ports", +- "/usr/src", +- "/usr/xobj", +- "/var", +- "/var/crash", +- "/var/local", +- "/var/log", +- "/var/log/audit", /* https://bugzilla.redhat.com/show_bug.cgi?id=333041 */ +- "/var/mail", +- "/var/run", +- "/var/tmp", /* https://bugzilla.redhat.com/show_bug.cgi?id=335241 */ +- }; +- +- if (is_in (mount_path, ignore_mountpoints, G_N_ELEMENTS (ignore_mountpoints))) ++ if (is_in (mount_path, system_mount_paths, G_N_ELEMENTS (system_mount_paths))) + return TRUE; + + /* Kept separate from sorted list as they may vary */ +diff --git a/gio/tests/unix-mounts.c b/gio/tests/unix-mounts.c +index 67b8c8d98..ab4aaa23e 100644 +--- a/gio/tests/unix-mounts.c ++++ b/gio/tests/unix-mounts.c +@@ -28,6 +28,8 @@ + #include + #include + ++#include "../gunixmounts-private.h" ++ + static void + test_is_system_fs_type (void) + { +@@ -48,6 +50,29 @@ test_is_system_device_path (void) + g_assert_false (g_unix_is_system_device_path ("/")); + } + ++static void ++test_system_mount_paths_sorted (void) ++{ ++ size_t i; ++ size_t n_paths = G_N_ELEMENTS (system_mount_paths); ++ ++ g_test_summary ("Verify that system_mount_paths array is sorted for bsearch"); ++ ++ for (i = 1; i < n_paths; i++) ++ { ++ int cmp = strcmp (system_mount_paths[i - 1], system_mount_paths[i]); ++ if (cmp > 0) ++ { ++ g_fprintf (stderr, "system_mount_paths array is not sorted: " ++ "\"%s\" should come before \"%s\"", ++ system_mount_paths[i - 1], ++ system_mount_paths[i]); ++ g_test_fail (); ++ return; ++ } ++ } ++} ++ + int + main (int argc, + char 
*argv[]) +@@ -58,6 +83,7 @@ main (int argc, + + g_test_add_func ("/unix-mounts/is-system-fs-type", test_is_system_fs_type); + g_test_add_func ("/unix-mounts/is-system-device-path", test_is_system_device_path); ++ g_test_add_func ("/unix-mounts/system-mount-paths-sorted", test_system_mount_paths_sorted); + + return g_test_run (); + } +-- +2.52.0 + diff --git a/SPECS/glib2.spec b/SPECS/glib2.spec index f8c7941..befdfd5 100644 --- a/SPECS/glib2.spec +++ b/SPECS/glib2.spec @@ -1,6 +1,6 @@ Name: glib2 Version: 2.68.4 -Release: 16%{?dist} +Release: 19%{?dist} Summary: A library of handy utility functions License: LGPLv2+ @@ -63,6 +63,28 @@ Patch: 4038.patch # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4155 Patch: 4155.patch +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4281 +Patch: CVE-2024-52533.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4588 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4592 +Patch: CVE-2025-4373.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4356 +Patch: gdatetime-test.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4470 +Patch: gdbusconnection-serial-number-overflow.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4914 +Patch: CVE-2025-13601.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4916 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4918 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4930 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4931 +Patch: gunixmount-improvements.patch + BuildRequires: chrpath BuildRequires: gcc BuildRequires: gcc-c++ 
@@ -278,6 +300,20 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %{_datadir}/installed-tests %changelog +* Mon Jan 19 2026 Michael Catanzaro - 2.68.4-19 +- Add patch for CVE-2025-13601 +- Fix GUnixMount issues + +* Wed Sep 17 2025 RHEL Packaging Agent - 2.68.4-18 +- gdbusconnection: Prevent sending a serial of zero on overflow +- Resolves: RHEL-114059 + +* Fri Jul 11 2025 Michael Catanzaro - 2.68.4-17 +- Add patches for CVE-2024-52533 and CVE-2025-4373 +- Update GDateTime test for new tzdata +- Resolves: RHEL-94483 +- Resolves: RHEL-102844 + * Thu Sep 26 2024 Ondrej Holy - 2.68.4-16 - Add support for x-gvfs-trash mount option - Resolves: RHEL-52360