From a6593b204c927beb687fac8c88b4213ce6846f56 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 15 Jul 2025 14:32:47 +0000 Subject: [PATCH] import UBI glib2-2.68.4-16.el9_6.2 --- SOURCES/CVE-2024-52533.patch | 45 +++++++++ SOURCES/CVE-2025-4373.patch | 140 ++++++++++++++++++++++++++ SOURCES/gdatetime-test.patch | 187 +++++++++++++++++++++++++++++++++++ SPECS/glib2.spec | 19 +++- 4 files changed, 390 insertions(+), 1 deletion(-) create mode 100644 SOURCES/CVE-2024-52533.patch create mode 100644 SOURCES/CVE-2025-4373.patch create mode 100644 SOURCES/gdatetime-test.patch diff --git a/SOURCES/CVE-2024-52533.patch b/SOURCES/CVE-2024-52533.patch new file mode 100644 index 0000000..c677cfc --- /dev/null +++ b/SOURCES/CVE-2024-52533.patch @@ -0,0 +1,45 @@ +From 25833cefda24c60af913d6f2d532b5afd608b821 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 19 Sep 2024 18:35:53 +0100 +Subject: [PATCH] gsocks4aproxy: Fix a single byte buffer overflow in connect + messages + +`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul +byte in the connect message, which is an addition in SOCKSv4a vs +SOCKSv4. + +This means that the buffer for building and transmitting the connect +message could be overflowed if the username and hostname are both +`SOCKS4_MAX_LEN` (255) bytes long. + +Proxy configurations are normally statically configured, so the username +is very unlikely to be near its maximum length, and hence this overflow +is unlikely to be triggered in practice. + +(Commit message by Philip Withnall, diagnosis and fix by Michael +Catanzaro.) + +Fixes: #3461 +--- + gio/gsocks4aproxy.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c +index 3dad118eb7..b3146d08fd 100644 +--- a/gio/gsocks4aproxy.c ++++ b/gio/gsocks4aproxy.c +@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy) + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ + * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL | + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ +- * 1 1 2 4 variable 1 variable ++ * 1 1 2 4 variable 1 variable 1 + */ +-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2) ++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2) + static gint + set_connect_msg (guint8 *msg, + const gchar *hostname, +-- +GitLab + diff --git a/SOURCES/CVE-2025-4373.patch b/SOURCES/CVE-2025-4373.patch new file mode 100644 index 0000000..7f83d9d --- /dev/null +++ b/SOURCES/CVE-2025-4373.patch @@ -0,0 +1,140 @@ +From cc647f9e46d55509a93498af19659baf9c80f2e3 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 10 Apr 2025 10:57:20 -0500 +Subject: [PATCH] gstring: carefully handle gssize parameters + +Wherever we use gssize to allow passing -1, we need to ensure we don't +overflow the value by assigning a gsize to it without checking if the +size exceeds the maximum gssize. The safest way to do this is to just +use normal gsize everywhere instead and use gssize only for the +parameter. + +Our computers don't have enough RAM to write tests for this. I tried +forcing string->len to high values for test purposes, but this isn't +valid and will just cause out of bounds reads/writes due to +string->allocated_len being unexpectedly small, so I don't think we can +test this easily. +--- + glib/gstring.c | 36 +++++++++++++++++++++++------------- + 1 file changed, 23 insertions(+), 13 deletions(-) + +diff --git a/glib/gstring.c b/glib/gstring.c +index 5279ed3cca..d79a4849c0 100644 +--- a/glib/gstring.c ++++ b/glib/gstring.c +@@ -480,8 +480,9 @@ g_string_insert_len (GString *string, + return string; + + if (len < 0) +- len = strlen (val); +- len_unsigned = len; ++ len_unsigned = strlen (val); ++ else ++ len_unsigned = len; + + if (pos < 0) + pos_unsigned = string->len; +@@ -778,10 +779,12 @@ g_string_insert_c (GString *string, + g_string_maybe_expand (string, 1); + + if (pos < 0) +- pos = string->len; ++ pos_unsigned = string->len; + else +- g_return_val_if_fail ((gsize) pos <= string->len, string); +- pos_unsigned = pos; ++ { ++ pos_unsigned = pos; ++ g_return_val_if_fail (pos_unsigned <= string->len, string); ++ } + + /* If not just an append, move the old stuff */ + if (pos_unsigned < string->len) +@@ -814,6 +817,7 @@ g_string_insert_unichar (GString *string, + gssize pos, + gunichar wc) + { ++ gsize pos_unsigned; + gint charlen, first, i; + gchar *dest; + +@@ -855,15 +859,18 @@ g_string_insert_unichar (GString *string, + g_string_maybe_expand (string, charlen); + + if (pos < 0) +- pos = string->len; ++ pos_unsigned = string->len; + else +- g_return_val_if_fail ((gsize) pos <= string->len, string); ++ { ++ pos_unsigned = pos; ++ g_return_val_if_fail (pos_unsigned <= string->len, string); ++ } + + /* If not just an append, move the old stuff */ +- if ((gsize) pos < string->len) +- memmove (string->str + pos + charlen, string->str + pos, string->len - pos); ++ if (pos_unsigned < string->len) ++ memmove (string->str + pos_unsigned + charlen, string->str + pos_unsigned, string->len - pos_unsigned); + +- dest = string->str + pos; ++ dest = string->str + pos_unsigned; + /* Code copied from g_unichar_to_utf() */ + for (i = charlen - 1; i > 0; --i) + { +@@ -921,6 +928,7 @@ g_string_overwrite_len (GString *string, + const gchar *val, + gssize len) + { ++ gssize len_unsigned; + gsize end; + + g_return_val_if_fail (string != NULL, NULL); +@@ -932,14 +940,16 @@ g_string_overwrite_len (GString *string, + g_return_val_if_fail (pos <= string->len, string); + + if (len < 0) +- len = strlen (val); ++ len_unsigned = strlen (val); ++ else ++ len_unsigned = len; + +- end = pos + len; ++ end = pos + len_unsigned; + + if (end > string->len) + g_string_maybe_expand (string, end - string->len); + +- memcpy (string->str + pos, val, len); ++ memcpy (string->str + pos, val, len_unsigned); + + if (end > string->len) + { +-- +GitLab +From 089070bf53807ad2a81bc0b014ad19016fada2a5 Mon Sep 17 00:00:00 2001 +From: Peter Bloomfield +Date: Thu, 10 Apr 2025 22:12:49 -0400 +Subject: [PATCH] gstring: Make len_unsigned unsigned + +Declare `len_unsigned` as `gsize` instead of `gssize`. +--- + glib/gstring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/glib/gstring.c b/glib/gstring.c +index d79a4849c0..2a399ee21f 100644 +--- a/glib/gstring.c ++++ b/glib/gstring.c +@@ -928,7 +928,7 @@ g_string_overwrite_len (GString *string, + const gchar *val, + gssize len) + { +- gssize len_unsigned; ++ gsize len_unsigned; + gsize end; + + g_return_val_if_fail (string != NULL, NULL); +-- +GitLab + diff --git a/SOURCES/gdatetime-test.patch b/SOURCES/gdatetime-test.patch new file mode 100644 index 0000000..58d78e2 --- /dev/null +++ b/SOURCES/gdatetime-test.patch @@ -0,0 +1,187 @@ +From e608f34a060f2def4afeefc6e54b3189e6a82393 Mon Sep 17 00:00:00 2001 +From: "Rebecca N. Palmer" +Date: Fri, 11 Oct 2024 09:38:52 +0100 +Subject: [PATCH 1/3] gdatetime test: Do not assume PST8PDT was always exactly + -8/-7 + +In newer tzdata, it is an alias for America/Los_Angeles, which has a +slightly different meaning: DST did not exist there before 1883. As a +result, we can no longer hard-code the knowledge that interval 0 is +standard time and interval 1 is summer time, and instead we need to look +up the correct intervals from known timestamps. + +Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/3502 +Bug-Debian: https://bugs.debian.org/1084190 +[smcv: expand commit message, fix whitespace] +Signed-off-by: Simon McVittie +--- + glib/tests/gdatetime.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c +index bc4eba93a..2697e3caa 100644 +--- a/glib/tests/gdatetime.c ++++ b/glib/tests/gdatetime.c +@@ -2475,6 +2475,7 @@ test_posix_parse (void) + { + GTimeZone *tz; + GDateTime *gdt1, *gdt2; ++ gint i1, i2; + + /* Check that an unknown zone name falls back to UTC. */ + G_GNUC_BEGIN_IGNORE_DEPRECATIONS +@@ -2498,16 +2499,25 @@ test_posix_parse (void) + + /* This fails rules_from_identifier on Unix (though not on Windows) + * but passes anyway because PST8PDT is a zone name. ++ * ++ * Intervals i1 and i2 (rather than 0 and 1) are needed because in ++ * recent tzdata, PST8PDT may be an alias for America/Los_Angeles, ++ * and hence be aware that DST has not always existed. ++ * https://bugs.debian.org/1084190 + */ + tz = g_time_zone_new_identifier ("PST8PDT"); + g_assert_nonnull (tz); + g_assert_cmpstr (g_time_zone_get_identifier (tz), ==, "PST8PDT"); +- g_assert_cmpstr (g_time_zone_get_abbreviation (tz, 0), ==, "PST"); +- g_assert_cmpint (g_time_zone_get_offset (tz, 0), ==, - 8 * 3600); +- g_assert (!g_time_zone_is_dst (tz, 0)); +- g_assert_cmpstr (g_time_zone_get_abbreviation (tz, 1), ==, "PDT"); +- g_assert_cmpint (g_time_zone_get_offset (tz, 1), ==,- 7 * 3600); +- g_assert (g_time_zone_is_dst (tz, 1)); ++ /* a date in winter = non-DST */ ++ i1 = g_time_zone_find_interval (tz, G_TIME_TYPE_STANDARD, 0); ++ /* approximately 6 months in seconds, i.e. a date in summer = DST */ ++ i2 = g_time_zone_find_interval (tz, G_TIME_TYPE_DAYLIGHT, 15000000); ++ g_assert_cmpstr (g_time_zone_get_abbreviation (tz, i1), ==, "PST"); ++ g_assert_cmpint (g_time_zone_get_offset (tz, i1), ==, - 8 * 3600); ++ g_assert (!g_time_zone_is_dst (tz, i1)); ++ g_assert_cmpstr (g_time_zone_get_abbreviation (tz, i2), ==, "PDT"); ++ g_assert_cmpint (g_time_zone_get_offset (tz, i2), ==,- 7 * 3600); ++ g_assert (g_time_zone_is_dst (tz, i2)); + g_time_zone_unref (tz); + + tz = g_time_zone_new_identifier ("PST8PDT6:32:15"); +-- +2.50.0 + + +From a2a6ca391d16e76f74fe28f2bf33fecd0ded1293 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Fri, 18 Oct 2024 11:03:19 +0100 +Subject: [PATCH 2/3] gdatetime test: Try to make PST8PDT test more obviously + correct + +Instead of using timestamp 0 as a magic number (in this case interpreted +as 1970-01-01T00:00:00-08:00), calculate a timestamp from a recent +year/month/day in winter, in this case 2024-01-01T00:00:00-08:00. + +Similarly, instead of using a timestamp 15 million seconds later +(1970-06-23T15:40:00-07:00), calculate a timestamp from a recent +year/month/day in summer, in this case 2024-07-01T00:00:00-07:00. + +Signed-off-by: Simon McVittie +--- + glib/tests/gdatetime.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c +index 2697e3caa..676951cce 100644 +--- a/glib/tests/gdatetime.c ++++ b/glib/tests/gdatetime.c +@@ -2499,19 +2499,16 @@ test_posix_parse (void) + + /* This fails rules_from_identifier on Unix (though not on Windows) + * but passes anyway because PST8PDT is a zone name. +- * +- * Intervals i1 and i2 (rather than 0 and 1) are needed because in +- * recent tzdata, PST8PDT may be an alias for America/Los_Angeles, +- * and hence be aware that DST has not always existed. +- * https://bugs.debian.org/1084190 + */ + tz = g_time_zone_new_identifier ("PST8PDT"); + g_assert_nonnull (tz); + g_assert_cmpstr (g_time_zone_get_identifier (tz), ==, "PST8PDT"); + /* a date in winter = non-DST */ +- i1 = g_time_zone_find_interval (tz, G_TIME_TYPE_STANDARD, 0); +- /* approximately 6 months in seconds, i.e. a date in summer = DST */ +- i2 = g_time_zone_find_interval (tz, G_TIME_TYPE_DAYLIGHT, 15000000); ++ gdt1 = g_date_time_new (tz, 2024, 1, 1, 0, 0, 0); ++ i1 = g_time_zone_find_interval (tz, G_TIME_TYPE_STANDARD, g_date_time_to_unix (gdt1)); ++ /* a date in summer = DST */ ++ gdt2 = g_date_time_new (tz, 2024, 7, 1, 0, 0, 0); ++ i2 = g_time_zone_find_interval (tz, G_TIME_TYPE_DAYLIGHT, g_date_time_to_unix (gdt2)); + g_assert_cmpstr (g_time_zone_get_abbreviation (tz, i1), ==, "PST"); + g_assert_cmpint (g_time_zone_get_offset (tz, i1), ==, - 8 * 3600); + g_assert (!g_time_zone_is_dst (tz, i1)); +@@ -2519,6 +2516,8 @@ test_posix_parse (void) + g_assert_cmpint (g_time_zone_get_offset (tz, i2), ==,- 7 * 3600); + g_assert (g_time_zone_is_dst (tz, i2)); + g_time_zone_unref (tz); ++ g_date_time_unref (gdt1); ++ g_date_time_unref (gdt2); + + tz = g_time_zone_new_identifier ("PST8PDT6:32:15"); + #ifdef G_OS_WIN32 +-- +2.50.0 + + +From 345a41982e7237f72e88b4ade951320df52553b2 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Fri, 18 Oct 2024 11:23:42 +0100 +Subject: [PATCH 3/3] gdatetime test: Fall back if legacy System V PST8PDT is + not available + +On recent versions of Debian, PST8PDT is part of the tzdata-legacy +package, which is not always installed and might disappear in future. +Successfully tested with and without tzdata-legacy on Debian unstable. + +Signed-off-by: Simon McVittie +--- + glib/tests/gdatetime.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c +index 676951cce..7512389e0 100644 +--- a/glib/tests/gdatetime.c ++++ b/glib/tests/gdatetime.c +@@ -2476,6 +2476,7 @@ test_posix_parse (void) + GTimeZone *tz; + GDateTime *gdt1, *gdt2; + gint i1, i2; ++ const char *expect_id; + + /* Check that an unknown zone name falls back to UTC. */ + G_GNUC_BEGIN_IGNORE_DEPRECATIONS +@@ -2498,11 +2499,25 @@ test_posix_parse (void) + g_time_zone_unref (tz); + + /* This fails rules_from_identifier on Unix (though not on Windows) +- * but passes anyway because PST8PDT is a zone name. ++ * but can pass anyway because PST8PDT is a legacy System V zone name. + */ + tz = g_time_zone_new_identifier ("PST8PDT"); ++ expect_id = "PST8PDT"; ++ ++#ifndef G_OS_WIN32 ++ /* PST8PDT is in tzdata's "backward" set, packaged as tzdata-legacy and ++ * not always present in some OSs; fall back to the equivalent geographical ++ * name if the "backward" time zones are absent. */ ++ if (tz == NULL) ++ { ++ g_test_message ("Legacy PST8PDT time zone not available, falling back"); ++ tz = g_time_zone_new_identifier ("America/Los_Angeles"); ++ expect_id = "America/Los_Angeles"; ++ } ++#endif ++ + g_assert_nonnull (tz); +- g_assert_cmpstr (g_time_zone_get_identifier (tz), ==, "PST8PDT"); ++ g_assert_cmpstr (g_time_zone_get_identifier (tz), ==, expect_id); + /* a date in winter = non-DST */ + gdt1 = g_date_time_new (tz, 2024, 1, 1, 0, 0, 0); + i1 = g_time_zone_find_interval (tz, G_TIME_TYPE_STANDARD, g_date_time_to_unix (gdt1)); +-- +2.50.0 + diff --git a/SPECS/glib2.spec b/SPECS/glib2.spec index f8c7941..e659676 100644 --- a/SPECS/glib2.spec +++ b/SPECS/glib2.spec @@ -1,6 +1,6 @@ Name: glib2 Version: 2.68.4 -Release: 16%{?dist} +Release: 16%{?dist}.2 Summary: A library of handy utility functions License: LGPLv2+ @@ -63,6 +63,17 @@ Patch: 4038.patch # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4155 Patch: 4155.patch +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4281 +Patch: CVE-2024-52533.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/680 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4588 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4592 +Patch: CVE-2025-4373.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4356 +Patch: gdatetime-test.patch + BuildRequires: chrpath BuildRequires: gcc BuildRequires: gcc-c++ @@ -278,6 +289,12 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %{_datadir}/installed-tests %changelog +* Fri Jul 11 2025 Michael Catanzaro - 2.68.4-16.2 +- Add patches for CVE-2024-52533 and CVE-2025-4373 +- Update GDateTime test for new tzdata +- Resolves: RHEL-94290 +- Resolves: RHEL-102845 + * Thu Sep 26 2024 Ondrej Holy - 2.68.4-16 - Add support for x-gvfs-trash mount option - Resolves: RHEL-52360