rpms/glib2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2025-14087 and CVE-2025-14512

Browse Source 
Resolves: RHEL-174297
Resolves: RHEL-174299
This commit is contained in:
Michael Catanzaro 2026-04-23 15:47:15 -05:00
parent 2276a29b08
commit b36fab8b88
3 changed files with 642 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

566
CVE-2025-14087.patch Normal file
View File

@ -0,0 +1,566 @@
From e8e8b447de4211564d90e5da975eb4fa8ee37fc9 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Tue, 25 Nov 2025 19:27:51 +0000
Subject: [PATCH 1/4] gutf8: Add tests and clarify documentation for
g_unichar_to_utf8()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
While using `g_unichar_to_utf8()`, I noticed the return type is `int`,
which suggests that it could return negative values. Wanting to make
sure I properly handled this in my code, I checked the implementation of
`g_unichar_to_utf8()` and found that it can actually only return [1, 6].
It looks like the `int` return type is a historical C-ism, and it should
really return an unsigned integer type.
Improve the docs and add some unit tests while Im there.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
---
glib/gutf8.c | 8 ++++----
glib/tests/unicode.c | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/glib/gutf8.c b/glib/gutf8.c
index 5a875ce26..d24aa246f 100644
--- a/glib/gutf8.c
+++ b/glib/gutf8.c
@@ -537,16 +537,16 @@ g_utf8_truncate_middle (const gchar *string,
*
* Converts a single character to UTF-8.
*
- * Returns: number of bytes written
+ * Returns: number of bytes written, guaranteed to be in the range [1, 6]
*/
int
g_unichar_to_utf8 (gunichar c,
gchar *outbuf)
{
/* If this gets modified, also update the copy in g_string_insert_unichar() */
- guint len = 0;
- int first;
- int i;
+ size_t len = 0;
+ char first;
+ size_t i;
if (c < 0x80)
{
diff --git a/glib/tests/unicode.c b/glib/tests/unicode.c
index cb74068a5..cae8fd175 100644
--- a/glib/tests/unicode.c
+++ b/glib/tests/unicode.c
@@ -1410,6 +1410,40 @@ test_wide (void)
}
};
+/* Test g_unichar_to_utf8(). */
+static void
+test_unichar_to_utf8 (void)
+{
+ const struct
+ {
+ gunichar unichar;
+ int expected_length;
+ const char *expected_output; /* must be of length `expected_length` */
+ }
+ vectors[] =
+ {
+ { 0x21, 1, "!" },
+ { 0x00A1, 2, "\xc2\xa1" },
+ { 0x0800, 3, "\xe0\xa0\x80" },
+ { 0x10000, 4, "\xf0\x90\x80\x80" },
+ { 0x200000, 5, "\xf8\x88\x80\x80\x80" },
+ { 0x4000000, 6, "\xfc\x84\x80\x80\x80\x80" },
+ };
+
+ for (size_t i = 0; i < G_N_ELEMENTS (vectors); i++)
+ {
+ int length;
+ char output[6];
+
+ length = g_unichar_to_utf8 (vectors[i].unichar, NULL);
+ g_assert_cmpint (length, ==, vectors[i].expected_length);
+
+ length = g_unichar_to_utf8 (vectors[i].unichar, output);
+ g_assert_cmpint (length, ==, vectors[i].expected_length);
+ g_assert_cmpmem (output, length, vectors[i].expected_output, vectors[i].expected_length);
+ }
+}
+
/* Test that g_unichar_compose() returns the correct value for various
* ASCII and Unicode alphabetic, numeric, and other, codepoints. */
static void
@@ -1987,6 +2021,7 @@ main (int argc,
g_test_add_func ("/unicode/upper", test_upper);
g_test_add_func ("/unicode/validate", test_unichar_validate);
g_test_add_func ("/unicode/wide", test_wide);
+ g_test_add_func ("/unicode/unichar-to-utf8", test_unichar_to_utf8);
g_test_add_func ("/unicode/xdigit", test_xdigit);
g_test_add_func ("/unicode/xdigit-value", test_xdigit_value);
g_test_add_func ("/unicode/zero-width", test_zerowidth);
--
2.53.0
From 4271cf7f93ab49e8bc05e1d31ae2922fa2845cfe Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Tue, 25 Nov 2025 19:02:56 +0000
Subject: [PATCH 2/4] gvariant-parser: Fix potential integer overflow parsing
(byte)strings
The termination condition for parsing string and bytestring literals in
GVariant text format input was subject to an integer overflow for input
string (or bytestring) literals longer than `INT_MAX`.
Fix that by counting as a `size_t` rather than as an `int`. The counter
can never correctly be negative.
Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
from the Sovereign Tech Agency. ID: #YWH-PGM9867-145
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Fixes: #3834
---
glib/gvariant-parser.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
index 112d89da7..560562446 100644
--- a/glib/gvariant-parser.c
+++ b/glib/gvariant-parser.c
@@ -597,7 +597,7 @@ ast_resolve (AST *ast,
{
GVariant *value;
gchar *pattern;
- gint i, j = 0;
+ size_t i, j = 0;
pattern = ast_get_pattern (ast, error);
@@ -1621,9 +1621,9 @@ string_free (AST *ast)
* No leading/trailing space allowed. */
static gboolean
unicode_unescape (const gchar *src,
- gint *src_ofs,
+ size_t *src_ofs,
gchar *dest,
- gint *dest_ofs,
+ size_t *dest_ofs,
gsize length,
SourceRef *ref,
GError **error)
@@ -1684,7 +1684,7 @@ string_parse (TokenStream *stream,
gsize length;
gchar quote;
gchar *str;
- gint i, j;
+ size_t i, j;
token_stream_start_ref (stream, &ref);
token = token_stream_get (stream);
@@ -1814,7 +1814,7 @@ bytestring_parse (TokenStream *stream,
gsize length;
gchar quote;
gchar *str;
- gint i, j;
+ size_t i, j;
token_stream_start_ref (stream, &ref);
token = token_stream_get (stream);
--
2.53.0
From 8c96e5b9b96d44458549a6798fa10a841eb65e84 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Tue, 25 Nov 2025 19:19:16 +0000
Subject: [PATCH 3/4] gvariant-parser: Use size_t to count numbers of child
elements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Rather than using `gint`, which could overflow for arrays (or dicts, or
tuples) longer than `INT_MAX`. There may be other limits which prevent
parsed containers becoming that long, but we might as well make the type
system reflect the programmers intention as best it can anyway.
For arrays and tuples this is straightforward. For dictionaries, its
slightly complicated by the fact that the code used
`dict->n_children == -1` to indicate that the `Dictionary` struct in
question actually represented a single freestanding dict entry. In
GVariant text format, that would be `{1, "one"}`.
The implementation previously didnt define the semantics of
`dict->n_children < -1`.
Now, instead, change `Dictionary.n_children` to `size_t`, and define a
magic value `DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY` to indicate that
the `Dictionary` represents a single freestanding dict entry.
This magic value is `SIZE_MAX`, and given that a dictionary entry takes
more than one byte to represent in GVariant text format, that means its
not possible to have that many entries in a parsed dictionary, so this
magic value wont be hit by a normal dictionary. An assertion checks
this anyway.
Spotted while working on #3834.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
---
glib/gvariant-parser.c | 58 ++++++++++++++++++++++++------------------
1 file changed, 33 insertions(+), 25 deletions(-)
diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
index 560562446..ade5a9fa7 100644
--- a/glib/gvariant-parser.c
+++ b/glib/gvariant-parser.c
@@ -650,9 +650,9 @@ static AST *parse (TokenStream *stream,
GError **error);
static void
-ast_array_append (AST ***array,
- gint *n_items,
- AST *ast)
+ast_array_append (AST ***array,
+ size_t *n_items,
+ AST *ast)
{
if ((*n_items & (*n_items - 1)) == 0)
*array = g_renew (AST *, *array, *n_items ? 2 ** n_items : 1);
@@ -661,10 +661,10 @@ ast_array_append (AST ***array,
}
static void
-ast_array_free (AST **array,
- gint n_items)
+ast_array_free (AST **array,
+ size_t n_items)
{
- gint i;
+ size_t i;
for (i = 0; i < n_items; i++)
ast_free (array[i]);
@@ -673,11 +673,11 @@ ast_array_free (AST **array,
static gchar *
ast_array_get_pattern (AST **array,
- gint n_items,
+ size_t n_items,
GError **error)
{
gchar *pattern;
- gint i;
+ size_t i;
/* Find the pattern which applies to all children in the array, by l-folding a
* coalesce operation.
@@ -709,7 +709,7 @@ ast_array_get_pattern (AST **array,
* pair of values.
*/
{
- int j = 0;
+ size_t j = 0;
while (TRUE)
{
@@ -957,7 +957,7 @@ typedef struct
AST ast;
AST **children;
- gint n_children;
+ size_t n_children;
} Array;
static gchar *
@@ -990,7 +990,7 @@ array_get_value (AST *ast,
Array *array = (Array *) ast;
const GVariantType *childtype;
GVariantBuilder builder;
- gint i;
+ size_t i;
if (!g_variant_type_is_array (type))
return ast_type_error (ast, type, error);
@@ -1076,7 +1076,7 @@ typedef struct
AST ast;
AST **children;
- gint n_children;
+ size_t n_children;
} Tuple;
static gchar *
@@ -1086,7 +1086,7 @@ tuple_get_pattern (AST *ast,
Tuple *tuple = (Tuple *) ast;
gchar *result = NULL;
gchar **parts;
- gint i;
+ size_t i;
parts = g_new (gchar *, tuple->n_children + 4);
parts[tuple->n_children + 1] = (gchar *) ")";
@@ -1116,7 +1116,7 @@ tuple_get_value (AST *ast,
Tuple *tuple = (Tuple *) ast;
const GVariantType *childtype;
GVariantBuilder builder;
- gint i;
+ size_t i;
if (!g_variant_type_is_tuple (type))
return ast_type_error (ast, type, error);
@@ -1308,9 +1308,16 @@ typedef struct
AST **keys;
AST **values;
- gint n_children;
+
+ /* Iff this is DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY then this struct
+ * represents a single freestanding dict entry (`{1, "one"}`) rather than a
+ * full dict. In the freestanding case, @keys and @values have exactly one
+ * member each. */
+ size_t n_children;
} Dictionary;
+#define DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY ((size_t) -1)
+
static gchar *
dictionary_get_pattern (AST *ast,
GError **error)
@@ -1325,7 +1332,7 @@ dictionary_get_pattern (AST *ast,
return g_strdup ("Ma{**}");
key_pattern = ast_array_get_pattern (dict->keys,
- abs (dict->n_children),
+ (dict->n_children == DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY) ? 1 : dict->n_children,
error);
if (key_pattern == NULL)
@@ -1356,7 +1363,7 @@ dictionary_get_pattern (AST *ast,
return NULL;
result = g_strdup_printf ("M%s{%c%s}",
- dict->n_children > 0 ? "a" : "",
+ (dict->n_children > 0 && dict->n_children != DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY) ? "a" : "",
key_char, value_pattern);
g_free (value_pattern);
@@ -1370,7 +1377,7 @@ dictionary_get_value (AST *ast,
{
Dictionary *dict = (Dictionary *) ast;
- if (dict->n_children == -1)
+ if (dict->n_children == DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY)
{
const GVariantType *subtype;
GVariantBuilder builder;
@@ -1403,7 +1410,7 @@ dictionary_get_value (AST *ast,
{
const GVariantType *entry, *key, *val;
GVariantBuilder builder;
- gint i;
+ size_t i;
if (!g_variant_type_is_subtype_of (type, G_VARIANT_TYPE_DICTIONARY))
return ast_type_error (ast, type, error);
@@ -1444,12 +1451,12 @@ static void
dictionary_free (AST *ast)
{
Dictionary *dict = (Dictionary *) ast;
- gint n_children;
+ size_t n_children;
- if (dict->n_children > -1)
- n_children = dict->n_children;
- else
+ if (dict->n_children == DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY)
n_children = 1;
+ else
+ n_children = dict->n_children;
ast_array_free (dict->keys, n_children);
ast_array_free (dict->values, n_children);
@@ -1467,7 +1474,7 @@ dictionary_parse (TokenStream *stream,
maybe_wrapper, dictionary_get_value,
dictionary_free
};
- gint n_keys, n_values;
+ size_t n_keys, n_values;
gboolean only_one;
Dictionary *dict;
AST *first;
@@ -1510,7 +1517,7 @@ dictionary_parse (TokenStream *stream,
goto error;
g_assert (n_keys == 1 && n_values == 1);
- dict->n_children = -1;
+ dict->n_children = DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY;
return (AST *) dict;
}
@@ -1543,6 +1550,7 @@ dictionary_parse (TokenStream *stream,
}
g_assert (n_keys == n_values);
+ g_assert (n_keys != DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY);
dict->n_children = n_keys;
return (AST *) dict;
--
2.53.0
From b73a8d655d4f50450483a9948ab59edcd71780fa Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Tue, 25 Nov 2025 19:25:58 +0000
Subject: [PATCH 4/4] gvariant-parser: Convert error handling code to use
size_t
The error handling code allows for printing out the range of input bytes
related to a parsing error. This was previously done using `gint`, but
the input could be longer than `INT_MAX`, so it should really be done
using `size_t`.
Spotted while working on #3834.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
---
glib/gvariant-parser.c | 36 +++++++++++++++++++++++-------------
1 file changed, 23 insertions(+), 13 deletions(-)
diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
index ade5a9fa7..0ddb4794e 100644
--- a/glib/gvariant-parser.c
+++ b/glib/gvariant-parser.c
@@ -91,7 +91,9 @@ g_variant_parser_get_error_quark (void)
typedef struct
{
- gint start, end;
+ /* Offsets from the start of the input, in bytes. Can be equal when referring
+ * to a point rather than a range. The invariant `end >= start` always holds. */
+ size_t start, end;
} SourceRef;
G_GNUC_PRINTF(5, 0)
@@ -106,14 +108,16 @@ parser_set_error_va (GError **error,
GString *msg = g_string_new (NULL);
if (location->start == location->end)
- g_string_append_printf (msg, "%d", location->start);
+ g_string_append_printf (msg, "%" G_GSIZE_FORMAT, location->start);
else
- g_string_append_printf (msg, "%d-%d", location->start, location->end);
+ g_string_append_printf (msg, "%" G_GSIZE_FORMAT "-%" G_GSIZE_FORMAT,
+ location->start, location->end);
if (other != NULL)
{
g_assert (other->start != other->end);
- g_string_append_printf (msg, ",%d-%d", other->start, other->end);
+ g_string_append_printf (msg, ",%" G_GSIZE_FORMAT "-%" G_GSIZE_FORMAT,
+ other->start, other->end);
}
g_string_append_c (msg, ':');
@@ -140,11 +144,15 @@ parser_set_error (GError **error,
typedef struct
{
+ /* We should always have the following ordering constraint:
+ * start <= this <= stream <= end
+ * Additionally, unless in an error or EOF state, `this < stream`.
+ */
const gchar *start;
const gchar *stream;
const gchar *end;
- const gchar *this;
+ const gchar *this; /* (nullable) */
} TokenStream;
@@ -175,7 +183,7 @@ token_stream_set_error (TokenStream *stream,
static gboolean
token_stream_prepare (TokenStream *stream)
{
- gint brackets = 0;
+ gssize brackets = 0;
const gchar *end;
if (stream->this != NULL)
@@ -405,7 +413,7 @@ static void
pattern_copy (gchar **out,
const gchar **in)
{
- gint brackets = 0;
+ gssize brackets = 0;
while (**in == 'a' || **in == 'm' || **in == 'M')
*(*out)++ = *(*in)++;
@@ -2743,7 +2751,7 @@ g_variant_builder_add_parsed (GVariantBuilder *builder,
static gboolean
parse_num (const gchar *num,
const gchar *limit,
- guint *result)
+ size_t *result)
{
gchar *endptr;
gint64 bignum;
@@ -2753,10 +2761,12 @@ parse_num (const gchar *num,
if (endptr != limit)
return FALSE;
+ /* The upper bound here is more restrictive than it technically needs to be,
+ * but should be enough for any practical situation: */
if (bignum < 0 || bignum > G_MAXINT)
return FALSE;
- *result = (guint) bignum;
+ *result = (size_t) bignum;
return TRUE;
}
@@ -2767,7 +2777,7 @@ add_last_line (GString *err,
{
const gchar *last_nl;
gchar *chomped;
- gint i;
+ size_t i;
/* This is an error at the end of input. If we have a file
* with newlines, that's probably the empty string after the
@@ -2912,7 +2922,7 @@ g_variant_parse_error_print_context (GError *error,
if (dash == NULL || colon < dash)
{
- guint point;
+ size_t point;
/* we have a single point */
if (!parse_num (error->message, colon, &point))
@@ -2930,7 +2940,7 @@ g_variant_parse_error_print_context (GError *error,
/* We have one or two ranges... */
if (comma && comma < colon)
{
- guint start1, end1, start2, end2;
+ size_t start1, end1, start2, end2;
const gchar *dash2;
/* Two ranges */
@@ -2946,7 +2956,7 @@ g_variant_parse_error_print_context (GError *error,
}
else
{
- guint start, end;
+ size_t start, end;
/* One range */
if (!parse_num (error->message, dash, &start) || !parse_num (dash + 1, colon, &end))
--
2.53.0

69
CVE-2025-14512.patch Normal file
View File

@ -0,0 +1,69 @@
From bf42b30a1fe916bbc8c29014525e890801019e93 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Thu, 4 Dec 2025 16:37:19 +0000
Subject: [PATCH] gfileattribute: Fix integer overflow calculating escaping for
byte strings
The number of invalid characters in the byte string (characters which
would have to be percent-encoded) was only stored in an `int`, which
gave the possibility of a long string largely full of invalid
characters overflowing this and allowing an attacker-controlled buffer
size to be allocated.
This could be triggered by an attacker controlled file attribute (of
type `G_FILE_ATTRIBUTE_TYPE_BYTE_STRING`), such as
`G_FILE_ATTRIBUTE_THUMBNAIL_PATH` or `G_FILE_ATTRIBUTE_STANDARD_NAME`,
being read by user code.
Spotted by Codean Labs.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Fixes: #3845
---
gio/gfileattribute.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/gio/gfileattribute.c b/gio/gfileattribute.c
index c6fde60fa..d3083e5bd 100644
--- a/gio/gfileattribute.c
+++ b/gio/gfileattribute.c
@@ -22,6 +22,7 @@
#include "config.h"
+#include <stdint.h>
#include <string.h>
#include "gfileattribute.h"
@@ -166,11 +167,12 @@ valid_char (char c)
return c >= 32 && c <= 126 && c != '\\';
}
+/* Returns NULL on error */
static char *
escape_byte_string (const char *str)
{
size_t i, len;
- int num_invalid;
+ size_t num_invalid;
char *escaped_val, *p;
unsigned char c;
const char hex_digits[] = "0123456789abcdef";
@@ -188,7 +190,12 @@ escape_byte_string (const char *str)
return g_strdup (str);
else
{
- escaped_val = g_malloc (len + num_invalid*3 + 1);
+ /* Check for overflow. We want to check the inequality:
+ * !(len + num_invalid * 3 + 1 > SIZE_MAX) */
+ if (num_invalid >= (SIZE_MAX - len) / 3)
+ return NULL;
+
+ escaped_val = g_malloc (len + num_invalid * 3 + 1);
p = escaped_val;
for (i = 0; i < len; i++)
--
2.53.0

7
glib2.spec
View File

@ -43,6 +43,13 @@ Patch: CVE-2025-13601.patch
# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4931
Patch: gunixmount-improvements.patch
# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4933
# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4921
Patch: CVE-2025-14087.patch
# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4935
Patch: CVE-2025-14512.patch
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: gettext