From bdb1b314585fce32f590c9cf73ff79f55442c24b Mon Sep 17 00:00:00 2001 From: RHEL Packaging Agent Date: Thu, 9 Jul 2026 11:07:19 +0000 Subject: [PATCH] Fix CVE-2026-58016: D-Bus introspection XML node nesting validation Backport upstream commit c9da977c178 to fix CVE-2026-58016 in glib2. The fix corrects a broken logical condition in the D-Bus introspection XML parser (gio/gdbusintrospection.c) that failed to properly validate `` element nesting. The original negated tautological OR expression always evaluated to false; the fix replaces it with the correct check. Includes new unit tests for invalid XML parsing. CVE: CVE-2026-58016 Upstream patches: - https://github.com/GNOME/glib/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2.patch Resolves: RHEL-190622 This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent. Assisted-by: Ymir --- CVE-2026-58016.patch | 87 ++++++++++++++++++++++++++++++++++++++++++++ glib2.spec | 9 ++++- 2 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 CVE-2026-58016.patch diff --git a/CVE-2026-58016.patch b/CVE-2026-58016.patch new file mode 100644 index 0000000..3d493f3 --- /dev/null +++ b/CVE-2026-58016.patch @@ -0,0 +1,87 @@ +From 01d02a2d7cb54c7e27174ed344d03e0c49e0b862 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 16 Apr 2026 15:27:37 +0100 +Subject: [PATCH] gdbusintrospection: Fix XML parser state handling for + element nesting + +The check for whether a `` element in D-Bus introspection XML was +nested correctly was broken. `` elements can only be at the top +level, or nested immediately within another `` element. + +Fix the check and add some unit tests for it. + +Spotted by linhlhq as #YWH-PGM9867-204. The fix is mine, and the unit test +uses example XML strings adapted from their report. + +Signed-off-by: Philip Withnall + +Fixes: #3932 +--- + gio/gdbusintrospection.c | 2 +- + gio/tests/gdbus-introspection.c | 33 +++++++++++++++++++++++++++++++++ + 2 files changed, 34 insertions(+), 1 deletion(-) + +diff --git a/gio/gdbusintrospection.c b/gio/gdbusintrospection.c +index e9601dbbd..7925af507 100644 +--- a/gio/gdbusintrospection.c ++++ b/gio/gdbusintrospection.c +@@ -1270,7 +1270,7 @@ parser_start_element (GMarkupParseContext *context, + /* ---------------------------------------------------------------------------------------------------- */ + if (strcmp (element_name, "node") == 0) + { +- if (!(g_slist_length (stack) >= 1 || strcmp (stack->next->data, "node") != 0)) ++ if (stack->next != NULL && strcmp (stack->next->data, "node") != 0) + { + g_set_error_literal (error, + G_MARKUP_ERROR, +diff --git a/gio/tests/gdbus-introspection.c b/gio/tests/gdbus-introspection.c +index 50c0cc721..e2cdf0a25 100644 +--- a/gio/tests/gdbus-introspection.c ++++ b/gio/tests/gdbus-introspection.c +@@ -297,6 +297,38 @@ test_extra_data (void) + g_dbus_node_info_unref (info); + } + ++static void ++test_invalid (void) ++{ ++ const struct ++ { ++ const char *xml; ++ GMarkupError expected_error_code; ++ } ++ vectors[] = ++ { ++ { "", G_MARKUP_ERROR_EMPTY }, ++ { "", G_MARKUP_ERROR_INVALID_CONTENT }, ++ { "", G_MARKUP_ERROR_INVALID_CONTENT }, ++ { "", G_MARKUP_ERROR_INVALID_CONTENT }, ++ { "", G_MARKUP_ERROR_INVALID_CONTENT }, ++ }; ++ ++ for (size_t i = 0; i < G_N_ELEMENTS (vectors); i++) ++ { ++ GDBusNodeInfo *node; ++ GError *local_error = NULL; ++ ++ g_test_message ("Testing parsing of %s gives an error", vectors[i].xml); ++ ++ node = g_dbus_node_info_new_for_xml (vectors[i].xml, &local_error); ++ g_assert_error (local_error, G_MARKUP_ERROR, (int) vectors[i].expected_error_code); ++ g_assert_null (node); ++ ++ g_clear_error (&local_error); ++ } ++} ++ + /* ---------------------------------------------------------------------------------------------------- */ + + int +@@ -314,6 +346,7 @@ main (int argc, + g_test_add_func ("/gdbus/introspection-generate", test_generate); + g_test_add_func ("/gdbus/introspection-default-direction", test_default_direction); + g_test_add_func ("/gdbus/introspection-extra-data", test_extra_data); ++ g_test_add_func ("/gdbus/introspection-invalid", test_invalid); + + ret = session_bus_run (); + diff --git a/glib2.spec b/glib2.spec index bb3f68d..3ccc740 100644 --- a/glib2.spec +++ b/glib2.spec @@ -5,7 +5,7 @@ Name: glib2 Version: 2.56.4 -Release: 169%{?dist} +Release: 170%{?dist} Summary: A library of handy utility functions License: LGPLv2+ @@ -169,6 +169,9 @@ Patch34: CVE-2025-14087.patch # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4935 Patch35: CVE-2025-14512.patch +# https://github.com/GNOME/glib/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2 +Patch36: CVE-2026-58016.patch + %description GLib is the low-level core library that forms the basis for projects such as GTK+ and GNOME. It provides data structure handling for C, @@ -369,6 +372,10 @@ make %{?_smp_mflags} check %{_datadir}/installed-tests %changelog +* Thu Jul 09 2026 RHEL Packaging Agent - 2.56.4-170 +- Add patch for CVE-2026-58016 +- Resolves: RHEL-190622 + * Fri Apr 24 2026 Michael Catanzaro - 2.68.4-169 - Add patch for CVE-2025-14087 and CVE-2025-14512