* Re: [OE-core] [meta][dunfell][PATCH] glib-2.0: Add security fixes
[not found] <20211129074342.22755-1-ranjitsinhrathod1991@gmail.com>
@ 2021-11-30 2:14 ` Mittal, Anuj
2021-11-30 7:12 ` Ranjitsinh Rathod
0 siblings, 1 reply; 4+ messages in thread
From: Mittal, Anuj @ 2021-11-30 2:14 UTC (permalink / raw)
To: ranjitsinhrathod1991@gmail.com,
openembedded-core@lists.openembedded.org
Cc: Neetika.Singh@kpit.com, ranjitsinh.rathod@kpit.com
I think this is missing fixes for regressions caused by these commits.
Specifically the ones here:
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1933/commits
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1943
The Ubuntu code branch that is being referred here also includes these
fixes.
Thanks,
Anuj
On Mon, 2021-11-29 at 13:13 +0530, Ranjitsinh Rathod wrote:
> From: Neetika Singh <Neetika.Singh@kpit.com>
>
> Add patches for below CVE issues:
> CVE-2021-27218
> CVE-2021-27219
> CVE-2021-28153
> Link:
> https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
>
> Signed-off-by: Neetika.Singh <Neetika.Singh@kpit.com>
> Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
> ---
> .../glib-2.0/glib-2.0/CVE-2021-27218.patch | 128 ++++++++
> .../glib-2.0/glib-2.0/CVE-2021-27219-01.patch | 169 ++++++++++
> .../glib-2.0/glib-2.0/CVE-2021-27219-02.patch | 248 +++++++++++++++
> .../glib-2.0/glib-2.0/CVE-2021-27219-03.patch | 130 ++++++++
> .../glib-2.0/glib-2.0/CVE-2021-27219-04.patch | 297 ++++++++++++++++++
> .../glib-2.0/glib-2.0/CVE-2021-27219-05.patch | 53 ++++
> .../glib-2.0/glib-2.0/CVE-2021-27219-06.patch | 100 ++++++
> .../glib-2.0/glib-2.0/CVE-2021-27219-07.patch | 75 +++++
> .../glib-2.0/glib-2.0/CVE-2021-27219-08.patch | 100 ++++++
> .../glib-2.0/glib-2.0/CVE-2021-27219-09.patch | 99 ++++++
> .../glib-2.0/glib-2.0/CVE-2021-27219-10.patch | 58 ++++
> .../glib-2.0/glib-2.0/CVE-2021-27219-11.patch | 62 ++++
> .../glib-2.0/glib-2.0/CVE-2021-28153-1.patch | 26 ++
> .../glib-2.0/glib-2.0/CVE-2021-28153-2.patch | 41 +++
> .../glib-2.0/glib-2.0/CVE-2021-28153-3.patch | 56 ++++
> .../glib-2.0/glib-2.0/CVE-2021-28153-4.patch | 264 ++++++++++++++++
> .../glib-2.0/glib-2.0/CVE-2021-28153-5.patch | 54 ++++
> meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb | 17 +
> 18 files changed, 1977 insertions(+)
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-
> 27218.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 01.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 02.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 03.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 04.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 05.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 06.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 07.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 08.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 09.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 10.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 11.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-
> 1.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-
> 2.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-
> 3.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-
> 4.patch
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-
> 5.patch
>
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch
> b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch
> new file mode 100644
> index 0000000000..23e1426cee
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch
> @@ -0,0 +1,128 @@
> +Backport of:
> +
> +From 0f384c88a241bbbd884487b1c40b7b75f1e638d3 Mon Sep 17 00:00:00 2001
> +From: Krzesimir Nowak <qdlacz@gmail.com>
> +Date: Wed, 10 Feb 2021 23:51:07 +0100
> +Subject: [PATCH] gbytearray: Do not accept too large byte arrays
> +
> +GByteArray uses guint for storing the length of the byte array, but it
> +also has a constructor (g_byte_array_new_take) that takes length as a
> +gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits
> +for guint). It is possible to call the function with a value greater
> +than G_MAXUINT, which will result in silent length truncation. This
> +may happen as a result of unreffing GBytes into GByteArray, so rather
> +be loud about it.
> +
> +(Test case tweaked by Philip Withnall.)
> +
> +(Backport 2.66: Add #include gstrfuncsprivate.h in the test case for
> +`g_memdup2()`.)
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-27218
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + glib/garray.c | 6 ++++++
> + glib/gbytes.c | 4 ++++
> + glib/tests/bytes.c | 35 ++++++++++++++++++++++++++++++++++-
> + 3 files changed, 44 insertions(+), 1 deletion(-)
> +
> +--- a/glib/garray.c
> ++++ b/glib/garray.c
> +@@ -2234,6 +2234,10 @@ g_byte_array_steal (GByteArray *array,
> + * Create byte array containing the data. The data will be owned by
> the array
> + * and will be freed with g_free(), i.e. it could be allocated using
> g_strdup().
> + *
> ++ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray
> ++ * stores the length of its data in #guint, which may be shorter than
> ++ * #gsize.
> ++ *
> + * Since: 2.32
> + *
> + * Returns: (transfer full): a new #GByteArray
> +@@ -2245,6 +2249,8 @@ g_byte_array_new_take (guint8 *data,
> + GByteArray *array;
> + GRealArray *real;
> +
> ++ g_return_val_if_fail (len <= G_MAXUINT, NULL);
> ++
> + array = g_byte_array_new ();
> + real = (GRealArray *)array;
> + g_assert (real->data == NULL);
> +--- a/glib/gbytes.c
> ++++ b/glib/gbytes.c
> +@@ -519,6 +519,10 @@ g_bytes_unref_to_data (GBytes *bytes,
> + * g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes().
> In all
> + * other cases the data is copied.
> + *
> ++ * Do not use it if @bytes contains more than %G_MAXUINT
> ++ * bytes. #GByteArray stores the length of its data in #guint, which
> ++ * may be shorter than #gsize, that @bytes is using.
> ++ *
> + * Returns: (transfer full): a new mutable #GByteArray containing the
> same byte data
> + *
> + * Since: 2.32
> +--- a/glib/tests/bytes.c
> ++++ b/glib/tests/bytes.c
> +@@ -10,12 +10,12 @@
> + */
> +
> + #undef G_DISABLE_ASSERT
> +-#undef G_LOG_DOMAIN
> +
> + #include <stdio.h>
> + #include <stdlib.h>
> + #include <string.h>
> + #include "glib.h"
> ++#include "glib/gstrfuncsprivate.h"
> +
> + /* Keep in sync with glib/gbytes.c */
> + struct _GBytes
> +@@ -334,6 +334,38 @@ test_to_array_transferred (void)
> + }
> +
> + static void
> ++test_to_array_transferred_oversize (void)
> ++{
> ++ g_test_message ("g_bytes_unref_to_array() can only take GBytes up
> to "
> ++ "G_MAXUINT in length; test that longer ones are
> rejected");
> ++
> ++ if (sizeof (guint) >= sizeof (gsize))
> ++ {
> ++ g_test_skip ("Skipping test as guint is not smaller than
> gsize");
> ++ }
> ++ else if (g_test_undefined ())
> ++ {
> ++ GByteArray *array = NULL;
> ++ GBytes *bytes = NULL;
> ++ gpointer data = g_memdup2 (NYAN, N_NYAN);
> ++ gsize len = ((gsize) G_MAXUINT) + 1;
> ++
> ++ bytes = g_bytes_new_take (data, len);
> ++ g_test_expect_message (G_LOG_DOMAIN, G_LOG_LEVEL_CRITICAL,
> ++ "g_byte_array_new_take: assertion 'len
> <= G_MAXUINT' failed");
> ++ array = g_bytes_unref_to_array (g_steal_pointer (&bytes));
> ++ g_test_assert_expected_messages ();
> ++ g_assert_null (array);
> ++
> ++ g_free (data);
> ++ }
> ++ else
> ++ {
> ++ g_test_skip ("Skipping test as testing undefined behaviour is
> disabled");
> ++ }
> ++}
> ++
> ++static void
> + test_to_array_two_refs (void)
> + {
> + gconstpointer memory;
> +@@ -410,6 +442,7 @@ main (int argc, char *argv[])
> + g_test_add_func ("/bytes/to-array/transfered",
> test_to_array_transferred);
> + g_test_add_func ("/bytes/to-array/two-refs",
> test_to_array_two_refs);
> + g_test_add_func ("/bytes/to-array/non-malloc",
> test_to_array_non_malloc);
> ++ g_test_add_func ("/bytes/to-array/transferred/oversize",
> test_to_array_transferred_oversize);
> + g_test_add_func ("/bytes/null", test_null);
> +
> + return g_test_run ();
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch
> new file mode 100644
> index 0000000000..3ded039633
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch
> @@ -0,0 +1,169 @@
> +Backport of:
> +
> +From 5e5f75a77e399c638be66d74e5daa8caeb433e00 Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Thu, 4 Feb 2021 13:30:52 +0000
> +Subject: [PATCH 01/11] gstrfuncs: Add internal g_memdup2() function
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +This will replace the existing `g_memdup()` function for use within
> +GLib. It has an unavoidable security flaw of taking its `byte_size`
> +argument as a `guint` rather than as a `gsize`. Most callers will
> +expect it to be a `gsize`, and may pass in large values which could
> +silently be truncated, resulting in an undersize allocation compared
> +to what the caller expects.
> +
> +This could lead to a classic buffer overflow vulnerability for many
> +callers of `g_memdup()`.
> +
> +`g_memdup2()`, in comparison, takes its `byte_size` as a `gsize`.
> +
> +Spotted by Kevin Backhouse of GHSL.
> +
> +In GLib 2.68, `g_memdup2()` will be a new public API. In this version
> +for backport to older stable releases, it’s a new `static inline` API
> +in a private header, so that use of `g_memdup()` within GLib can be
> +fixed without adding a new API in a stable release series.
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +Helps: GHSL-2021-045
> +Helps: #2319
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-27219
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + docs/reference/glib/meson.build | 1 +
> + glib/gstrfuncsprivate.h | 55
> +++++++++++++++++++++++++++++++++
> + glib/meson.build | 1 +
> + glib/tests/strfuncs.c | 23 ++++++++++++++
> + 4 files changed, 80 insertions(+)
> + create mode 100644 glib/gstrfuncsprivate.h
> +
> +--- a/docs/reference/glib/meson.build
> ++++ b/docs/reference/glib/meson.build
> +@@ -22,6 +22,7 @@ if get_option('gtk_doc')
> + 'gprintfint.h',
> + 'gmirroringtable.h',
> + 'gscripttable.h',
> ++ 'gstrfuncsprivate.h',
> + 'glib-mirroring-tab',
> + 'gnulib',
> + 'pcre',
> +--- /dev/null
> ++++ b/glib/gstrfuncsprivate.h
> +@@ -0,0 +1,55 @@
> ++/* GLIB - Library of useful routines for C programming
> ++ * Copyright (C) 1995-1997 Peter Mattis, Spencer Kimball and Josh
> MacDonald
> ++ *
> ++ * This library is free software; you can redistribute it and/or
> ++ * modify it under the terms of the GNU Lesser General Public
> ++ * License as published by the Free Software Foundation; either
> ++ * version 2.1 of the License, or (at your option) any later version.
> ++ *
> ++ * This library is distributed in the hope that it will be useful,
> ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
> ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> ++ * Lesser General Public License for more details.
> ++ *
> ++ * You should have received a copy of the GNU Lesser General Public
> ++ * License along with this library; if not, see
> <http://www.gnu.org/licenses/>.
> ++ */
> ++
> ++#include <glib.h>
> ++#include <string.h>
> ++
> ++/*
> ++ * g_memdup2:
> ++ * @mem: (nullable): the memory to copy.
> ++ * @byte_size: the number of bytes to copy.
> ++ *
> ++ * Allocates @byte_size bytes of memory, and copies @byte_size bytes
> into it
> ++ * from @mem. If @mem is %NULL it returns %NULL.
> ++ *
> ++ * This replaces g_memdup(), which was prone to integer overflows
> when
> ++ * converting the argument from a #gsize to a #guint.
> ++ *
> ++ * This static inline version is a backport of the new public API
> from
> ++ * GLib 2.68, kept internal to GLib for backport to older stable
> releases.
> ++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319.
> ++ *
> ++ * Returns: (nullable): a pointer to the newly-allocated copy of the
> memory,
> ++ * or %NULL if @mem is %NULL.
> ++ * Since: 2.68
> ++ */
> ++static inline gpointer
> ++g_memdup2 (gconstpointer mem,
> ++ gsize byte_size)
> ++{
> ++ gpointer new_mem;
> ++
> ++ if (mem && byte_size != 0)
> ++ {
> ++ new_mem = g_malloc (byte_size);
> ++ memcpy (new_mem, mem, byte_size);
> ++ }
> ++ else
> ++ new_mem = NULL;
> ++
> ++ return new_mem;
> ++}
> +--- a/glib/meson.build
> ++++ b/glib/meson.build
> +@@ -268,6 +268,7 @@ glib_sources = files(
> + 'gslist.c',
> + 'gstdio.c',
> + 'gstrfuncs.c',
> ++ 'gstrfuncsprivate.h',
> + 'gstring.c',
> + 'gstringchunk.c',
> + 'gtestutils.c',
> +--- a/glib/tests/strfuncs.c
> ++++ b/glib/tests/strfuncs.c
> +@@ -32,6 +32,8 @@
> + #include <string.h>
> + #include "glib.h"
> +
> ++#include "gstrfuncsprivate.h"
> ++
> + #if defined (_MSC_VER) && (_MSC_VER <= 1800)
> + #define isnan(x) _isnan(x)
> +
> +@@ -219,6 +221,26 @@ test_memdup (void)
> + g_free (str_dup);
> + }
> +
> ++/* Testing g_memdup2() function with various positive and negative
> cases */
> ++static void
> ++test_memdup2 (void)
> ++{
> ++ gchar *str_dup = NULL;
> ++ const gchar *str = "The quick brown fox jumps over the lazy dog";
> ++
> ++ /* Testing negative cases */
> ++ g_assert_null (g_memdup2 (NULL, 1024));
> ++ g_assert_null (g_memdup2 (str, 0));
> ++ g_assert_null (g_memdup2 (NULL, 0));
> ++
> ++ /* Testing normal usage cases */
> ++ str_dup = g_memdup2 (str, strlen (str) + 1);
> ++ g_assert_nonnull (str_dup);
> ++ g_assert_cmpstr (str, ==, str_dup);
> ++
> ++ g_free (str_dup);
> ++}
> ++
> + /* Testing g_strpcpy() function with various positive and negative
> cases */
> + static void
> + test_stpcpy (void)
> +@@ -2523,6 +2545,7 @@ main (int argc,
> + g_test_add_func ("/strfuncs/has-prefix", test_has_prefix);
> + g_test_add_func ("/strfuncs/has-suffix", test_has_suffix);
> + g_test_add_func ("/strfuncs/memdup", test_memdup);
> ++ g_test_add_func ("/strfuncs/memdup2", test_memdup2);
> + g_test_add_func ("/strfuncs/stpcpy", test_stpcpy);
> + g_test_add_func ("/strfuncs/str_match_string",
> test_str_match_string);
> + g_test_add_func ("/strfuncs/str_tokenize_and_fold",
> test_str_tokenize_and_fold);
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-02.patch
> new file mode 100644
> index 0000000000..b305b30234
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-02.patch
> @@ -0,0 +1,248 @@
> +From be8834340a2d928ece82025463ae23dee2c333d0 Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Thu, 4 Feb 2021 13:37:56 +0000
> +Subject: [PATCH 02/11] gio: Use g_memdup2() instead of g_memdup() in
> obvious
> + places
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Convert all the call sites which use `g_memdup()`’s length argument
> +trivially (for example, by passing a `sizeof()`), so that they use
> +`g_memdup2()` instead.
> +
> +In almost all of these cases the use of `g_memdup()` would not have
> +caused problems, but it will soon be deprecated, so best port away
> from
> +it.
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +Helps: #2319
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-27219
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + gio/gdbusconnection.c | 5 +++--
> + gio/gdbusinterfaceskeleton.c | 3 ++-
> + gio/gfile.c | 7 ++++---
> + gio/gsettingsschema.c | 5 +++--
> + gio/gwin32registrykey.c | 8 +++++---
> + gio/tests/async-close-output-stream.c | 6 ++++--
> + gio/tests/gdbus-export.c | 5 +++--
> + gio/win32/gwinhttpfile.c | 9 +++++----
> + 8 files changed, 29 insertions(+), 19 deletions(-)
> +
> +--- a/gio/gdbusconnection.c
> ++++ b/gio/gdbusconnection.c
> +@@ -110,6 +110,7 @@
> + #include "gasyncinitable.h"
> + #include "giostream.h"
> + #include "gasyncresult.h"
> ++#include "gstrfuncsprivate.h"
> + #include "gtask.h"
> + #include "gmarshal-internal.h"
> +
> +@@ -4007,7 +4008,7 @@ _g_dbus_interface_vtable_copy (const GDB
> + /* Don't waste memory by copying padding - remember to update this
> + * when changing struct _GDBusInterfaceVTable in gdbusconnection.h
> + */
> +- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer));
> ++ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer));
> + }
> +
> + static void
> +@@ -4024,7 +4025,7 @@ _g_dbus_subtree_vtable_copy (const GDBus
> + /* Don't waste memory by copying padding - remember to update this
> + * when changing struct _GDBusSubtreeVTable in gdbusconnection.h
> + */
> +- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer));
> ++ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer));
> + }
> +
> + static void
> +--- a/gio/gdbusinterfaceskeleton.c
> ++++ b/gio/gdbusinterfaceskeleton.c
> +@@ -28,6 +28,7 @@
> + #include "gdbusmethodinvocation.h"
> + #include "gdbusconnection.h"
> + #include "gmarshal-internal.h"
> ++#include "gstrfuncsprivate.h"
> + #include "gtask.h"
> + #include "gioerror.h"
> +
> +@@ -701,7 +702,7 @@ add_connection_locked (GDBusInterfaceSke
> + * properly before building the hooked_vtable, so we create it
> + * once at the last minute.
> + */
> +- interface_->priv->hooked_vtable = g_memdup
> (g_dbus_interface_skeleton_get_vtable (interface_), sizeof
> (GDBusInterfaceVTable));
> ++ interface_->priv->hooked_vtable = g_memdup2
> (g_dbus_interface_skeleton_get_vtable (interface_), sizeof
> (GDBusInterfaceVTable));
> + interface_->priv->hooked_vtable->method_call =
> skeleton_intercept_handle_method_call;
> + }
> +
> +--- a/gio/gfile.c
> ++++ b/gio/gfile.c
> +@@ -60,6 +60,7 @@
> + #include "gasyncresult.h"
> + #include "gioerror.h"
> + #include "glibintl.h"
> ++#include "gstrfuncsprivate.h"
> +
> +
> + /**
> +@@ -7854,7 +7855,7 @@ measure_disk_usage_progress (gboolean re
> + g_main_context_invoke_full (g_task_get_context (task),
> + g_task_get_priority (task),
> + measure_disk_usage_invoke_progress,
> +- g_memdup (&progress, sizeof progress),
> ++ g_memdup2 (&progress, sizeof progress),
> + g_free);
> + }
> +
> +@@ -7872,7 +7873,7 @@ measure_disk_usage_thread (GTask
> + data->progress_callback ?
> measure_disk_usage_progress : NULL, task,
> + &result.disk_usage,
> &result.num_dirs, &result.num_files,
> + &error))
> +- g_task_return_pointer (task, g_memdup (&result, sizeof result),
> g_free);
> ++ g_task_return_pointer (task, g_memdup2 (&result, sizeof result),
> g_free);
> + else
> + g_task_return_error (task, error);
> + }
> +@@ -7896,7 +7897,7 @@ g_file_real_measure_disk_usage_async (GF
> +
> + task = g_task_new (file, cancellable, callback, user_data);
> + g_task_set_source_tag (task, g_file_real_measure_disk_usage_async);
> +- g_task_set_task_data (task, g_memdup (&data, sizeof data), g_free);
> ++ g_task_set_task_data (task, g_memdup2 (&data, sizeof data),
> g_free);
> + g_task_set_priority (task, io_priority);
> +
> + g_task_run_in_thread (task, measure_disk_usage_thread);
> +--- a/gio/gsettingsschema.c
> ++++ b/gio/gsettingsschema.c
> +@@ -20,6 +20,7 @@
> +
> + #include "gsettingsschema-internal.h"
> + #include "gsettings.h"
> ++#include "gstrfuncsprivate.h"
> +
> + #include "gvdb/gvdb-reader.h"
> + #include "strinfo.c"
> +@@ -1067,9 +1068,9 @@ g_settings_schema_list_children (GSettin
> +
> + if (g_str_has_suffix (key, "/"))
> + {
> +- gint length = strlen (key);
> ++ gsize length = strlen (key);
> +
> +- strv[j] = g_memdup (key, length);
> ++ strv[j] = g_memdup2 (key, length);
> + strv[j][length - 1] = '\0';
> + j++;
> + }
> +--- a/gio/gwin32registrykey.c
> ++++ b/gio/gwin32registrykey.c
> +@@ -28,6 +28,8 @@
> + #include <ntstatus.h>
> + #include <winternl.h>
> +
> ++#include "gstrfuncsprivate.h"
> ++
> + #ifndef _WDMDDK_
> + typedef enum _KEY_INFORMATION_CLASS {
> + KeyBasicInformation,
> +@@ -247,7 +249,7 @@ g_win32_registry_value_iter_copy (const
> + new_iter->value_name_size = iter->value_name_size;
> +
> + if (iter->value_data != NULL)
> +- new_iter->value_data = g_memdup (iter->value_data, iter-
> >value_data_size);
> ++ new_iter->value_data = g_memdup2 (iter->value_data, iter-
> >value_data_size);
> +
> + new_iter->value_data_size = iter->value_data_size;
> +
> +@@ -268,8 +270,8 @@ g_win32_registry_value_iter_copy (const
> + new_iter->value_data_expanded_charsize = iter-
> >value_data_expanded_charsize;
> +
> + if (iter->value_data_expanded_u8 != NULL)
> +- new_iter->value_data_expanded_u8 = g_memdup (iter-
> >value_data_expanded_u8,
> +- iter-
> >value_data_expanded_charsize);
> ++ new_iter->value_data_expanded_u8 = g_memdup2 (iter-
> >value_data_expanded_u8,
> ++ iter-
> >value_data_expanded_charsize);
> +
> + new_iter->value_data_expanded_u8_size = iter-
> >value_data_expanded_charsize;
> +
> +--- a/gio/tests/async-close-output-stream.c
> ++++ b/gio/tests/async-close-output-stream.c
> +@@ -24,6 +24,8 @@
> + #include <stdlib.h>
> + #include <string.h>
> +
> ++#include "gstrfuncsprivate.h"
> ++
> + #define DATA_TO_WRITE "Hello world\n"
> +
> + typedef struct
> +@@ -147,9 +149,9 @@ prepare_data (SetupData *data,
> +
> + data->expected_size = g_memory_output_stream_get_data_size
> (G_MEMORY_OUTPUT_STREAM (data->data_stream));
> +
> +- g_assert_cmpint (data->expected_size, >, 0);
> ++ g_assert_cmpuint (data->expected_size, >, 0);
> +
> +- data->expected_output = g_memdup (written, (guint)data-
> >expected_size);
> ++ data->expected_output = g_memdup2 (written, data->expected_size);
> +
> + /* then recreate the streams and prepare them for the asynchronous
> close */
> + destroy_streams (data);
> +--- a/gio/tests/gdbus-export.c
> ++++ b/gio/tests/gdbus-export.c
> +@@ -23,6 +23,7 @@
> + #include <string.h>
> +
> + #include "gdbus-tests.h"
> ++#include "gstrfuncsprivate.h"
> +
> + /* all tests rely on a shared mainloop */
> + static GMainLoop *loop = NULL;
> +@@ -671,7 +672,7 @@ subtree_introspect (GDBusConnection
> + g_assert_not_reached ();
> + }
> +
> +- return g_memdup (interfaces, 2 * sizeof (void *));
> ++ return g_memdup2 (interfaces, 2 * sizeof (void *));
> + }
> +
> + static const GDBusInterfaceVTable *
> +@@ -727,7 +728,7 @@ dynamic_subtree_introspect (GDBusConnect
> + {
> + const GDBusInterfaceInfo *interfaces[2] = { &dyna_interface_info,
> NULL };
> +
> +- return g_memdup (interfaces, 2 * sizeof (void *));
> ++ return g_memdup2 (interfaces, 2 * sizeof (void *));
> + }
> +
> + static const GDBusInterfaceVTable *
> +--- a/gio/win32/gwinhttpfile.c
> ++++ b/gio/win32/gwinhttpfile.c
> +@@ -29,6 +29,7 @@
> + #include "gio/gfile.h"
> + #include "gio/gfileattribute.h"
> + #include "gio/gfileinfo.h"
> ++#include "gstrfuncsprivate.h"
> + #include "gwinhttpfile.h"
> + #include "gwinhttpfileinputstream.h"
> + #include "gwinhttpfileoutputstream.h"
> +@@ -393,10 +394,10 @@
> + child = g_object_new (G_TYPE_WINHTTP_FILE, NULL);
> + child->vfs = winhttp_file->vfs;
> + child->url = winhttp_file->url;
> +- child->url.lpszScheme = g_memdup (winhttp_file->url.lpszScheme,
> (winhttp_file->url.dwSchemeLength+1)*2);
> +- child->url.lpszHostName = g_memdup (winhttp_file->url.lpszHostName,
> (winhttp_file->url.dwHostNameLength+1)*2);
> +- child->url.lpszUserName = g_memdup (winhttp_file->url.lpszUserName,
> (winhttp_file->url.dwUserNameLength+1)*2);
> +- child->url.lpszPassword = g_memdup (winhttp_file->url.lpszPassword,
> (winhttp_file->url.dwPasswordLength+1)*2);
> ++ child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme,
> (winhttp_file->url.dwSchemeLength+1)*2);
> ++ child->url.lpszHostName = g_memdup2 (winhttp_file-
> >url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2);
> ++ child->url.lpszUserName = g_memdup2 (winhttp_file-
> >url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2);
> ++ child->url.lpszPassword = g_memdup2 (winhttp_file-
> >url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2);
> + child->url.lpszUrlPath = wnew_path;
> + child->url.dwUrlPathLength = wcslen (wnew_path);
> + child->url.lpszExtraInfo = NULL;
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 03.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-03.patch
> new file mode 100644
> index 0000000000..17a8ef80b2
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-03.patch
> @@ -0,0 +1,130 @@
> +From 6110caea45b235420b98cd41d845cc92238f6781 Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Thu, 4 Feb 2021 13:39:25 +0000
> +Subject: [PATCH 03/11] gobject: Use g_memdup2() instead of g_memdup()
> in
> + obvious places
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Convert all the call sites which use `g_memdup()`’s length argument
> +trivially (for example, by passing a `sizeof()`), so that they use
> +`g_memdup2()` instead.
> +
> +In almost all of these cases the use of `g_memdup()` would not have
> +caused problems, but it will soon be deprecated, so best port away
> from
> +it.
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +Helps: #2319
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-27219
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + gobject/gsignal.c | 3 ++-
> + gobject/gtype.c | 9 +++++----
> + gobject/gtypemodule.c | 3 ++-
> + gobject/tests/param.c | 4 +++-
> + 4 files changed, 12 insertions(+), 7 deletions(-)
> +
> +--- a/gobject/gsignal.c
> ++++ b/gobject/gsignal.c
> +@@ -28,6 +28,7 @@
> + #include <signal.h>
> +
> + #include "gsignal.h"
> ++#include "gstrfuncsprivate.h"
> + #include "gtype-private.h"
> + #include "gbsearcharray.h"
> + #include "gvaluecollector.h"
> +@@ -1809,7 +1810,7 @@ g_signal_newv (const gchar *signal
> + node->single_va_closure_is_valid = FALSE;
> + node->flags = signal_flags & G_SIGNAL_FLAGS_MASK;
> + node->n_params = n_params;
> +- node->param_types = g_memdup (param_types, sizeof (GType) *
> n_params);
> ++ node->param_types = g_memdup2 (param_types, sizeof (GType) *
> n_params);
> + node->return_type = return_type;
> + node->class_closure_bsa = NULL;
> + if (accumulator)
> +--- a/gobject/gtype.c
> ++++ b/gobject/gtype.c
> +@@ -33,6 +33,7 @@
> +
> + #include "glib-private.h"
> + #include "gconstructor.h"
> ++#include "gstrfuncsprivate.h"
> +
> + #ifdef G_OS_WIN32
> + #include <windows.h>
> +@@ -1470,7 +1471,7 @@ type_add_interface_Wm (TypeNode
> + iholder->next = iface_node_get_holders_L (iface);
> + iface_node_set_holders_W (iface, iholder);
> + iholder->instance_type = NODE_TYPE (node);
> +- iholder->info = info ? g_memdup (info, sizeof (*info)) : NULL;
> ++ iholder->info = info ? g_memdup2 (info, sizeof (*info)) : NULL;
> + iholder->plugin = plugin;
> +
> + /* create an iface entry for this type */
> +@@ -1731,7 +1732,7 @@ type_iface_retrieve_holder_info_Wm (Type
> + INVALID_RECURSION ("g_type_plugin_*", iholder->plugin,
> NODE_NAME (iface));
> +
> + check_interface_info_I (iface, instance_type, &tmp_info);
> +- iholder->info = g_memdup (&tmp_info, sizeof (tmp_info));
> ++ iholder->info = g_memdup2 (&tmp_info, sizeof (tmp_info));
> + }
> +
> + return iholder; /* we don't modify write lock upon returning
> NULL */
> +@@ -2016,10 +2017,10 @@ type_iface_vtable_base_init_Wm (TypeNode
> + IFaceEntry *pentry = type_lookup_iface_entry_L (pnode, iface);
> +
> + if (pentry)
> +- vtable = g_memdup (pentry->vtable, iface->data-
> >iface.vtable_size);
> ++ vtable = g_memdup2 (pentry->vtable, iface->data-
> >iface.vtable_size);
> + }
> + if (!vtable)
> +- vtable = g_memdup (iface->data->iface.dflt_vtable, iface->data-
> >iface.vtable_size);
> ++ vtable = g_memdup2 (iface->data->iface.dflt_vtable, iface->data-
> >iface.vtable_size);
> + entry->vtable = vtable;
> + vtable->g_type = NODE_TYPE (iface);
> + vtable->g_instance_type = NODE_TYPE (node);
> +--- a/gobject/gtypemodule.c
> ++++ b/gobject/gtypemodule.c
> +@@ -19,6 +19,7 @@
> +
> + #include <stdlib.h>
> +
> ++#include "gstrfuncsprivate.h"
> + #include "gtypeplugin.h"
> + #include "gtypemodule.h"
> +
> +@@ -436,7 +437,7 @@ g_type_module_register_type (GTypeModule
> + module_type_info->loaded = TRUE;
> + module_type_info->info = *type_info;
> + if (type_info->value_table)
> +- module_type_info->info.value_table = g_memdup (type_info-
> >value_table,
> ++ module_type_info->info.value_table = g_memdup2 (type_info-
> >value_table,
> + sizeof
> (GTypeValueTable));
> +
> + return module_type_info->type;
> +--- a/gobject/tests/param.c
> ++++ b/gobject/tests/param.c
> +@@ -2,6 +2,8 @@
> + #include <glib-object.h>
> + #include <stdlib.h>
> +
> ++#include "gstrfuncsprivate.h"
> ++
> + static void
> + test_param_value (void)
> + {
> +@@ -874,7 +876,7 @@ main (int argc, char *argv[])
> + test_path = g_strdup_printf
> ("/param/implement/subprocess/%d-%d-%d-%d",
> + data.change_this_flag,
> data.change_this_type,
> + data.use_this_flag,
> data.use_this_type);
> +- test_data = g_memdup (&data, sizeof
> (TestParamImplementData));
> ++ test_data = g_memdup2 (&data, sizeof
> (TestParamImplementData));
> + g_test_add_data_func_full (test_path, test_data,
> test_param_implement_child, g_free);
> + g_free (test_path);
> + }
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 04.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch
> new file mode 100644
> index 0000000000..b6d441dba7
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch
> @@ -0,0 +1,297 @@
> +Backport of:
> +
> +From 0736b7c1e7cf4232c5d7eb2b0fbfe9be81bd3baa Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Thu, 4 Feb 2021 13:41:21 +0000
> +Subject: [PATCH 04/11] glib: Use g_memdup2() instead of g_memdup() in
> obvious
> + places
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Convert all the call sites which use `g_memdup()`’s length argument
> +trivially (for example, by passing a `sizeof()` or an existing `gsize`
> +variable), so that they use `g_memdup2()` instead.
> +
> +In almost all of these cases the use of `g_memdup()` would not have
> +caused problems, but it will soon be deprecated, so best port away
> from
> +it
> +
> +In particular, this fixes an overflow within `g_bytes_new()`,
> identified
> +as GHSL-2021-045 by GHSL team member Kevin Backhouse.
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +Fixes: GHSL-2021-045
> +Helps: #2319
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-27219
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + glib/gbytes.c | 6 ++++--
> + glib/gdir.c | 3 ++-
> + glib/ghash.c | 7 ++++---
> + glib/giochannel.c | 5 +++--
> + glib/gslice.c | 3 ++-
> + glib/gtestutils.c | 3 ++-
> + glib/gvariant.c | 7 ++++---
> + glib/gvarianttype.c | 3 ++-
> + glib/tests/array-test.c | 4 +++-
> + glib/tests/option-context.c | 6 ++++--
> + glib/tests/uri.c | 8 +++++---
> + 11 files changed, 35 insertions(+), 20 deletions(-)
> +
> +--- a/glib/gbytes.c
> ++++ b/glib/gbytes.c
> +@@ -34,6 +34,8 @@
> +
> + #include <string.h>
> +
> ++#include "gstrfuncsprivate.h"
> ++
> + /**
> + * GBytes:
> + *
> +@@ -95,7 +97,7 @@ g_bytes_new (gconstpointer data,
> + {
> + g_return_val_if_fail (data != NULL || size == 0, NULL);
> +
> +- return g_bytes_new_take (g_memdup (data, size), size);
> ++ return g_bytes_new_take (g_memdup2 (data, size), size);
> + }
> +
> + /**
> +@@ -499,7 +501,7 @@ g_bytes_unref_to_data (GBytes *bytes,
> + * Copy: Non g_malloc (or compatible) allocator, or static
> memory,
> + * so we have to copy, and then unref.
> + */
> +- result = g_memdup (bytes->data, bytes->size);
> ++ result = g_memdup2 (bytes->data, bytes->size);
> + *size = bytes->size;
> + g_bytes_unref (bytes);
> + }
> +--- a/glib/gdir.c
> ++++ b/glib/gdir.c
> +@@ -37,6 +37,7 @@
> + #include "gconvert.h"
> + #include "gfileutils.h"
> + #include "gstrfuncs.h"
> ++#include "gstrfuncsprivate.h"
> + #include "gtestutils.h"
> + #include "glibintl.h"
> +
> +@@ -112,7 +113,7 @@ g_dir_open_with_errno (const gchar *path
> + return NULL;
> + #endif
> +
> +- return g_memdup (&dir, sizeof dir);
> ++ return g_memdup2 (&dir, sizeof dir);
> + }
> +
> + /**
> +--- a/glib/ghash.c
> ++++ b/glib/ghash.c
> +@@ -34,6 +34,7 @@
> + #include "gmacros.h"
> + #include "glib-private.h"
> + #include "gstrfuncs.h"
> ++#include "gstrfuncsprivate.h"
> + #include "gatomic.h"
> + #include "gtestutils.h"
> + #include "gslice.h"
> +@@ -962,7 +963,7 @@ g_hash_table_ensure_keyval_fits (GHashTa
> + if (hash_table->have_big_keys)
> + {
> + if (key != value)
> +- hash_table->values = g_memdup (hash_table->keys, sizeof
> (gpointer) * hash_table->size);
> ++ hash_table->values = g_memdup2 (hash_table->keys, sizeof
> (gpointer) * hash_table->size);
> + /* Keys and values are both big now, so no need for further
> checks */
> + return;
> + }
> +@@ -970,7 +971,7 @@ g_hash_table_ensure_keyval_fits (GHashTa
> + {
> + if (key != value)
> + {
> +- hash_table->values = g_memdup (hash_table->keys, sizeof
> (guint) * hash_table->size);
> ++ hash_table->values = g_memdup2 (hash_table->keys,
> sizeof (guint) * hash_table->size);
> + is_a_set = FALSE;
> + }
> + }
> +@@ -998,7 +999,7 @@ g_hash_table_ensure_keyval_fits (GHashTa
> +
> + /* Just split if necessary */
> + if (is_a_set && key != value)
> +- hash_table->values = g_memdup (hash_table->keys, sizeof
> (gpointer) * hash_table->size);
> ++ hash_table->values = g_memdup2 (hash_table->keys, sizeof
> (gpointer) * hash_table->size);
> +
> + #endif
> + }
> +--- a/glib/giochannel.c
> ++++ b/glib/giochannel.c
> +@@ -35,7 +35,7 @@
> + #include <errno.h>
> +
> + #include "giochannel.h"
> +-
> ++#include "gstrfuncsprivate.h"
> + #include "gstrfuncs.h"
> + #include "gtestutils.h"
> + #include "glibintl.h"
> +
> +@@ -1673,10 +1674,10 @@ g_io_channel_read_line (GIOChannel *cha
> +
> + /* Copy the read bytes (including any embedded nuls) and nul-
> terminate.
> + * `USE_BUF (channel)->str` is guaranteed to be nul-terminated
> as it’s a
> +- * #GString, so it’s safe to call g_memdup() with +1 length to
> allocate
> ++ * #GString, so it’s safe to call g_memdup2() with +1 length to
> allocate
> + * a nul-terminator. */
> + g_assert (USE_BUF (channel));
> +- line = g_memdup (USE_BUF (channel)->str, got_length + 1);
> ++ line = g_memdup2 (USE_BUF (channel)->str, got_length + 1);
> + line[got_length] = '\0';
> + *str_return = g_steal_pointer (&line);
> + g_string_erase (USE_BUF (channel), 0, got_length);
> +--- a/glib/gslice.c
> ++++ b/glib/gslice.c
> +@@ -41,6 +41,7 @@
> + #include "gmain.h"
> + #include "gmem.h" /* gslice.h */
> + #include "gstrfuncs.h"
> ++#include "gstrfuncsprivate.h"
> + #include "gutils.h"
> + #include "gtrashstack.h"
> + #include "gtestutils.h"
> +@@ -350,7 +351,7 @@ g_slice_get_config_state (GSliceConfig c
> + array[i++] = allocator->contention_counters[address];
> + array[i++] = allocator_get_magazine_threshold (allocator,
> address);
> + *n_values = i;
> +- return g_memdup (array, sizeof (array[0]) * *n_values);
> ++ return g_memdup2 (array, sizeof (array[0]) * *n_values);
> + default:
> + return NULL;
> + }
> +--- a/glib/gtestutils.c
> ++++ b/glib/gtestutils.c
> +@@ -49,6 +49,7 @@
> + #include "gpattern.h"
> + #include "grand.h"
> + #include "gstrfuncs.h"
> ++#include "gstrfuncsprivate.h"
> + #include "gtimer.h"
> + #include "gslice.h"
> + #include "gspawn.h"
> +@@ -3803,7 +3804,7 @@ g_test_log_extract (GTestLogBuffer *tbuf
> + if (p <= tbuffer->data->str + mlength)
> + {
> + g_string_erase (tbuffer->data, 0, mlength);
> +- tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup
> (&msg, sizeof (msg)));
> ++ tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup2
> (&msg, sizeof (msg)));
> + return TRUE;
> + }
> +
> +--- a/glib/gvariant.c
> ++++ b/glib/gvariant.c
> +@@ -33,6 +33,7 @@
> +
> + #include <string.h>
> +
> ++#include "gstrfuncsprivate.h"
> +
> + /**
> + * SECTION:gvariant
> +@@ -725,7 +726,7 @@ g_variant_new_variant (GVariant *value)
> + g_variant_ref_sink (value);
> +
> + return g_variant_new_from_children (G_VARIANT_TYPE_VARIANT,
> +- g_memdup (&value, sizeof
> value),
> ++ g_memdup2 (&value, sizeof
> value),
> + 1, g_variant_is_trusted
> (value));
> + }
> +
> +@@ -1229,7 +1230,7 @@ g_variant_new_fixed_array (const GVarian
> + return NULL;
> + }
> +
> +- data = g_memdup (elements, n_elements * element_size);
> ++ data = g_memdup2 (elements, n_elements * element_size);
> + value = g_variant_new_from_data (array_type, data,
> + n_elements * element_size,
> + FALSE, g_free, data);
> +@@ -1908,7 +1909,7 @@ g_variant_dup_bytestring (GVariant *valu
> + if (length)
> + *length = size;
> +
> +- return g_memdup (original, size + 1);
> ++ return g_memdup2 (original, size + 1);
> + }
> +
> + /**
> +--- a/glib/gvarianttype.c
> ++++ b/glib/gvarianttype.c
> +@@ -28,6 +28,7 @@
> +
> + #include <string.h>
> +
> ++#include "gstrfuncsprivate.h"
> +
> + /**
> + * SECTION:gvarianttype
> +@@ -1181,7 +1182,7 @@ g_variant_type_new_tuple (const GVariant
> + g_assert (offset < sizeof buffer);
> + buffer[offset++] = ')';
> +
> +- return (GVariantType *) g_memdup (buffer, offset);
> ++ return (GVariantType *) g_memdup2 (buffer, offset);
> + }
> +
> + /**
> +--- a/glib/tests/array-test.c
> ++++ b/glib/tests/array-test.c
> +@@ -29,6 +29,8 @@
> + #include <string.h>
> + #include "glib.h"
> +
> ++#include "gstrfuncsprivate.h"
> ++
> + /* Test data to be passed to any function which calls g_array_new(),
> providing
> + * the parameters for that call. Most #GArray tests should be
> repeated for all
> + * possible values of #ArrayTestData. */
> +@@ -1917,7 +1919,7 @@ byte_array_new_take (void)
> + GByteArray *gbarray;
> + guint8 *data;
> +
> +- data = g_memdup ("woooweeewow", 11);
> ++ data = g_memdup2 ("woooweeewow", 11);
> + gbarray = g_byte_array_new_take (data, 11);
> + g_assert (gbarray->data == data);
> + g_assert_cmpuint (gbarray->len, ==, 11);
> +--- a/glib/tests/option-context.c
> ++++ b/glib/tests/option-context.c
> +@@ -27,6 +27,8 @@
> + #include <string.h>
> + #include <locale.h>
> +
> ++#include "gstrfuncsprivate.h"
> ++
> + static GOptionEntry main_entries[] = {
> + { "main-switch", 0, 0,
> + G_OPTION_ARG_NONE, NULL,
> +@@ -256,7 +258,7 @@ join_stringv (int argc, char **argv)
> + static char **
> + copy_stringv (char **argv, int argc)
> + {
> +- return g_memdup (argv, sizeof (char *) * (argc + 1));
> ++ return g_memdup2 (argv, sizeof (char *) * (argc + 1));
> + }
> +
> + static void
> +@@ -2323,7 +2325,7 @@ test_group_parse (void)
> + g_option_context_add_group (context, group);
> +
> + argv = split_string ("program --test arg1 -f arg2 --group-test arg3
> --frob arg4 -z arg5", &argc);
> +- orig_argv = g_memdup (argv, (argc + 1) * sizeof (char *));
> ++ orig_argv = g_memdup2 (argv, (argc + 1) * sizeof (char *));
> +
> + retval = g_option_context_parse (context, &argc, &argv, &error);
> +
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 05.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch
> new file mode 100644
> index 0000000000..4cd678703f
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch
> @@ -0,0 +1,53 @@
> +From 0cbad673215ec8a049b7fe2ff44b0beed31b376e Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Thu, 4 Feb 2021 16:12:24 +0000
> +Subject: [PATCH 05/11] gwinhttpfile: Avoid arithmetic overflow when
> + calculating a size
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +The members of `URL_COMPONENTS` (`winhttp_file->url`) are `DWORD`s,
> i.e.
> +32-bit unsigned integers. Adding to and multiplying them may cause
> them
> +to overflow the unsigned integer bounds, even if the result is passed
> to
> +`g_memdup2()` which accepts a `gsize`.
> +
> +Cast the `URL_COMPONENTS` members to `gsize` first to ensure that the
> +arithmetic is done in terms of `gsize`s rather than unsigned integers.
> +
> +Spotted by Sebastian Dröge.
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +Helps: #2319
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-27219
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + gio/win32/gwinhttpfile.c | 8 ++++----
> + 1 file changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c
> +index 3f8fbd838..e0340e247 100644
> +--- a/gio/win32/gwinhttpfile.c
> ++++ b/gio/win32/gwinhttpfile.c
> +@@ -410,10 +410,10 @@ g_winhttp_file_resolve_relative_path (GFile
> *file,
> + child = g_object_new (G_TYPE_WINHTTP_FILE, NULL);
> + child->vfs = winhttp_file->vfs;
> + child->url = winhttp_file->url;
> +- child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme,
> (winhttp_file->url.dwSchemeLength+1)*2);
> +- child->url.lpszHostName = g_memdup2 (winhttp_file-
> >url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2);
> +- child->url.lpszUserName = g_memdup2 (winhttp_file-
> >url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2);
> +- child->url.lpszPassword = g_memdup2 (winhttp_file-
> >url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2);
> ++ child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme,
> ((gsize) winhttp_file->url.dwSchemeLength + 1) * 2);
> ++ child->url.lpszHostName = g_memdup2 (winhttp_file-
> >url.lpszHostName, ((gsize) winhttp_file->url.dwHostNameLength + 1) *
> 2);
> ++ child->url.lpszUserName = g_memdup2 (winhttp_file-
> >url.lpszUserName, ((gsize) winhttp_file->url.dwUserNameLength + 1) *
> 2);
> ++ child->url.lpszPassword = g_memdup2 (winhttp_file-
> >url.lpszPassword, ((gsize) winhttp_file->url.dwPasswordLength + 1) *
> 2);
> + child->url.lpszUrlPath = wnew_path;
> + child->url.dwUrlPathLength = wcslen (wnew_path);
> + child->url.lpszExtraInfo = NULL;
> +--
> +GitLab
> +
> +
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 06.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-06.patch
> new file mode 100644
> index 0000000000..e03681d21c
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-06.patch
> @@ -0,0 +1,100 @@
> +From f9ee2275cbc312c0b4cdbc338a4fbb76eb36fb9a Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Thu, 4 Feb 2021 13:49:00 +0000
> +Subject: [PATCH 06/11] gdatainputstream: Handle stop_chars_len
> internally as
> + gsize
> +
> +Previously it was handled as a `gssize`, which meant that if the
> +`stop_chars` string was longer than `G_MAXSSIZE` there would be an
> +overflow.
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +Helps: #2319
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-27219
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + gio/gdatainputstream.c | 25 +++++++++++++++++--------
> + 1 file changed, 17 insertions(+), 8 deletions(-)
> +
> +diff --git a/gio/gdatainputstream.c b/gio/gdatainputstream.c
> +index 2e7750cb5..2cdcbda19 100644
> +--- a/gio/gdatainputstream.c
> ++++ b/gio/gdatainputstream.c
> +@@ -27,6 +27,7 @@
> + #include "gioenumtypes.h"
> + #include "gioerror.h"
> + #include "glibintl.h"
> ++#include "gstrfuncsprivate.h"
> +
> + #include <string.h>
> +
> +@@ -856,7 +857,7 @@ static gssize
> + scan_for_chars (GDataInputStream *stream,
> + gsize *checked_out,
> + const char *stop_chars,
> +- gssize stop_chars_len)
> ++ gsize stop_chars_len)
> + {
> + GBufferedInputStream *bstream;
> + const char *buffer;
> +@@ -952,7 +953,7 @@ typedef struct
> + gsize checked;
> +
> + gchar *stop_chars;
> +- gssize stop_chars_len;
> ++ gsize stop_chars_len;
> + gsize length;
> + } GDataInputStreamReadData;
> +
> +@@ -1078,12 +1079,17 @@ g_data_input_stream_read_async
> (GDataInputStream *stream,
> + {
> + GDataInputStreamReadData *data;
> + GTask *task;
> ++ gsize stop_chars_len_unsigned;
> +
> + data = g_slice_new0 (GDataInputStreamReadData);
> +- if (stop_chars_len == -1)
> +- stop_chars_len = strlen (stop_chars);
> +- data->stop_chars = g_memdup (stop_chars, stop_chars_len);
> +- data->stop_chars_len = stop_chars_len;
> ++
> ++ if (stop_chars_len < 0)
> ++ stop_chars_len_unsigned = strlen (stop_chars);
> ++ else
> ++ stop_chars_len_unsigned = (gsize) stop_chars_len;
> ++
> ++ data->stop_chars = g_memdup2 (stop_chars, stop_chars_len_unsigned);
> ++ data->stop_chars_len = stop_chars_len_unsigned;
> + data->last_saw_cr = FALSE;
> +
> + task = g_task_new (stream, cancellable, callback, user_data);
> +@@ -1338,17 +1344,20 @@ g_data_input_stream_read_upto
> (GDataInputStream *stream,
> + gssize found_pos;
> + gssize res;
> + char *data_until;
> ++ gsize stop_chars_len_unsigned;
> +
> + g_return_val_if_fail (G_IS_DATA_INPUT_STREAM (stream), NULL);
> +
> + if (stop_chars_len < 0)
> +- stop_chars_len = strlen (stop_chars);
> ++ stop_chars_len_unsigned = strlen (stop_chars);
> ++ else
> ++ stop_chars_len_unsigned = (gsize) stop_chars_len;
> +
> + bstream = G_BUFFERED_INPUT_STREAM (stream);
> +
> + checked = 0;
> +
> +- while ((found_pos = scan_for_chars (stream, &checked, stop_chars,
> stop_chars_len)) == -1)
> ++ while ((found_pos = scan_for_chars (stream, &checked, stop_chars,
> stop_chars_len_unsigned)) == -1)
> + {
> + if (g_buffered_input_stream_get_available (bstream) ==
> + g_buffered_input_stream_get_buffer_size (bstream))
> +--
> +GitLab
> +
> +
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 07.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-07.patch
> new file mode 100644
> index 0000000000..b3a32dfbc9
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-07.patch
> @@ -0,0 +1,75 @@
> +From 2aaf593a9eb96d84fe3be740aca2810a97d95592 Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Thu, 4 Feb 2021 13:50:37 +0000
> +Subject: [PATCH 07/11] gwin32: Use gsize internally in g_wcsdup()
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +This allows it to handle strings up to length `G_MAXSIZE` — previously
> +it would overflow with such strings.
> +
> +Update the several copies of it identically.
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +Helps: #2319
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-27219
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + gio/gwin32registrykey.c | 34 ++++++++++++++++++++++++++--------
> + 2 files changed, 38 insertions(+), 16 deletions(-)
> +
> +diff --git a/gio/gwin32registrykey.c b/gio/gwin32registrykey.c
> +index 548a94188..2eb67daf8 100644
> +--- a/gio/gwin32registrykey.c
> ++++ b/gio/gwin32registrykey.c
> +@@ -127,16 +127,34 @@ typedef enum
> + G_WIN32_REGISTRY_UPDATED_PATH = 1,
> + } GWin32RegistryKeyUpdateFlag;
> +
> ++static gsize
> ++g_utf16_len (const gunichar2 *str)
> ++{
> ++ gsize result;
> ++
> ++ for (result = 0; str[0] != 0; str++, result++)
> ++ ;
> ++
> ++ return result;
> ++}
> ++
> + static gunichar2 *
> +-g_wcsdup (const gunichar2 *str,
> +- gssize str_size)
> ++g_wcsdup (const gunichar2 *str, gssize str_len)
> + {
> +- if (str_size == -1)
> +- {
> +- str_size = wcslen (str) + 1;
> +- str_size *= sizeof (gunichar2);
> +- }
> +- return g_memdup (str, str_size);
> ++ gsize str_len_unsigned;
> ++ gsize str_size;
> ++
> ++ g_return_val_if_fail (str != NULL, NULL);
> ++
> ++ if (str_len < 0)
> ++ str_len_unsigned = g_utf16_len (str);
> ++ else
> ++ str_len_unsigned = (gsize) str_len;
> ++
> ++ g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1);
> ++ str_size = (str_len_unsigned + 1) * sizeof (gunichar2);
> ++
> ++ return g_memdup2 (str, str_size);
> + }
> +
> + /**
> +--
> +GitLab
> +
> +
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 08.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch
> new file mode 100644
> index 0000000000..b36e1908c5
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch
> @@ -0,0 +1,100 @@
> +From ba8ca443051f93a74c0d03d62e70402036f967a5 Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Thu, 4 Feb 2021 13:58:32 +0000
> +Subject: [PATCH 08/11] gkeyfilesettingsbackend: Handle long keys when
> + converting paths
> +
> +Previously, the code in `convert_path()` could not handle keys longer
> +than `G_MAXINT`, and would overflow if that was exceeded.
> +
> +Convert the code to use `gsize` and `g_memdup2()` throughout, and
> +change from identifying the position of the final slash in the string
> +using a signed offset `i`, to using a pointer to the character (and
> +`strrchr()`). This allows the slash to be at any position in a
> +`G_MAXSIZE`-long string, without sacrificing a bit of the offset for
> +indicating whether a slash was found.
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +Helps: #2319
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-27219
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + gio/gkeyfilesettingsbackend.c | 21 ++++++++++-----------
> + 1 file changed, 10 insertions(+), 11 deletions(-)
> +
> +diff --git a/gio/gkeyfilesettingsbackend.c
> b/gio/gkeyfilesettingsbackend.c
> +index cd5765afd..25b057672 100644
> +--- a/gio/gkeyfilesettingsbackend.c
> ++++ b/gio/gkeyfilesettingsbackend.c
> +@@ -33,6 +33,7 @@
> + #include "gfilemonitor.h"
> + #include "gsimplepermission.h"
> + #include "gsettingsbackendinternal.h"
> ++#include "gstrfuncsprivate.h"
> + #include "giomodule-priv.h"
> + #include "gportalsupport.h"
> +
> +@@ -145,8 +146,8 @@ convert_path (GKeyfileSettingsBackend *kfsb,
> + gchar **group,
> + gchar **basename)
> + {
> +- gint key_len = strlen (key);
> +- gint i;
> ++ gsize key_len = strlen (key);
> ++ const gchar *last_slash;
> +
> + if (key_len < kfsb->prefix_len ||
> + memcmp (key, kfsb->prefix, kfsb->prefix_len) != 0)
> +@@ -155,38 +156,36 @@ convert_path (GKeyfileSettingsBackend *kfsb,
> + key_len -= kfsb->prefix_len;
> + key += kfsb->prefix_len;
> +
> +- for (i = key_len; i >= 0; i--)
> +- if (key[i] == '/')
> +- break;
> ++ last_slash = strrchr (key, '/');
> +
> + if (kfsb->root_group)
> + {
> + /* if a root_group was specified, make sure the user hasn't
> given
> + * a path that ghosts that group name
> + */
> +- if (i == kfsb->root_group_len && memcmp (key, kfsb->root_group,
> i) == 0)
> ++ if (last_slash != NULL && (last_slash - key) == kfsb-
> >root_group_len && memcmp (key, kfsb->root_group, last_slash - key) ==
> 0)
> + return FALSE;
> + }
> + else
> + {
> + /* if no root_group was given, ensure that the user gave a path
> */
> +- if (i == -1)
> ++ if (last_slash == NULL)
> + return FALSE;
> + }
> +
> + if (group)
> + {
> +- if (i >= 0)
> ++ if (last_slash != NULL)
> + {
> +- *group = g_memdup (key, i + 1);
> +- (*group)[i] = '\0';
> ++ *group = g_memdup2 (key, (last_slash - key) + 1);
> ++ (*group)[(last_slash - key)] = '\0';
> + }
> + else
> + *group = g_strdup (kfsb->root_group);
> + }
> +
> + if (basename)
> +- *basename = g_memdup (key + i + 1, key_len - i);
> ++ *basename = g_memdup2 (last_slash + 1, key_len - (last_slash -
> key));
> +
> + return TRUE;
> + }
> +--
> +GitLab
> +
> +
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 09.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-09.patch
> new file mode 100644
> index 0000000000..aa94397e4c
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-09.patch
> @@ -0,0 +1,99 @@
> +From 65ec7f4d6e8832c481f6e00e2eb007b9a60024ce Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Thu, 4 Feb 2021 14:00:53 +0000
> +Subject: [PATCH 09/11] =?UTF-
> 8?q?gsocket:=20Use=20gsize=20to=20track=20nat?=
> + =?UTF-8?q?ive=20sockaddr=E2=80=99s=20size?=
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Don’t use an `int`, that’s potentially too small. In practical terms,
> +this is not a problem, since no socket address is going to be that
> big.
> +
> +By making these changes we can use `g_memdup2()` without warnings,
> +though. Fewer warnings is good.
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +Helps: #2319
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-27219
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + gio/gsocket.c | 16 ++++++++++------
> + 1 file changed, 10 insertions(+), 6 deletions(-)
> +
> +--- a/gio/gsocket.c
> ++++ b/gio/gsocket.c
> +@@ -75,6 +75,7 @@
> + #include "gcredentialsprivate.h"
> + #include "glibintl.h"
> + #include "gioprivate.h"
> ++#include "gstrfuncsprivate.h"
> +
> + #ifdef G_OS_WIN32
> + /* For Windows XP runtime compatibility, but use the system's
> if_nametoindex() if available */
> +@@ -174,7 +175,7 @@ static gboolean g_socket_datagram_ba
> +
> GError **error);
> +
> + static GSocketAddress *
> +-cache_recv_address (GSocket *socket, struct sockaddr *native, int
> native_len);
> ++cache_recv_address (GSocket *socket, struct sockaddr *native, size_t
> native_len);
> +
> + static gssize
> + g_socket_receive_message_with_timeout (GSocket
> *socket,
> +@@ -260,7 +261,7 @@ struct _GSocketPrivate
> + struct {
> + GSocketAddress *addr;
> + struct sockaddr *native;
> +- gint native_len;
> ++ gsize native_len;
> + guint64 last_used;
> + } recv_addr_cache[RECV_ADDR_CACHE_SIZE];
> + };
> +@@ -5259,14 +5260,14 @@ g_socket_send_messages_with_timeout (GSo
> + }
> +
> + static GSocketAddress *
> +-cache_recv_address (GSocket *socket, struct sockaddr *native, int
> native_len)
> ++cache_recv_address (GSocket *socket, struct sockaddr *native, size_t
> native_len)
> + {
> + GSocketAddress *saddr;
> + gint i;
> + guint64 oldest_time = G_MAXUINT64;
> + gint oldest_index = 0;
> +
> +- if (native_len <= 0)
> ++ if (native_len == 0)
> + return NULL;
> +
> + saddr = NULL;
> +@@ -5274,7 +5275,7 @@ cache_recv_address (GSocket *socket, str
> + {
> + GSocketAddress *tmp = socket->priv->recv_addr_cache[i].addr;
> + gpointer tmp_native = socket->priv->recv_addr_cache[i].native;
> +- gint tmp_native_len = socket->priv-
> >recv_addr_cache[i].native_len;
> ++ gsize tmp_native_len = socket->priv-
> >recv_addr_cache[i].native_len;
> +
> + if (!tmp)
> + continue;
> +@@ -5304,7 +5305,7 @@ cache_recv_address (GSocket *socket, str
> + g_free (socket->priv->recv_addr_cache[oldest_index].native);
> + }
> +
> +- socket->priv->recv_addr_cache[oldest_index].native = g_memdup
> (native, native_len);
> ++ socket->priv->recv_addr_cache[oldest_index].native = g_memdup2
> (native, native_len);
> + socket->priv->recv_addr_cache[oldest_index].native_len =
> native_len;
> + socket->priv->recv_addr_cache[oldest_index].addr = g_object_ref
> (saddr);
> + socket->priv->recv_addr_cache[oldest_index].last_used =
> g_get_monotonic_time ();
> +@@ -5452,6 +5453,9 @@ g_socket_receive_message_with_timeout (G
> + /* do it */
> + while (1)
> + {
> ++ /* addrlen has to be of type int because that’s how
> WSARecvFrom() is defined */
> ++ G_STATIC_ASSERT (sizeof addr <= G_MAXINT);
> ++
> + addrlen = sizeof addr;
> + if (address)
> + result = WSARecvFrom (socket->priv->fd,
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 10.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-10.patch
> new file mode 100644
> index 0000000000..ff503a6ffb
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-10.patch
> @@ -0,0 +1,58 @@
> +From 777b95a88f006d39d9fe6d3321db17e7b0d4b9a4 Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Thu, 4 Feb 2021 14:07:39 +0000
> +Subject: [PATCH 10/11] gtlspassword: Forbid very long TLS passwords
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +The public API `g_tls_password_set_value_full()` (and the vfunc it
> +invokes) can only accept a `gssize` length. Ensure that nul-terminated
> +strings passed to `g_tls_password_set_value()` can’t exceed that
> length.
> +Use `g_memdup2()` to avoid an overflow if they’re longer than
> +`G_MAXUINT` similarly.
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +Helps: #2319
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-27219
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + gio/gtlspassword.c | 10 ++++++++--
> + 1 file changed, 8 insertions(+), 2 deletions(-)
> +
> +diff --git a/gio/gtlspassword.c b/gio/gtlspassword.c
> +index 1e437a7b6..dbcec41a8 100644
> +--- a/gio/gtlspassword.c
> ++++ b/gio/gtlspassword.c
> +@@ -23,6 +23,7 @@
> + #include "glibintl.h"
> +
> + #include "gioenumtypes.h"
> ++#include "gstrfuncsprivate.h"
> + #include "gtlspassword.h"
> +
> + #include <string.h>
> +@@ -287,9 +288,14 @@ g_tls_password_set_value (GTlsPassword
> *password,
> + g_return_if_fail (G_IS_TLS_PASSWORD (password));
> +
> + if (length < 0)
> +- length = strlen ((gchar *)value);
> ++ {
> ++ /* FIXME: g_tls_password_set_value_full() doesn’t support
> unsigned gsize */
> ++ gsize length_unsigned = strlen ((gchar *) value);
> ++ g_return_if_fail (length_unsigned > G_MAXSSIZE);
> ++ length = (gssize) length_unsigned;
> ++ }
> +
> +- g_tls_password_set_value_full (password, g_memdup (value, length),
> length, g_free);
> ++ g_tls_password_set_value_full (password, g_memdup2 (value, (gsize)
> length), length, g_free);
> + }
> +
> + /**
> +--
> +GitLab
> +
> +
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-
> 11.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-11.patch
> new file mode 100644
> index 0000000000..c2c761d648
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-11.patch
> @@ -0,0 +1,62 @@
> +From ecdf91400e9a538695a0895b95ad7e8abcdf1749 Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Thu, 4 Feb 2021 14:09:40 +0000
> +Subject: [PATCH 11/11] giochannel: Forbid very long line terminator
> strings
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +The public API `GIOChannel.line_term_len` is only a `guint`. Ensure
> that
> +nul-terminated strings passed to `g_io_channel_set_line_term()` can’t
> +exceed that length. Use `g_memdup2()` to avoid a warning (`g_memdup()`
> +is due to be deprecated), but not to avoid a bug, since it’s also
> +limited to `G_MAXUINT`.
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +Helps: #2319
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-27219
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + glib/giochannel.c | 17 +++++++++++++----
> + 1 file changed, 13 insertions(+), 4 deletions(-)
> +
> +diff --git a/glib/giochannel.c b/glib/giochannel.c
> +index c6a89d6e0..4dec20f77 100644
> +--- a/glib/giochannel.c
> ++++ b/glib/giochannel.c
> +@@ -887,16 +887,25 @@ g_io_channel_set_line_term
> (GIOChannel *channel,
> + const gchar *line_term,
> + gint length)
> + {
> ++ guint length_unsigned;
> ++
> + g_return_if_fail (channel != NULL);
> + g_return_if_fail (line_term == NULL || length != 0); /* Disallow ""
> */
> +
> + if (line_term == NULL)
> +- length = 0;
> +- else if (length < 0)
> +- length = strlen (line_term);
> ++ length_unsigned = 0;
> ++ else if (length >= 0)
> ++ length_unsigned = (guint) length;
> ++ else
> ++ {
> ++ /* FIXME: We’re constrained by line_term_len being a guint here
> */
> ++ gsize length_size = strlen (line_term);
> ++ g_return_if_fail (length_size > G_MAXUINT);
> ++ length_unsigned = (guint) length_size;
> ++ }
> +
> + g_free (channel->line_term);
> +- channel->line_term = line_term ? g_memdup (line_term, length) :
> NULL;
> ++ channel->line_term = line_term ? g_memdup2 (line_term,
> length_unsigned) : NULL;
> + channel->line_term_len = length;
> + }
> +
> +--
> +GitLab
> +
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-1.patch
> b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-1.patch
> new file mode 100644
> index 0000000000..eac6cbf630
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-1.patch
> @@ -0,0 +1,26 @@
> +From 78420a75aeb70569a8cd79fa0fea7b786b6f785f Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Wed, 24 Feb 2021 17:33:38 +0000
> +Subject: [PATCH 1/5] glocalfileoutputstream: Fix a typo in a comment
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-28153
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + gio/glocalfileoutputstream.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +--- a/gio/glocalfileoutputstream.c
> ++++ b/gio/glocalfileoutputstream.c
> +@@ -851,7 +851,7 @@ handle_overwrite_open (const char *fi
> + mode = mode_from_flags_or_info (flags, reference_info);
> +
> + /* We only need read access to the original file if we are creating
> a backup.
> +- * We also add O_CREATE to avoid a race if the file was just
> removed */
> ++ * We also add O_CREAT to avoid a race if the file was just removed
> */
> + if (create_backup || readable)
> + open_flags = O_RDWR | O_CREAT | O_BINARY;
> + else
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-2.patch
> b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-2.patch
> new file mode 100644
> index 0000000000..9d0ab7b656
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-2.patch
> @@ -0,0 +1,41 @@
> +From 32d3d02a50e7dcec5f4cf7908e7ac88d575d8fc5 Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Wed, 24 Feb 2021 17:34:32 +0000
> +Subject: [PATCH 2/5] tests: Stop using g_test_bug_base() in file tests
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Since a following commit is going to add a new test which references
> +Gitlab, so it’s best to move the URI bases inside the test cases.
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-28153
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + gio/tests/file.c | 4 +---
> + 1 file changed, 1 insertion(+), 3 deletions(-)
> +
> +--- a/gio/tests/file.c
> ++++ b/gio/tests/file.c
> +@@ -685,7 +685,7 @@ test_replace_cancel (void)
> + guint count;
> + GError *error = NULL;
> +
> +- g_test_bug ("629301");
> ++ g_test_bug ("https://bugzilla.gnome.org/629301");
> +
> + path = g_dir_make_tmp ("g_file_replace_cancel_XXXXXX", &error);
> + g_assert_no_error (error);
> +@@ -1784,8 +1784,6 @@ main (int argc, char *argv[])
> + {
> + g_test_init (&argc, &argv, NULL);
> +
> +- g_test_bug_base ("http://bugzilla.gnome.org/");
> +-
> + g_test_add_func ("/file/basic", test_basic);
> + g_test_add_func ("/file/build-filename", test_build_filename);
> + g_test_add_func ("/file/parent", test_parent);
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-3.patch
> b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-3.patch
> new file mode 100644
> index 0000000000..bdd5a27ad2
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-3.patch
> @@ -0,0 +1,56 @@
> +Backport of:
> +
> +From ce0eb088a68171eed3ac217cb92a72e36eb57d1b Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Wed, 10 Mar 2021 16:05:55 +0000
> +Subject: [PATCH 3/5] glocalfileoutputstream: Factor out a flag check
> +
> +This clarifies the code a little. It introduces no functional changes.
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-28153
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + gio/glocalfileoutputstream.c | 7 ++++---
> + 1 file changed, 4 insertions(+), 3 deletions(-)
> +
> +--- a/gio/glocalfileoutputstream.c
> ++++ b/gio/glocalfileoutputstream.c
> +@@ -847,6 +847,7 @@ handle_overwrite_open (const char *fi
> + int res;
> + int mode;
> + int errsv;
> ++ gboolean replace_destination_set = (flags &
> G_FILE_CREATE_REPLACE_DESTINATION);
> +
> + mode = mode_from_flags_or_info (flags, reference_info);
> +
> +@@ -954,7 +955,7 @@ handle_overwrite_open (const char *fi
> + * to a backup file and rewrite the contents of the file.
> + */
> +
> +- if ((flags & G_FILE_CREATE_REPLACE_DESTINATION) ||
> ++ if (replace_destination_set ||
> + (!(original_stat.st_nlink > 1) && !is_symlink))
> + {
> + char *dirname, *tmp_filename;
> +@@ -973,7 +974,7 @@ handle_overwrite_open (const char *fi
> +
> + /* try to keep permissions (unless replacing) */
> +
> +- if ( ! (flags & G_FILE_CREATE_REPLACE_DESTINATION) &&
> ++ if (!replace_destination_set &&
> + (
> + #ifdef HAVE_FCHOWN
> + fchown (tmpfd, original_stat.st_uid, original_stat.st_gid)
> == -1 ||
> +@@ -1112,7 +1113,7 @@ handle_overwrite_open (const char *fi
> + }
> + }
> +
> +- if (flags & G_FILE_CREATE_REPLACE_DESTINATION)
> ++ if (replace_destination_set)
> + {
> + g_close (fd, NULL);
> +
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-4.patch
> b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-4.patch
> new file mode 100644
> index 0000000000..fbcb2bc546
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-4.patch
> @@ -0,0 +1,264 @@
> +Backport of:
> +
> +From 317b3b587058a05dca95d56dac26568c5b098d33 Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Wed, 24 Feb 2021 17:36:07 +0000
> +Subject: [PATCH 4/5] glocalfileoutputstream: Fix
> CREATE_REPLACE_DESTINATION
> + with symlinks
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +The `G_FILE_CREATE_REPLACE_DESTINATION` flag is equivalent to
> unlinking
> +the destination file and re-creating it from scratch. That did
> +previously work, but in the process the code would call
> `open(O_CREAT)`
> +on the file. If the file was a dangling symlink, this would create the
> +destination file (empty). That’s not an intended side-effect, and has
> +security implications if the symlink is controlled by a lower-
> privileged
> +process.
> +
> +Fix that by not opening the destination file if it’s a symlink, and
> +adjusting the rest of the code to cope with
> + - the fact that `fd == -1` is not an error iff `is_symlink` is true,
> + - and that `original_stat` will contain the `lstat()` results for the
> + symlink now, rather than the `stat()` results for its target
> (again,
> + iff `is_symlink` is true).
> +
> +This means that the target of the dangling symlink is no longer
> created,
> +which was the bug. The symlink itself continues to be replaced (as
> +before) with the new file — this is the intended behaviour of
> +`g_file_replace()`.
> +
> +The behaviour for non-symlink cases, or cases where the symlink was
> not
> +dangling, should be unchanged.
> +
> +Includes a unit test.
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +
> +Fixes: #2325
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-28153
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + gio/glocalfileoutputstream.c | 77 ++++++++++++++++++-------
> + gio/tests/file.c | 108
> +++++++++++++++++++++++++++++++++++
> + 2 files changed, 163 insertions(+), 22 deletions(-)
> +
> +--- a/gio/glocalfileoutputstream.c
> ++++ b/gio/glocalfileoutputstream.c
> +@@ -875,16 +875,22 @@ handle_overwrite_open (const char *fi
> + /* Could be a symlink, or it could be a regular ELOOP error,
> + * but then the next open will fail too. */
> + is_symlink = TRUE;
> +- fd = g_open (filename, open_flags, mode);
> ++ if (!replace_destination_set)
> ++ fd = g_open (filename, open_flags, mode);
> + }
> +-#else
> +- fd = g_open (filename, open_flags, mode);
> +- errsv = errno;
> ++#else /* if !O_NOFOLLOW */
> + /* This is racy, but we do it as soon as possible to minimize the
> race */
> + is_symlink = g_file_test (filename, G_FILE_TEST_IS_SYMLINK);
> ++
> ++ if (!is_symlink || !replace_destination_set)
> ++ {
> ++ fd = g_open (filename, open_flags, mode);
> ++ errsv = errno;
> ++ }
> + #endif
> +
> +- if (fd == -1)
> ++ if (fd == -1 &&
> ++ (!is_symlink || !replace_destination_set))
> + {
> + char *display_name = g_filename_display_name (filename);
> + g_set_error (error, G_IO_ERROR,
> +@@ -898,7 +904,14 @@ handle_overwrite_open (const char *fi
> + #ifdef G_OS_WIN32
> + res = GLIB_PRIVATE_CALL (g_win32_fstat) (fd, &original_stat);
> + #else
> +- res = fstat (fd, &original_stat);
> ++ if (!is_symlink)
> ++ {
> ++ res = fstat (fd, &original_stat);
> ++ }
> ++ else
> ++ {
> ++ res = lstat (filename, &original_stat);
> ++ }
> + #endif
> + errsv = errno;
> +
> +@@ -917,16 +930,27 @@ handle_overwrite_open (const char *fi
> + if (!S_ISREG (original_stat.st_mode))
> + {
> + if (S_ISDIR (original_stat.st_mode))
> +- g_set_error_literal (error,
> +- G_IO_ERROR,
> +- G_IO_ERROR_IS_DIRECTORY,
> +- _("Target file is a directory"));
> +- else
> +- g_set_error_literal (error,
> ++ {
> ++ g_set_error_literal (error,
> ++ G_IO_ERROR,
> ++ G_IO_ERROR_IS_DIRECTORY,
> ++ _("Target file is a directory"));
> ++ goto err_out;
> ++ }
> ++ else if (!is_symlink ||
> ++#ifdef S_ISLNK
> ++ !S_ISLNK (original_stat.st_mode)
> ++#else
> ++ FALSE
> ++#endif
> ++ )
> ++ {
> ++ g_set_error_literal (error,
> + G_IO_ERROR,
> + G_IO_ERROR_NOT_REGULAR_FILE,
> + _("Target file is not a regular file"));
> +- goto err_out;
> ++ goto err_out;
> ++ }
> + }
> +
> + if (etag != NULL)
> +@@ -1007,7 +1031,8 @@ handle_overwrite_open (const char *fi
> + }
> + }
> +
> +- g_close (fd, NULL);
> ++ if (fd >= 0)
> ++ g_close (fd, NULL);
> + *temp_filename = tmp_filename;
> + return tmpfd;
> + }
> +--- a/gio/tests/file.c
> ++++ b/gio/tests/file.c
> +@@ -805,6 +805,113 @@ test_replace_cancel (void)
> + }
> +
> + static void
> ++test_replace_symlink (void)
> ++{
> ++#ifdef G_OS_UNIX
> ++ gchar *tmpdir_path = NULL;
> ++ GFile *tmpdir = NULL, *source_file = NULL, *target_file = NULL;
> ++ GFileOutputStream *stream = NULL;
> ++ const gchar *new_contents = "this is a test message which should be
> written to source and not target";
> ++ gsize n_written;
> ++ GFileEnumerator *enumerator = NULL;
> ++ GFileInfo *info = NULL;
> ++ gchar *contents = NULL;
> ++ gsize length = 0;
> ++ GError *local_error = NULL;
> ++
> ++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/2325");
> ++ g_test_summary ("Test that G_FILE_CREATE_REPLACE_DESTINATION
> doesn’t follow symlinks");
> ++
> ++ /* Create a fresh, empty working directory. */
> ++ tmpdir_path = g_dir_make_tmp ("g_file_replace_symlink_XXXXXX",
> &local_error);
> ++ g_assert_no_error (local_error);
> ++ tmpdir = g_file_new_for_path (tmpdir_path);
> ++
> ++ g_test_message ("Using temporary directory %s", tmpdir_path);
> ++ g_free (tmpdir_path);
> ++
> ++ /* Create symlink `source` which points to `target`. */
> ++ source_file = g_file_get_child (tmpdir, "source");
> ++ target_file = g_file_get_child (tmpdir, "target");
> ++ g_file_make_symbolic_link (source_file, "target", NULL,
> &local_error);
> ++ g_assert_no_error (local_error);
> ++
> ++ /* Ensure that `target` doesn’t exist */
> ++ g_assert_false (g_file_query_exists (target_file, NULL));
> ++
> ++ /* Replace the `source` symlink with a regular file using
> ++ * %G_FILE_CREATE_REPLACE_DESTINATION, which should replace it
> *without*
> ++ * following the symlink */
> ++ stream = g_file_replace (source_file, NULL, FALSE /* no backup */,
> ++ G_FILE_CREATE_REPLACE_DESTINATION, NULL,
> &local_error);
> ++ g_assert_no_error (local_error);
> ++
> ++ g_output_stream_write_all (G_OUTPUT_STREAM (stream), new_contents,
> strlen (new_contents),
> ++ &n_written, NULL, &local_error);
> ++ g_assert_no_error (local_error);
> ++ g_assert_cmpint (n_written, ==, strlen (new_contents));
> ++
> ++ g_output_stream_close (G_OUTPUT_STREAM (stream), NULL,
> &local_error);
> ++ g_assert_no_error (local_error);
> ++
> ++ g_clear_object (&stream);
> ++
> ++ /* At this point, there should still only be one file: `source`. It
> should
> ++ * now be a regular file. `target` should not exist. */
> ++ enumerator = g_file_enumerate_children (tmpdir,
> ++
> G_FILE_ATTRIBUTE_STANDARD_NAME ","
> ++
> G_FILE_ATTRIBUTE_STANDARD_TYPE,
> ++
> G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, NULL, &local_error);
> ++ g_assert_no_error (local_error);
> ++
> ++ info = g_file_enumerator_next_file (enumerator, NULL,
> &local_error);
> ++ g_assert_no_error (local_error);
> ++ g_assert_nonnull (info);
> ++
> ++ g_assert_cmpstr (g_file_info_get_name (info), ==, "source");
> ++ g_assert_cmpint (g_file_info_get_file_type (info), ==,
> G_FILE_TYPE_REGULAR);
> ++
> ++ g_clear_object (&info);
> ++
> ++ info = g_file_enumerator_next_file (enumerator, NULL,
> &local_error);
> ++ g_assert_no_error (local_error);
> ++ g_assert_null (info);
> ++
> ++ g_file_enumerator_close (enumerator, NULL, &local_error);
> ++ g_assert_no_error (local_error);
> ++ g_clear_object (&enumerator);
> ++
> ++ /* Double-check that `target` doesn’t exist */
> ++ g_assert_false (g_file_query_exists (target_file, NULL));
> ++
> ++ /* Check the content of `source`. */
> ++ g_file_load_contents (source_file,
> ++ NULL,
> ++ &contents,
> ++ &length,
> ++ NULL,
> ++ &local_error);
> ++ g_assert_no_error (local_error);
> ++ g_assert_cmpstr (contents, ==, new_contents);
> ++ g_assert_cmpuint (length, ==, strlen (new_contents));
> ++ g_free (contents);
> ++
> ++ /* Tidy up. */
> ++ g_file_delete (source_file, NULL, &local_error);
> ++ g_assert_no_error (local_error);
> ++
> ++ g_file_delete (tmpdir, NULL, &local_error);
> ++ g_assert_no_error (local_error);
> ++
> ++ g_clear_object (&target_file);
> ++ g_clear_object (&source_file);
> ++ g_clear_object (&tmpdir);
> ++#else /* if !G_OS_UNIX */
> ++ g_test_skip ("Symlink replacement tests can only be run on Unix")
> ++#endif
> ++}
> ++
> ++static void
> + on_file_deleted (GObject *object,
> + GAsyncResult *result,
> + gpointer user_data)
> +@@ -1797,6 +1904,7 @@ main (int argc, char *argv[])
> + g_test_add_data_func ("/file/async-create-delete/4096",
> GINT_TO_POINTER (4096), test_create_delete);
> + g_test_add_func ("/file/replace-load", test_replace_load);
> + g_test_add_func ("/file/replace-cancel", test_replace_cancel);
> ++ g_test_add_func ("/file/replace-symlink", test_replace_symlink);
> + g_test_add_func ("/file/async-delete", test_async_delete);
> + g_test_add_func ("/file/copy-preserve-mode",
> test_copy_preserve_mode);
> + g_test_add_func ("/file/measure", test_measure);
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-5.patch
> b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-5.patch
> new file mode 100644
> index 0000000000..c8d2cdd203
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-5.patch
> @@ -0,0 +1,54 @@
> +From 6c6439261bc7a8a0627519848a7222b3e1bd4ffe Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <pwithnall@endlessos.org>
> +Date: Wed, 24 Feb 2021 17:42:24 +0000
> +Subject: [PATCH 5/5] glocalfileoutputstream: Add a missing O_CLOEXEC
> flag to
> + replace()
> +
> +Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
> +
> +Upstream-Status: Backport
> [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz
> ]
> +CVE: CVE-2021-28153
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + gio/glocalfileoutputstream.c | 15 ++++++++++++---
> + 1 file changed, 12 insertions(+), 3 deletions(-)
> +
> +--- a/gio/glocalfileoutputstream.c
> ++++ b/gio/glocalfileoutputstream.c
> +@@ -58,6 +58,12 @@
> + #define O_BINARY 0
> + #endif
> +
> ++#ifndef O_CLOEXEC
> ++#define O_CLOEXEC 0
> ++#else
> ++#define HAVE_O_CLOEXEC 1
> ++#endif
> ++
> + struct _GLocalFileOutputStreamPrivate {
> + char *tmp_filename;
> + char *original_filename;
> +@@ -1223,7 +1229,7 @@ _g_local_file_output_stream_replace (con
> + sync_on_close = FALSE;
> +
> + /* If the file doesn't exist, create it */
> +- open_flags = O_CREAT | O_EXCL | O_BINARY;
> ++ open_flags = O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC;
> + if (readable)
> + open_flags |= O_RDWR;
> + else
> +@@ -1253,8 +1259,11 @@ _g_local_file_output_stream_replace (con
> + set_error_from_open_errno (filename, error);
> + return NULL;
> + }
> +-
> +-
> ++#if !defined(HAVE_O_CLOEXEC) && defined(F_SETFD)
> ++ else
> ++ fcntl (fd, F_SETFD, FD_CLOEXEC);
> ++#endif
> ++
> + stream = g_object_new (G_TYPE_LOCAL_FILE_OUTPUT_STREAM, NULL);
> + stream->priv->fd = fd;
> + stream->priv->sync_on_close = sync_on_close;
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb
> b/meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb
> index 1a006b9f38..6272155d8c 100644
> --- a/meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb
> +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb
> @@ -18,6 +18,23 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-
> ${PV}.tar.xz \
>
> file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch
> \
> file://tzdata-update.patch \
> file://CVE-2020-35457.patch \
> + file://CVE-2021-27218.patch \
> + file://CVE-2021-27219-01.patch \
> + file://CVE-2021-27219-02.patch \
> + file://CVE-2021-27219-03.patch \
> + file://CVE-2021-27219-04.patch \
> + file://CVE-2021-27219-05.patch \
> + file://CVE-2021-27219-06.patch \
> + file://CVE-2021-27219-07.patch \
> + file://CVE-2021-27219-08.patch \
> + file://CVE-2021-27219-09.patch \
> + file://CVE-2021-27219-10.patch \
> + file://CVE-2021-27219-11.patch \
> + file://CVE-2021-28153-1.patch \
> + file://CVE-2021-28153-2.patch \
> + file://CVE-2021-28153-3.patch \
> + file://CVE-2021-28153-4.patch \
> + file://CVE-2021-28153-5.patch \
> "
>
> SRC_URI_append_class-native = " file://relocate-modules.patch"
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#158928):
> https://lists.openembedded.org/g/openembedded-core/message/158928
> Mute This Topic: https://lists.openembedded.org/mt/87373335/3616702
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe:
> https://lists.openembedded.org/g/openembedded-core/unsub [anuj.mittal@intel.com
> ]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 4+ messages in thread![[-- Attachment #2: Outlook-mwx5qyeh.png --] [-- Type: image/png, Size: 22485 bytes --]](../../PNZPR01MB527806B3C6ED06ECDC5DD27B8F679@PNZPR01MB5278.INDPRD01.PROD.OUTLOOK.COM/2-Outlook-mwx5qyeh.png){kind=link}