* [OE-core][kirkstone][PATCH v2] glib-2.0: patch CVE-2026-0988
@ 2026-02-20 16:20 Peter Marko
0 siblings, 0 replies; only message in thread
From: Peter Marko @ 2026-02-20 16:20 UTC (permalink / raw)
To: openembedded-core; +Cc: Peter Marko
From: Peter Marko <peter.marko@siemens.com>
Pick relevant commit from [2] linked from [1].
[1] https://gitlab.gnome.org/GNOME/glib/-/issues/3851
[2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4944
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
v2: rebase above additional patches merged meanwhile
.../glib-2.0/glib-2.0/CVE-2026-0988.patch | 58 +++++++++++++++++++
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 1 +
2 files changed, 59 insertions(+)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch
new file mode 100644
index 00000000000..1cdc3735edf
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch
@@ -0,0 +1,58 @@
+From c5766cff61ffce0b8e787eae09908ac348338e5f Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 18 Dec 2025 23:12:18 +0000
+Subject: [PATCH] gbufferedinputstream: Fix a potential integer overflow in
+ peek()
+
+If the caller provides `offset` and `count` arguments which overflow,
+their sum will overflow and could lead to `memcpy()` reading out more
+memory than expected.
+
+Spotted by Codean Labs.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+Fixes: #3851
+
+CVE: CVE-2026-0988
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/c5766cff61ffce0b8e787eae09908ac348338e5f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gio/gbufferedinputstream.c | 2 +-
+ gio/tests/buffered-input-stream.c | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/gio/gbufferedinputstream.c b/gio/gbufferedinputstream.c
+index 9e6bacc62..56d656be0 100644
+--- a/gio/gbufferedinputstream.c
++++ b/gio/gbufferedinputstream.c
+@@ -588,7 +588,7 @@ g_buffered_input_stream_peek (GBufferedInputStream *stream,
+
+ available = g_buffered_input_stream_get_available (stream);
+
+- if (offset > available)
++ if (offset > available || offset > G_MAXSIZE - count)
+ return 0;
+
+ end = MIN (offset + count, available);
+diff --git a/gio/tests/buffered-input-stream.c b/gio/tests/buffered-input-stream.c
+index a1af4eeff..2b2a0d9aa 100644
+--- a/gio/tests/buffered-input-stream.c
++++ b/gio/tests/buffered-input-stream.c
+@@ -58,6 +58,16 @@ test_peek (void)
+ g_assert_cmpint (npeek, ==, 0);
+ g_free (buffer);
+
++ buffer = g_new0 (char, 64);
++ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 8, 0);
++ g_assert_cmpint (npeek, ==, 0);
++ g_free (buffer);
++
++ buffer = g_new0 (char, 64);
++ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 5, G_MAXSIZE);
++ g_assert_cmpint (npeek, ==, 0);
++ g_free (buffer);
++
+ g_object_unref (in);
+ g_object_unref (base);
+ }
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
index 50701be3d03..7c0ed01f555 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -70,6 +70,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://CVE-2025-14087-02.patch \
file://CVE-2025-14087-03.patch \
file://CVE-2025-14512.patch \
+ file://CVE-2026-0988.patch \
"
SRC_URI:append:class-native = " file://relocate-modules.patch"
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-02-20 16:20 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-20 16:20 [OE-core][kirkstone][PATCH v2] glib-2.0: patch CVE-2026-0988 Peter Marko
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox