Openembedded Core Discussions
 help / color / mirror / Atom feed
From: "Yoann Congal" <yoann.congal@smile.fr>
To: "Benjamin Robin" <benjamin.robin@bootlin.com>,
	<openembedded-core@lists.openembedded.org>
Cc: <olivier.benjamin@bootlin.com>,
	<mathieu.dubois-briand@bootlin.com>, <pascal.eberhard@se.com>,
	<wahid.essid@se.com>
Subject: Re: [OE-core] [scarthgap][PATCH] glib-2.0: fix CVE-2026-58016
Date: Fri, 03 Jul 2026 15:53:15 +0200	[thread overview]
Message-ID: <DJOZILMNU3O5.3VMDRLWHGKGHU@smile.fr> (raw)
In-Reply-To: <wUwD7u-8QNWeO3TEktmZ1Q@bootlin.com>

On Fri Jul 3, 2026 at 3:46 PM CEST, Benjamin Robin wrote:
> Hello Yoann,
>
> On Friday, July 3, 2026 at 3:33 PM, Yoann Congal wrote:
>> On Fri Jul 3, 2026 at 3:25 PM CEST, Benjamin Robin via lists.openembedded.org wrote:
>> > A flaw was found in GLib. A state confusion issue exists in
>> > g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when
>> > processing malformed D-Bus introspection XML, specifically with a <node>
>> > element nested within other elements like <method>, <signal>, <property>
>> > or <arg>. This issue can cause an unsigned integer overflow and lead to an
>> > out-of-bounds read, resulting in a denial of service.
>> >
>> > Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
>> > ---
>> >  .../glib-2.0/glib-2.0/CVE-2026-58016-1.patch       | 92 +++++++++++++++++++++
>> >  .../glib-2.0/glib-2.0/CVE-2026-58016-2.patch       | 96 ++++++++++++++++++++++
>> >  meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb      |  2 +
>> 
>> NVD tells this is fixed in 2.88.1 but wrynose is at 2.88.0. Can you send
>> a patch for wrynose so I can accept this on scarthgap?
>
> The fun thing, that this is not fixed in version 2.88.1 but in 2.89.0.

Then,
* NVD is wrong(?). Can you send a modification request so we avoid false
  negatives (those are the worst ones!)
* And, in that case, master is also impacted and need a fix.

Thanks!

> I am sending a patch right now.
>
>> 
>> Thanks!
>> 


-- 
Yoann Congal
Smile ECS



  reply	other threads:[~2026-07-03 13:53 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-03 13:25 [scarthgap][PATCH] glib-2.0: fix CVE-2026-58016 Benjamin Robin (Schneider Electric)
2026-07-03 13:33 ` [OE-core] " Yoann Congal
2026-07-03 13:46   ` Benjamin Robin
2026-07-03 13:53     ` Yoann Congal [this message]
2026-07-03 14:42       ` Benjamin Robin
2026-07-03 15:05         ` Yoann Congal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJOZILMNU3O5.3VMDRLWHGKGHU@smile.fr \
    --to=yoann.congal@smile.fr \
    --cc=benjamin.robin@bootlin.com \
    --cc=mathieu.dubois-briand@bootlin.com \
    --cc=olivier.benjamin@bootlin.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=pascal.eberhard@se.com \
    --cc=wahid.essid@se.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox