From: Benjamin Robin <benjamin.robin@bootlin.com>
To: openembedded-core@lists.openembedded.org,
Yoann Congal <yoann.congal@smile.fr>
Cc: olivier.benjamin@bootlin.com, mathieu.dubois-briand@bootlin.com,
pascal.eberhard@se.com, wahid.essid@se.com
Subject: Re: [OE-core] [scarthgap][PATCH] glib-2.0: fix CVE-2026-58016
Date: Fri, 03 Jul 2026 16:42:15 +0200 [thread overview]
Message-ID: <knWe4ZSRSj6lGOsQSiMYKg@bootlin.com> (raw)
In-Reply-To: <DJOZILMNU3O5.3VMDRLWHGKGHU@smile.fr>
On Friday, July 3, 2026 at 3:53 PM, Yoann Congal wrote:
> On Fri Jul 3, 2026 at 3:46 PM CEST, Benjamin Robin wrote:
> > Hello Yoann,
> >
> > On Friday, July 3, 2026 at 3:33 PM, Yoann Congal wrote:
> >> On Fri Jul 3, 2026 at 3:25 PM CEST, Benjamin Robin via lists.openembedded.org wrote:
> >> > ---
> >> > .../glib-2.0/glib-2.0/CVE-2026-58016-1.patch | 92 +++++++++++++++++++++
> >> > .../glib-2.0/glib-2.0/CVE-2026-58016-2.patch | 96 ++++++++++++++++++++++
> >> > meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 2 +
> >>
> >> NVD tells this is fixed in 2.88.1 but wrynose is at 2.88.0. Can you send
> >> a patch for wrynose so I can accept this on scarthgap?
> >
> > The fun thing, that this is not fixed in version 2.88.1 but in 2.89.0.
>
> Then,
> * NVD is wrong(?). Can you send a modification request so we avoid false
> negatives (those are the worst ones!)
Yes, this was in my (very) long TODO list.
The commit fixing this issue is [1] and it was never backported.
The version 2.88.2 does not have the fix.
I am going to to that now :)
> * And, in that case, master is also impacted and need a fix.
I have sent:
- A patch for master upgrading to 2.89.1
- A patch for wrynose with the patches applied on 2.88.0
[1] https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
next prev parent reply other threads:[~2026-07-03 14:42 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-03 13:25 [scarthgap][PATCH] glib-2.0: fix CVE-2026-58016 Benjamin Robin (Schneider Electric)
2026-07-03 13:33 ` [OE-core] " Yoann Congal
2026-07-03 13:46 ` Benjamin Robin
2026-07-03 13:53 ` Yoann Congal
2026-07-03 14:42 ` Benjamin Robin [this message]
2026-07-03 15:05 ` Yoann Congal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=knWe4ZSRSj6lGOsQSiMYKg@bootlin.com \
--to=benjamin.robin@bootlin.com \
--cc=mathieu.dubois-briand@bootlin.com \
--cc=olivier.benjamin@bootlin.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=pascal.eberhard@se.com \
--cc=wahid.essid@se.com \
--cc=yoann.congal@smile.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox