* [scarthgap][PATCH] glib-2.0: fix CVE-2026-58016
@ 2026-07-03 13:25 Benjamin Robin (Schneider Electric)
2026-07-03 13:33 ` [OE-core] " Yoann Congal
0 siblings, 1 reply; 6+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-03 13:25 UTC (permalink / raw)
To: openembedded-core
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid, Benjamin Robin (Schneider Electric)
A flaw was found in GLib. A state confusion issue exists in
g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when
processing malformed D-Bus introspection XML, specifically with a <node>
element nested within other elements like <method>, <signal>, <property>
or <arg>. This issue can cause an unsigned integer overflow and lead to an
out-of-bounds read, resulting in a denial of service.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
.../glib-2.0/glib-2.0/CVE-2026-58016-1.patch | 92 +++++++++++++++++++++
.../glib-2.0/glib-2.0/CVE-2026-58016-2.patch | 96 ++++++++++++++++++++++
meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 2 +
3 files changed, 190 insertions(+)
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58016-1.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58016-1.patch
new file mode 100644
index 000000000000..ee6321361455
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58016-1.patch
@@ -0,0 +1,92 @@
+From 38eee3870fbcf6bdf8e6b1281bc7a98d32b68521 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 16 Apr 2026 15:27:37 +0100
+Subject: [PATCH 1/2] gdbusintrospection: Fix XML parser state handling for
+ <node> element nesting
+
+The check for whether a `<node>` element in D-Bus introspection XML was
+nested correctly was broken. `<node>` elements can only be at the top
+level, or nested immediately within another `<node>` element.
+
+Fix the check and add some unit tests for it.
+
+Spotted by linhlhq as #YWH-PGM9867-204. The fix is mine, and the unit test
+uses example XML strings adapted from their report.
+
+Fixes: #3932
+
+CVE: CVE-2026-58016
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ gio/gdbusintrospection.c | 2 +-
+ gio/tests/gdbus-introspection.c | 33 +++++++++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/gio/gdbusintrospection.c b/gio/gdbusintrospection.c
+index c7be334ce2f7..6f722ee6153d 100644
+--- a/gio/gdbusintrospection.c
++++ b/gio/gdbusintrospection.c
+@@ -1272,7 +1272,7 @@ parser_start_element (GMarkupParseContext *context,
+ /* ---------------------------------------------------------------------------------------------------- */
+ if (strcmp (element_name, "node") == 0)
+ {
+- if (!(g_slist_length (stack) >= 1 || strcmp (stack->next->data, "node") != 0))
++ if (stack->next != NULL && strcmp (stack->next->data, "node") != 0)
+ {
+ g_set_error_literal (error,
+ G_MARKUP_ERROR,
+diff --git a/gio/tests/gdbus-introspection.c b/gio/tests/gdbus-introspection.c
+index 44cb7a96af45..daca313f77e7 100644
+--- a/gio/tests/gdbus-introspection.c
++++ b/gio/tests/gdbus-introspection.c
+@@ -299,6 +299,38 @@ test_extra_data (void)
+ g_dbus_node_info_unref (info);
+ }
+
++static void
++test_invalid (void)
++{
++ const struct
++ {
++ const char *xml;
++ GMarkupError expected_error_code;
++ }
++ vectors[] =
++ {
++ { "", G_MARKUP_ERROR_EMPTY },
++ { "<node><interface name=\"I\"><method name=\"M\"><node><interface name=\"I2\"></interface></node></method>", G_MARKUP_ERROR_INVALID_CONTENT },
++ { "<node><interface name=\"I\"><signal name=\"S\"><node><interface name=\"I2\"><signal name=\"S2\"></signal></interface></node></signal>", G_MARKUP_ERROR_INVALID_CONTENT },
++ { "<node><interface name=\"I\"><property name=\"P\" type=\"s\" access=\"read\"><node><interface name=\"I2\"></interface></node></property>", G_MARKUP_ERROR_INVALID_CONTENT },
++ { "<node><interface name=\"I\"><method name=\"M\"><arg type=\"\"><node><interface name=\"I2\"><method name=\"M2\"></method></interface></node></arg>", G_MARKUP_ERROR_INVALID_CONTENT },
++ };
++
++ for (size_t i = 0; i < G_N_ELEMENTS (vectors); i++)
++ {
++ GDBusNodeInfo *node;
++ GError *local_error = NULL;
++
++ g_test_message ("Testing parsing of %s gives an error", vectors[i].xml);
++
++ node = g_dbus_node_info_new_for_xml (vectors[i].xml, &local_error);
++ g_assert_error (local_error, G_MARKUP_ERROR, (int) vectors[i].expected_error_code);
++ g_assert_null (node);
++
++ g_clear_error (&local_error);
++ }
++}
++
+ /* ---------------------------------------------------------------------------------------------------- */
+
+ int
+@@ -316,6 +348,7 @@ main (int argc,
+ g_test_add_func ("/gdbus/introspection-generate", test_generate);
+ g_test_add_func ("/gdbus/introspection-default-direction", test_default_direction);
+ g_test_add_func ("/gdbus/introspection-extra-data", test_extra_data);
++ g_test_add_func ("/gdbus/introspection/invalid", test_invalid);
+
+ ret = session_bus_run ();
+
+--
+2.54.0
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58016-2.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58016-2.patch
new file mode 100644
index 000000000000..a24e54016177
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-58016-2.patch
@@ -0,0 +1,96 @@
+From a75052ceeebea434f271b670766acd5416bc83b9 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 16 Apr 2026 15:08:10 +0100
+Subject: [PATCH 2/2] gdbusintrospection: Add some assertions before array
+ dereferences
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The state handling inside the D-Bus introspection XML parser is
+complicated, and it’s possible that these dereferences of the
+`len - 1`th element might get reached when the array is empty.
+
+Make failures like that more debuggable by adding an assertion on the
+length beforehand.
+
+Helps: #3932
+
+CVE: CVE-2026-58016
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/656ad4582cb1d7a7fa8bafe3ce8aec6aa3c17da0]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ gio/gdbusintrospection.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/gio/gdbusintrospection.c b/gio/gdbusintrospection.c
+index 6f722ee6153d..ed0d291f99f0 100644
+--- a/gio/gdbusintrospection.c
++++ b/gio/gdbusintrospection.c
+@@ -1110,6 +1110,7 @@ parse_data_get_annotation (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->annotations, g_new0 (GDBusAnnotationInfo, 1));
++ g_assert (data->annotations->len > 0);
+ return data->annotations->pdata[data->annotations->len - 1];
+ }
+
+@@ -1119,6 +1120,7 @@ parse_data_get_arg (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->args, g_new0 (GDBusArgInfo, 1));
++ g_assert (data->args->len > 0);
+ return data->args->pdata[data->args->len - 1];
+ }
+
+@@ -1128,6 +1130,7 @@ parse_data_get_out_arg (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->out_args, g_new0 (GDBusArgInfo, 1));
++ g_assert (data->out_args->len > 0);
+ return data->out_args->pdata[data->out_args->len - 1];
+ }
+
+@@ -1137,6 +1140,7 @@ parse_data_get_method (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->methods, g_new0 (GDBusMethodInfo, 1));
++ g_assert (data->methods->len > 0);
+ return data->methods->pdata[data->methods->len - 1];
+ }
+
+@@ -1146,6 +1150,7 @@ parse_data_get_signal (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->signals, g_new0 (GDBusSignalInfo, 1));
++ g_assert (data->signals->len > 0);
+ return data->signals->pdata[data->signals->len - 1];
+ }
+
+@@ -1155,6 +1160,7 @@ parse_data_get_property (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->properties, g_new0 (GDBusPropertyInfo, 1));
++ g_assert (data->properties->len > 0);
+ return data->properties->pdata[data->properties->len - 1];
+ }
+
+@@ -1164,6 +1170,7 @@ parse_data_get_interface (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->interfaces, g_new0 (GDBusInterfaceInfo, 1));
++ g_assert (data->interfaces->len > 0);
+ return data->interfaces->pdata[data->interfaces->len - 1];
+ }
+
+@@ -1173,6 +1180,7 @@ parse_data_get_node (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->nodes, g_new0 (GDBusNodeInfo, 1));
++ g_assert (data->nodes->len > 0);
+ return data->nodes->pdata[data->nodes->len - 1];
+ }
+
+--
+2.54.0
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
index b8212c9d12bd..549584f3d8fa 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
@@ -47,6 +47,8 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://CVE-2026-1489-02.patch \
file://CVE-2026-1489-03.patch \
file://CVE-2026-1489-04.patch \
+ file://CVE-2026-58016-1.patch \
+ file://CVE-2026-58016-2.patch \
"
SRC_URI:append:class-native = " file://relocate-modules.patch \
file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \
---
base-commit: 2814f0962f56c8d1afa4de76d2895ba9b5cb767d
change-id: 20260703-glib-2-0-cve-2026-58016-63b769c22101
Best regards,
--
Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [OE-core] [scarthgap][PATCH] glib-2.0: fix CVE-2026-58016
2026-07-03 13:25 [scarthgap][PATCH] glib-2.0: fix CVE-2026-58016 Benjamin Robin (Schneider Electric)
@ 2026-07-03 13:33 ` Yoann Congal
2026-07-03 13:46 ` Benjamin Robin
0 siblings, 1 reply; 6+ messages in thread
From: Yoann Congal @ 2026-07-03 13:33 UTC (permalink / raw)
To: benjamin.robin, openembedded-core
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid
On Fri Jul 3, 2026 at 3:25 PM CEST, Benjamin Robin via lists.openembedded.org wrote:
> A flaw was found in GLib. A state confusion issue exists in
> g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when
> processing malformed D-Bus introspection XML, specifically with a <node>
> element nested within other elements like <method>, <signal>, <property>
> or <arg>. This issue can cause an unsigned integer overflow and lead to an
> out-of-bounds read, resulting in a denial of service.
>
> Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
> ---
> .../glib-2.0/glib-2.0/CVE-2026-58016-1.patch | 92 +++++++++++++++++++++
> .../glib-2.0/glib-2.0/CVE-2026-58016-2.patch | 96 ++++++++++++++++++++++
> meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 2 +
NVD tells this is fixed in 2.88.1 but wrynose is at 2.88.0. Can you send
a patch for wrynose so I can accept this on scarthgap?
Thanks!
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OE-core] [scarthgap][PATCH] glib-2.0: fix CVE-2026-58016
2026-07-03 13:33 ` [OE-core] " Yoann Congal
@ 2026-07-03 13:46 ` Benjamin Robin
2026-07-03 13:53 ` Yoann Congal
0 siblings, 1 reply; 6+ messages in thread
From: Benjamin Robin @ 2026-07-03 13:46 UTC (permalink / raw)
To: openembedded-core, Yoann Congal
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid
Hello Yoann,
On Friday, July 3, 2026 at 3:33 PM, Yoann Congal wrote:
> On Fri Jul 3, 2026 at 3:25 PM CEST, Benjamin Robin via lists.openembedded.org wrote:
> > A flaw was found in GLib. A state confusion issue exists in
> > g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when
> > processing malformed D-Bus introspection XML, specifically with a <node>
> > element nested within other elements like <method>, <signal>, <property>
> > or <arg>. This issue can cause an unsigned integer overflow and lead to an
> > out-of-bounds read, resulting in a denial of service.
> >
> > Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
> > ---
> > .../glib-2.0/glib-2.0/CVE-2026-58016-1.patch | 92 +++++++++++++++++++++
> > .../glib-2.0/glib-2.0/CVE-2026-58016-2.patch | 96 ++++++++++++++++++++++
> > meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 2 +
>
> NVD tells this is fixed in 2.88.1 but wrynose is at 2.88.0. Can you send
> a patch for wrynose so I can accept this on scarthgap?
The fun thing, that this is not fixed in version 2.88.1 but in 2.89.0.
I am sending a patch right now.
>
> Thanks!
>
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OE-core] [scarthgap][PATCH] glib-2.0: fix CVE-2026-58016
2026-07-03 13:46 ` Benjamin Robin
@ 2026-07-03 13:53 ` Yoann Congal
2026-07-03 14:42 ` Benjamin Robin
0 siblings, 1 reply; 6+ messages in thread
From: Yoann Congal @ 2026-07-03 13:53 UTC (permalink / raw)
To: Benjamin Robin, openembedded-core
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid
On Fri Jul 3, 2026 at 3:46 PM CEST, Benjamin Robin wrote:
> Hello Yoann,
>
> On Friday, July 3, 2026 at 3:33 PM, Yoann Congal wrote:
>> On Fri Jul 3, 2026 at 3:25 PM CEST, Benjamin Robin via lists.openembedded.org wrote:
>> > A flaw was found in GLib. A state confusion issue exists in
>> > g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when
>> > processing malformed D-Bus introspection XML, specifically with a <node>
>> > element nested within other elements like <method>, <signal>, <property>
>> > or <arg>. This issue can cause an unsigned integer overflow and lead to an
>> > out-of-bounds read, resulting in a denial of service.
>> >
>> > Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
>> > ---
>> > .../glib-2.0/glib-2.0/CVE-2026-58016-1.patch | 92 +++++++++++++++++++++
>> > .../glib-2.0/glib-2.0/CVE-2026-58016-2.patch | 96 ++++++++++++++++++++++
>> > meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 2 +
>>
>> NVD tells this is fixed in 2.88.1 but wrynose is at 2.88.0. Can you send
>> a patch for wrynose so I can accept this on scarthgap?
>
> The fun thing, that this is not fixed in version 2.88.1 but in 2.89.0.
Then,
* NVD is wrong(?). Can you send a modification request so we avoid false
negatives (those are the worst ones!)
* And, in that case, master is also impacted and need a fix.
Thanks!
> I am sending a patch right now.
>
>>
>> Thanks!
>>
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OE-core] [scarthgap][PATCH] glib-2.0: fix CVE-2026-58016
2026-07-03 13:53 ` Yoann Congal
@ 2026-07-03 14:42 ` Benjamin Robin
2026-07-03 15:05 ` Yoann Congal
0 siblings, 1 reply; 6+ messages in thread
From: Benjamin Robin @ 2026-07-03 14:42 UTC (permalink / raw)
To: openembedded-core, Yoann Congal
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid
On Friday, July 3, 2026 at 3:53 PM, Yoann Congal wrote:
> On Fri Jul 3, 2026 at 3:46 PM CEST, Benjamin Robin wrote:
> > Hello Yoann,
> >
> > On Friday, July 3, 2026 at 3:33 PM, Yoann Congal wrote:
> >> On Fri Jul 3, 2026 at 3:25 PM CEST, Benjamin Robin via lists.openembedded.org wrote:
> >> > ---
> >> > .../glib-2.0/glib-2.0/CVE-2026-58016-1.patch | 92 +++++++++++++++++++++
> >> > .../glib-2.0/glib-2.0/CVE-2026-58016-2.patch | 96 ++++++++++++++++++++++
> >> > meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 2 +
> >>
> >> NVD tells this is fixed in 2.88.1 but wrynose is at 2.88.0. Can you send
> >> a patch for wrynose so I can accept this on scarthgap?
> >
> > The fun thing, that this is not fixed in version 2.88.1 but in 2.89.0.
>
> Then,
> * NVD is wrong(?). Can you send a modification request so we avoid false
> negatives (those are the worst ones!)
Yes, this was in my (very) long TODO list.
The commit fixing this issue is [1] and it was never backported.
The version 2.88.2 does not have the fix.
I am going to to that now :)
> * And, in that case, master is also impacted and need a fix.
I have sent:
- A patch for master upgrading to 2.89.1
- A patch for wrynose with the patches applied on 2.88.0
[1] https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OE-core] [scarthgap][PATCH] glib-2.0: fix CVE-2026-58016
2026-07-03 14:42 ` Benjamin Robin
@ 2026-07-03 15:05 ` Yoann Congal
0 siblings, 0 replies; 6+ messages in thread
From: Yoann Congal @ 2026-07-03 15:05 UTC (permalink / raw)
To: Benjamin Robin, openembedded-core
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid
On Fri Jul 3, 2026 at 4:42 PM CEST, Benjamin Robin wrote:
> On Friday, July 3, 2026 at 3:53 PM, Yoann Congal wrote:
>> On Fri Jul 3, 2026 at 3:46 PM CEST, Benjamin Robin wrote:
>> > Hello Yoann,
>> >
>> > On Friday, July 3, 2026 at 3:33 PM, Yoann Congal wrote:
>> >> On Fri Jul 3, 2026 at 3:25 PM CEST, Benjamin Robin via lists.openembedded.org wrote:
>> >> > ---
>> >> > .../glib-2.0/glib-2.0/CVE-2026-58016-1.patch | 92 +++++++++++++++++++++
>> >> > .../glib-2.0/glib-2.0/CVE-2026-58016-2.patch | 96 ++++++++++++++++++++++
>> >> > meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 2 +
>> >>
>> >> NVD tells this is fixed in 2.88.1 but wrynose is at 2.88.0. Can you send
>> >> a patch for wrynose so I can accept this on scarthgap?
>> >
>> > The fun thing, that this is not fixed in version 2.88.1 but in 2.89.0.
>>
>> Then,
>> * NVD is wrong(?). Can you send a modification request so we avoid false
>> negatives (those are the worst ones!)
>
> Yes, this was in my (very) long TODO list.
> The commit fixing this issue is [1] and it was never backported.
> The version 2.88.2 does not have the fix.
>
> I am going to to that now :)
>
>> * And, in that case, master is also impacted and need a fix.
>
> I have sent:
> - A patch for master upgrading to 2.89.1
> - A patch for wrynose with the patches applied on 2.88.0
>
> [1] https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2
Sounds good!
Thanks a lot :)
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-07-03 15:05 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-03 13:25 [scarthgap][PATCH] glib-2.0: fix CVE-2026-58016 Benjamin Robin (Schneider Electric)
2026-07-03 13:33 ` [OE-core] " Yoann Congal
2026-07-03 13:46 ` Benjamin Robin
2026-07-03 13:53 ` Yoann Congal
2026-07-03 14:42 ` Benjamin Robin
2026-07-03 15:05 ` Yoann Congal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox