From: Peter Marko Date: Sun, 24 Aug 2025 19:07:24 +0000 (+0200) Subject: glib-2.0: patch CVE-2025-7039 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=79355004da104587b2fb40dcb76053431c6a6182;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git glib-2.0: patch CVE-2025-7039 Pick commit per [1]. Also pick commit which changed the same code before to apply it cleanly. [1] https://security-tracker.debian.org/tracker/CVE-2025-7039 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-7039-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-7039-01.patch new file mode 100644 index 0000000000..cb096fca42 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-7039-01.patch @@ -0,0 +1,40 @@ +From 285db475ecaa4d2cc39ce326b4c63aacb87ca6ad Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin +Date: Tue, 22 Aug 2023 19:57:48 +0200 +Subject: [PATCH] glib/gfileutils.c: use 64 bits for value in get_tmp_file() + +On 32 bit systems 'long' value will overflow in 2038 and become negative. +As it is used to index into letters array, and % operation preserves signs, +data corruption will then occur. + +Signed-off-by: Alexander Kanavin + +CVE: CVE-2025-7039 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/285db475ecaa4d2cc39ce326b4c63aacb87ca6ad] +Signed-off-by: Peter Marko +--- + glib/gfileutils.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/glib/gfileutils.c b/glib/gfileutils.c +index 9646c696e..bd3cc179a 100644 +--- a/glib/gfileutils.c ++++ b/glib/gfileutils.c +@@ -1475,7 +1475,7 @@ get_tmp_file (gchar *tmpl, + static const char letters[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; + static const int NLETTERS = sizeof (letters) - 1; +- glong value; ++ gint64 value; + gint64 now_us; + static int counter = 0; + +@@ -1496,7 +1496,7 @@ get_tmp_file (gchar *tmpl, + + for (count = 0; count < 100; value += 7777, ++count) + { +- glong v = value; ++ gint64 v = value; + + /* Fill in the random bits. */ + XXXXXX[0] = letters[v % NLETTERS]; diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-7039-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-7039-02.patch new file mode 100644 index 0000000000..37e32fefc3 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-7039-02.patch @@ -0,0 +1,43 @@ +From 61e963284889ddb4544e6f1d5261c16120f6fcc3 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Tue, 1 Jul 2025 10:58:07 -0500 +Subject: [PATCH] gfileutils: fix computation of temporary file name + +We need to ensure that the value we use to index into the letters array +is always positive. + +Fixes #3716 + +CVE: CVE-2025-7039 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/61e963284889ddb4544e6f1d5261c16120f6fcc3] +Signed-off-by: Peter Marko +--- + glib/gfileutils.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/glib/gfileutils.c b/glib/gfileutils.c +index c7d3339d1..286b1b154 100644 +--- a/glib/gfileutils.c ++++ b/glib/gfileutils.c +@@ -1475,9 +1475,9 @@ get_tmp_file (gchar *tmpl, + static const char letters[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; + static const int NLETTERS = sizeof (letters) - 1; +- gint64 value; +- gint64 now_us; +- static int counter = 0; ++ guint64 value; ++ guint64 now_us; ++ static guint counter = 0; + + g_return_val_if_fail (tmpl != NULL, -1); + +@@ -1496,7 +1496,7 @@ get_tmp_file (gchar *tmpl, + + for (count = 0; count < 100; value += 7777, ++count) + { +- gint64 v = value; ++ guint64 v = value; + + /* Fill in the random bits. */ + XXXXXX[0] = letters[v % NLETTERS]; diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb index 31b6c1fe98..7ba52b5c79 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb @@ -62,6 +62,8 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://CVE-2025-3360-06.patch \ file://CVE-2025-4373-01.patch \ file://CVE-2025-4373-02.patch \ + file://CVE-2025-7039-01.patch \ + file://CVE-2025-7039-02.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch"