Fixes CVE-2026-1484, CVE-2026-1485 and CVE-2026-1489.
Release notes [1]:
Overview of changes in GLib 2.86.4, 2026-02-13
* Fix several security vulnerabilities of varying severity (see below
for details)
* Bugs fixed:
* #3858 (closed) glib-compile-resources: Incorrect compiler detection
on Windows when building GTK causes a DoS (L. E. Segovia)
* #3863 (closed) Iterating over a short (preallocated) GVariant
bytestring invalidly refs a NULL GBytes (Christian Hergert)
* #3870 (closed) (CVE-2026-1484) (YWH-PGM9867-168) Integer Overflow ->
Buffer Underflow on Glib through glib/gbase64.c via
g_base64_encode_close() leads to OOB Write (Marco Trevisan)
* #3871 (closed) (CVE-2026-1485) (#YWH-PGM9867-169) Buffer underflow
on Glib through gio/gcontenttype-fdo.c via parse_header() lead to
OOB Read/Write (Marco Trevisan)
* #3872 (closed) (CVE-2026-1489) (#YWH-PGM9867-171) Integer Overflow
on Glib through glib/guniprop.c via output_marks() lead to OOB Write
in glib/gutf8.c:g_unichar_to_utf8() (Marco Trevisan (Treviño))
* !4946 (merged) Update Romanian translation glib-2-86
* !4955 (merged) Backport !4954 (merged) “glib-compile-resources:
Always assume MSVC compiler if VCINSTALLDIR is set” to glib-2-86
* !4961 (merged) Backport !4960 (merged) “glib/gvariant: add failing
test for bytestring and fix it” to glib-2-86
* !4979 (merged) [glib-2-86] gbase64: Use gsize to prevent potential
overflow
* !4981 (merged) [glib-2-86] gio/gcontenttype-fdo: Do not overflow if
header is longer than MAXINT
* !4984 (merged) [glib-2-86] guniprop: Use size_t for output_marks
length
* !5010 (merged) Update Kazakh translation
* Translation updates:
* Kazakh (Baurzhan Muftakhidinov)
* Romanian (Antonio Marin)
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
projects / thirdparty / openembedded / openembedded-core.git / commit
