From: Ross Burton Date: Thu, 16 Apr 2026 10:30:57 +0000 (+0100) Subject: glib-networking: backport fix for CVE-2026-2574 X-Git-Tag: yocto-6.0~63 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4967ddba566d221e2c8c65ae13b8bad2fda19397;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git glib-networking: backport fix for CVE-2026-2574 CVE-2026-2574: Affected versions of this package are vulnerable to Out-of-bounds Read via improper handling of certificate authority data in the OpenSSL backend. An attacker can cause application crashes and potentially disclose limited heap memory by enticing a client to connect to a malicious TLS server that advertises a specially crafted client-CA list. Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- diff --git a/meta/recipes-core/glib-networking/glib-networking/0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch b/meta/recipes-core/glib-networking/glib-networking/0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch new file mode 100644 index 0000000000..d3673656ad --- /dev/null +++ b/meta/recipes-core/glib-networking/glib-networking/0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch @@ -0,0 +1,48 @@ +From be2173eb9b769255df9474a9128e642b60894f10 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 12 Mar 2026 12:47:00 -0500 +Subject: [PATCH] openssl: fix out of bounds read in accepted-cas property + getter + +The d2i and i2d functions are quite dangerous because they advance the +provided pointer, so we have to pass a temporary pointer if we're later +going to do anything with the original pointer. + +I've audited the codebase and found this is our only such mistake. + +Fixes #228 (CVE-2026-2574) + +Part-of: + + +(cherry picked from commit c3c84b269165f2a312d47fa15c5cbc7f8ead7631) + +Co-authored-by: Michael Catanzaro + +CVE: CVE-2026-2574 +Upstream-Status: Backport +Signed-off-by: Ross Burton +--- + tls/openssl/gtlsclientconnection-openssl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c +index e98fb0b..e2ff0d4 100644 +--- a/tls/openssl/gtlsclientconnection-openssl.c ++++ b/tls/openssl/gtlsclientconnection-openssl.c +@@ -141,9 +141,11 @@ g_tls_client_connection_openssl_get_property (GObject *object, + if (size > 0) + { + unsigned char *ca; ++ unsigned char *tmp; + + ca = g_malloc (size); +- size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), &ca); ++ tmp = ca; ++ size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), &tmp); + if (size > 0) + accepted_cas = g_list_prepend (accepted_cas, g_byte_array_new_take ( + ca, size)); +-- +2.43.0 + diff --git a/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb b/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb index 44e3b0c0b3..3d47e354e2 100644 --- a/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb +++ b/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb @@ -32,6 +32,7 @@ inherit gnomebase gettext upstream-version-is-even gio-module-cache ptest-gnome SRC_URI += "file://0001-openssl-properly-check-return-value-when-writing-to-.patch \ file://0002-openssl-check-return-value-of-g_tls_bio_alloc.patch \ file://0003-openssl-check-return-values-of-BIO_new.patch \ + file://0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch \ file://run-ptest" FILES:${PN} += "\