From 97bd9c1324a6bddc484e27307c4f7182a2d01b83 Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Wed, 18 Feb 2026 23:53:25 +0100 Subject: [PATCH] glib-2.0: upgrade 2.86.3 -> 2.86.4 MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Fixes CVE-2026-1484, CVE-2026-1485 and CVE-2026-1489. Release notes [1]: Overview of changes in GLib 2.86.4, 2026-02-13 * Fix several security vulnerabilities of varying severity (see below for details) * Bugs fixed: * #3858 (closed) glib-compile-resources: Incorrect compiler detection on Windows when building GTK causes a DoS (L. E. Segovia) * #3863 (closed) Iterating over a short (preallocated) GVariant bytestring invalidly refs a NULL GBytes (Christian Hergert) * #3870 (closed) (CVE-2026-1484) (YWH-PGM9867-168) Integer Overflow -> Buffer Underflow on Glib through glib/gbase64.c via g_base64_encode_close() leads to OOB Write (Marco Trevisan) * #3871 (closed) (CVE-2026-1485) (#YWH-PGM9867-169) Buffer underflow on Glib through gio/gcontenttype-fdo.c via parse_header() lead to OOB Read/Write (Marco Trevisan) * #3872 (closed) (CVE-2026-1489) (#YWH-PGM9867-171) Integer Overflow on Glib through glib/guniprop.c via output_marks() lead to OOB Write in glib/gutf8.c:g_unichar_to_utf8() (Marco Trevisan (Treviño)) * !4946 (merged) Update Romanian translation glib-2-86 * !4955 (merged) Backport !4954 (merged) “glib-compile-resources: Always assume MSVC compiler if VCINSTALLDIR is set” to glib-2-86 * !4961 (merged) Backport !4960 (merged) “glib/gvariant: add failing test for bytestring and fix it” to glib-2-86 * !4979 (merged) [glib-2-86] gbase64: Use gsize to prevent potential overflow * !4981 (merged) [glib-2-86] gio/gcontenttype-fdo: Do not overflow if header is longer than MAXINT * !4984 (merged) [glib-2-86] guniprop: Use size_t for output_marks length * !5010 (merged) Update Kazakh translation * Translation updates: * Kazakh (Baurzhan Muftakhidinov) * Romanian (Antonio Marin) [1] https://gitlab.gnome.org/GNOME/glib/-/releases/2.86.4 Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie --- .../{glib-2.0-initial_2.86.3.bb => glib-2.0-initial_2.86.4.bb} | 0 .../glib-2.0/{glib-2.0_2.86.3.bb => glib-2.0_2.86.4.bb} | 0 meta/recipes-core/glib-2.0/glib.inc | 2 +- 3 files changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-core/glib-2.0/{glib-2.0-initial_2.86.3.bb => glib-2.0-initial_2.86.4.bb} (100%) rename meta/recipes-core/glib-2.0/{glib-2.0_2.86.3.bb => glib-2.0_2.86.4.bb} (100%) diff --git a/meta/recipes-core/glib-2.0/glib-2.0-initial_2.86.3.bb b/meta/recipes-core/glib-2.0/glib-2.0-initial_2.86.4.bb similarity index 100% rename from meta/recipes-core/glib-2.0/glib-2.0-initial_2.86.3.bb rename to meta/recipes-core/glib-2.0/glib-2.0-initial_2.86.4.bb diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.86.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.86.4.bb similarity index 100% rename from meta/recipes-core/glib-2.0/glib-2.0_2.86.3.bb rename to meta/recipes-core/glib-2.0/glib-2.0_2.86.4.bb diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc index 2e15cc7675b..d1f25ef8f21 100644 --- a/meta/recipes-core/glib-2.0/glib.inc +++ b/meta/recipes-core/glib-2.0/glib.inc @@ -237,7 +237,7 @@ SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ " -SRC_URI[archive.sha256sum] = "b3211d8d34b9df5dca05787ef0ad5d7ca75dec998b970e1aab0001d229977c65" +SRC_URI[archive.sha256sum] = "d4e2b5d791d5015ffd8c6971ad8e975a0a55c1a14926cdb25cf843ff00682260" # Find any meson cross files in FILESPATH that are relevant for the current # build (using siteinfo) and add them to EXTRA_OEMESON. -- 2.47.3