Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package glib-networking for openSUSE:Factory
checked in at 2026-06-12 19:25:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/glib-networking (Old)
and /work/SRC/openSUSE:Factory/.glib-networking.new.1981 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "glib-networking"
Fri Jun 12 19:25:25 2026 rev:89 rq:1358738 version:2.80.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/glib-networking/glib-networking.changes
2026-03-27 16:48:46.789598879 +0100
+++
/work/SRC/openSUSE:Factory/.glib-networking.new.1981/glib-networking.changes
2026-06-12 19:25:45.393746591 +0200
@@ -1,0 +2,7 @@
+Wed Jun 10 01:21:39 UTC 2026 - Xiaoguang Wang <[email protected]>
+
+- Add CVE-2026-10028.patch:
+ tls: detect cycles when setting issuer property
+ (CVE-2026-10028, bsc#1267979, glgo#GNOME/glib-networking!279)
+
+-------------------------------------------------------------------
New:
----
CVE-2026-10028.patch
----------(New B)----------
New:
- Add CVE-2026-10028.patch:
tls: detect cycles when setting issuer property
----------(New E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ glib-networking.spec ++++++
--- /var/tmp/diff_new_pack.UIcB6R/_old 2026-06-12 19:25:46.149778281 +0200
+++ /var/tmp/diff_new_pack.UIcB6R/_new 2026-06-12 19:25:46.153778447 +0200
@@ -27,6 +27,9 @@
Source0: %{name}-%{version}.tar.xz
Source99: baselibs.conf
+# PATCH-FIX-UPSTREAM CVE-2026-10028.patch bsc#1267979 [email protected] -- tls:
detect cycles when setting issuer property
+Patch0: CVE-2026-10028.patch
+
BuildRequires: ca-certificates-mozilla
# For directory ownership
BuildRequires: dbus-1
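Review bot: `Patch0: CVE-2026-10028.patch` is declared, but the hunk shows no matching change in %prep; if %prep already applies all patches via `%autosetup -p1` this is fine, otherwise the patch is listed and never applied, and the build would succeed silently without the fix. The PATCH-FIX-UPSTREAM comment could also carry the upstream merge request reference from the .changes entry (glgo#GNOME/glib-networking!279) so the origin of the patch is visible from the spec alone.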
++++++ CVE-2026-10028.patch ++++++
>From d254cea168a7a2c5b594ceb11fea565201d6895f Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <[email protected]>
Date: Fri, 29 May 2026 19:20:02 -0500
Subject: [PATCH] tls: detect cycles when setting issuer property
A malicious peer can cause certificate verification to infinite loop
by sending two certificates which are each signed by the other. I
introduced this bug in my very first commit to glib-networking,
0e08f17396287d00a69bbbcbec3b364b98cbcace. Oops.
This commit does not change glib-networking to be robust against
GTlsCertificate issuer cycles. If your application creates a cycle, it
will still infinite loop. That could be fixed by adding a depth limit in
GTlsDatabaseGnutls/GTlsDatabaseOpenssl, but I don't see any particularly
strong need to do so, and arbitrary limits are somewhat sad. But now
glib-networking will no longer itself create infinite issuer loops. I
doubt any applications attempt to set issuers on their own, and if so,
it's their fault if they mess up!
The changes to create-files.sh are based on work by Mohamed Sayed or an
AI agent working on his behalf. I took them from his GNOME bug bounty
program report. The new function g_tls_issuer_would_create_cycle() is
also (very) loosely based on one of his proposed fixes.
This commit is large mostly because it adds new test certificates, so I
regenerated them all. This used to be routine, but it seems it's been 5
years!
Fixes #231
diff --git a/tls/base/gtlsutils.c b/tls/base/gtlsutils.c
new file mode 100644
index 00000000..3422715c
--- /dev/null
+++ b/tls/base/gtlsutils.c
@@ -0,0 +1,42 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO - GLib Input, Output and Streaming Library
+ *
+ * Copyright Red Hat
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ */
+
+#include "config.h"
+#include "gtlsutils.h"
+
+gboolean
+g_tls_issuer_would_create_cycle (GTlsCertificate *certificate,
+ GTlsCertificate *issuer)
+{
+ GTlsCertificate *c = issuer;
+
+ do
+ {
+ if (c == certificate)
+ return TRUE;
+ c = g_tls_certificate_get_issuer (c);
+ } while (c);
+
+ return FALSE;
+}
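Review bot: the walk in g_tls_issuer_would_create_cycle (`do { ... c = g_tls_certificate_get_issuer (c); } while (c);`) has no depth bound, so it hangs if the chain above `issuer` already contains a cycle; the commit message accepts that for application-created cycles, but the limitation belongs in a doc comment on the function. The do/while also dereferences `issuer` before any check, so a NULL `issuer` reaches g_tls_certificate_get_issuer; both callers guard with `if (issuer && ...)`, but a `g_return_val_if_fail (G_IS_TLS_CERTIFICATE (issuer), FALSE)` at the top would make the precondition explicit for future callers.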
diff --git a/tls/base/gtlsutils.h b/tls/base/gtlsutils.h
new file mode 100644
index 00000000..50d34a42
--- /dev/null
+++ b/tls/base/gtlsutils.h
@@ -0,0 +1,33 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO - GLib Input, Output and Streaming Library
+ *
+ * Copyright Red Hat
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ */
+
+#include <gio/gio.h>
+
+#pragma once
+
+G_BEGIN_DECLS
+
+gboolean g_tls_issuer_would_create_cycle (GTlsCertificate *certificate,
GTlsCertificate *issuer);
+
+G_END_DECLS
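Review bot: `#pragma once` is placed after `#include <gio/gio.h>`; the include guard conventionally comes first in the header, before any includes, matching the other headers in tls/base. No functional difference, but worth aligning for consistency.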
diff --git a/tls/base/meson.build b/tls/base/meson.build
index f6bddd8e..0847af2c 100644
--- a/tls/base/meson.build
+++ b/tls/base/meson.build
@@ -4,6 +4,7 @@ tlsbase_sources = files(
'gtlslog.c',
'gtlsoutputstream.c',
'gtlssessioncache.c',
+ 'gtlsutils.c'
)
tlsbase = static_library('tlsbase',
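Review bot: the new entry `+ 'gtlsutils.c'` is missing the trailing comma that every other entry in `tlsbase_sources` carries (`'gtlssessioncache.c',`); add it so the next source added to the list produces a one-line diff instead of touching this line again.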
diff --git a/tls/gnutls/gtlscertificate-gnutls.c
b/tls/gnutls/gtlscertificate-gnutls.c
index 682c17b9..8c10134f 100644
--- a/tls/gnutls/gtlscertificate-gnutls.c
+++ b/tls/gnutls/gtlscertificate-gnutls.c
@@ -32,6 +32,8 @@
#include "gtlscertificate-gnutls.h"
#include <glib/gi18n-lib.h>
+#include "gtlsutils.h"
+
enum
{
PROP_0,
@@ -1105,7 +1107,7 @@ g_tls_certificate_gnutls_build_chain (const
gnutls_datum_t *certs,
}
}
- if (issuer)
+ if (issuer && !g_tls_issuer_would_create_cycle (glib_certs->pdata[i],
G_TLS_CERTIFICATE (issuer)))
g_tls_certificate_gnutls_set_issuer (glib_certs->pdata[i], issuer);
}
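Review bot: when `g_tls_issuer_would_create_cycle` returns TRUE the issuer is silently dropped and the loop continues; a debug message through the existing gtlslog facility in tls/base at that point would make a peer chain that triggered the CVE-2026-10028 condition visible when debugging a failed handshake, rather than surfacing only as an unexplained verification failure.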
diff --git a/tls/openssl/gtlscertificate-openssl.c
b/tls/openssl/gtlscertificate-openssl.c
index d8e9d186..4a52ac08 100644
--- a/tls/openssl/gtlscertificate-openssl.c
+++ b/tls/openssl/gtlscertificate-openssl.c
@@ -32,6 +32,8 @@
#include "gtlscertificate-openssl.h"
#include <glib/gi18n-lib.h>
+#include "gtlsutils.h"
+
struct _GTlsCertificateOpenssl
{
GTlsCertificate parent_instance;
@@ -1022,7 +1024,7 @@ g_tls_certificate_openssl_build_chain (X509 *x,
}
}
- if (issuer)
+ if (issuer && !g_tls_issuer_would_create_cycle (glib_certs->pdata[i],
G_TLS_CERTIFICATE (issuer)))
g_tls_certificate_openssl_set_issuer (glib_certs->pdata[i], issuer);
}
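Review bot: this is the last hunk of the backport, and none of the test changes the commit message describes (the create-files.sh changes, the regenerated test certificates, a test for two certificates signing each other) are included, so the package carries no regression test for CVE-2026-10028. That is a reasonable trade-off for a distribution patch, but it should be stated in the .changes entry or the spec comment so a later rebase does not assume the tests came along.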
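The commit message above describes the bug as two certificates that each name the other as issuer, which sends an unbounded chain walk into an infinite loop, and mentions a depth limit as the alternative fix. The following is an added example, not glib-networking code, that models the issuer link with a plain struct (`struct cert` and its `issuer` field are hypothetical stand-ins for GTlsCertificate and its "issuer" property) and shows both approaches side by side: a cycle check applied before the link is set, mirroring the patch's `g_tls_issuer_would_create_cycle`, and a bounded walker that reports a pre-existing cycle instead of hanging.

```c
/* Added example (not glib-networking code): a minimal model of the
 * issuer-cycle problem described in the commit message. `struct cert`
 * stands in for GTlsCertificate and `issuer` for its "issuer"
 * property; all names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct cert {
    const char  *name;
    struct cert *issuer;   /* next link up the chain, NULL at the top */
};

/* Mirror of the patch's check: would making `issuer` the issuer of
 * `certificate` close a loop? Walks upward from `issuer`. Like the
 * upstream function, it assumes the chain above `issuer` is acyclic. */
bool issuer_would_create_cycle(const struct cert *certificate,
                               const struct cert *issuer)
{
    for (const struct cert *c = issuer; c != NULL; c = c->issuer)
        if (c == certificate)
            return true;
    return false;
}

/* Guarded setter: refuses an issuer that would create a cycle and
 * leaves the certificate's existing link untouched in that case. */
bool set_issuer_checked(struct cert *certificate, struct cert *issuer)
{
    if (issuer != NULL && issuer_would_create_cycle(certificate, issuer))
        return false;
    certificate->issuer = issuer;
    return true;
}

/* Bounded chain walk: the depth-limit alternative the commit message
 * mentions. Returns the chain length, or -1 once max_depth is exceeded,
 * which is how an already-present cycle looks to a bounded walker. */
int chain_length(const struct cert *leaf, int max_depth)
{
    int n = 0;
    for (const struct cert *c = leaf; c != NULL; c = c->issuer)
        if (++n > max_depth)
            return -1;
    return n;
}

/* Constructed scenario: leaf -> intermediate -> root is accepted, the
 * attempt to make leaf the issuer of root is refused, and an unchecked
 * assignment that does create the cycle is caught by the bounded walk.
 * Returns 0 on success or the number of the failing step. */
int demo(void)
{
    struct cert root = { "root", NULL };
    struct cert intermediate = { "intermediate", NULL };
    struct cert leaf = { "leaf", NULL };

    if (!set_issuer_checked(&intermediate, &root)) return 1;
    if (!set_issuer_checked(&leaf, &intermediate)) return 2;
    if (set_issuer_checked(&root, &leaf)) return 3;   /* must be refused */
    if (chain_length(&leaf, 10) != 3) return 4;

    root.issuer = &leaf;                              /* bypass the check */
    if (chain_length(&leaf, 10) != -1) return 5;      /* cycle detected */
    return 0;
}

int main(void)
{
    int rc = demo();
    if (rc == 0)
        printf("cycle checks behave as expected\n");
    else
        printf("check %d failed\n", rc);
    return rc;
}
```

The setter is the shape of the upstream fix: the check runs once, at the moment the link is created, so the verifier never sees a loop. The bounded walker is what a backend like GTlsDatabaseGnutls would need if it wanted to tolerate cycles created by the application itself, which the patch deliberately leaves unhandled.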
++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.UIcB6R/_old 2026-06-12 19:25:46.197780292 +0200
+++ /var/tmp/diff_new_pack.UIcB6R/_new 2026-06-12 19:25:46.213780962 +0200
@@ -1,6 +1,6 @@
-mtime: 1774254786
-commit: 210ecd374e908feb3dd7f55089a12e79d4457400a6f8cf29ba581eb1a23bbc49
+mtime: 1781056549
+commit: 226772da6af83e2c70bd988a4f511f3def4e3483053dccee8104d2ffd42fa415
url: https://src.opensuse.org/GNOME/glib-networking
-revision: 210ecd374e908feb3dd7f55089a12e79d4457400a6f8cf29ba581eb1a23bbc49
+revision: 226772da6af83e2c70bd988a4f511f3def4e3483053dccee8104d2ffd42fa415
projectscmsync: https://src.opensuse.org/GNOME/_ObsPrj
++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore 1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore 2026-06-10 03:55:49.000000000 +0200
@@ -0,0 +1,5 @@
+*.obscpio
+*.osc
+_build.*
+.pbuild
+osc-collab.*