Hello Yoann,

On Friday, July 3, 2026 at 3:33 PM, Yoann Congal wrote:
> On Fri Jul 3, 2026 at 3:25 PM CEST, Benjamin Robin via lists.openembedded.org 
> wrote:
> > A flaw was found in GLib. A state confusion issue exists in
> > g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when
> > processing malformed D-Bus introspection XML, specifically with a <node>
> > element nested within other elements like <method>, <signal>, <property>
> > or <arg>. This issue can cause an unsigned integer overflow and lead to an
> > out-of-bounds read, resulting in a denial of service.
> >
> > Signed-off-by: Benjamin Robin (Schneider Electric) 
> > <[email protected]>
> > ---
> >  .../glib-2.0/glib-2.0/CVE-2026-58016-1.patch       | 92 
> > +++++++++++++++++++++
> >  .../glib-2.0/glib-2.0/CVE-2026-58016-2.patch       | 96 
> > ++++++++++++++++++++++
> >  meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb      |  2 +
> 
> NVD tells this is fixed in 2.88.1 but wrynose is at 2.88.0. Can you send
> a patch for wrynose so I can accept this on scarthgap?

The fun thing, that this is not fixed in version 2.88.1 but in 2.89.0.

I am sending a patch right now.

> 
> Thanks!
> 


-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240110): 
https://lists.openembedded.org/g/openembedded-core/message/240110
Mute This Topic: https://lists.openembedded.org/mt/120099359/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to