Hello Yoann, On Friday, July 3, 2026 at 3:33 PM, Yoann Congal wrote: > On Fri Jul 3, 2026 at 3:25 PM CEST, Benjamin Robin via lists.openembedded.org > wrote: > > A flaw was found in GLib. A state confusion issue exists in > > g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when > > processing malformed D-Bus introspection XML, specifically with a <node> > > element nested within other elements like <method>, <signal>, <property> > > or <arg>. This issue can cause an unsigned integer overflow and lead to an > > out-of-bounds read, resulting in a denial of service. > > > > Signed-off-by: Benjamin Robin (Schneider Electric) > > <[email protected]> > > --- > > .../glib-2.0/glib-2.0/CVE-2026-58016-1.patch | 92 > > +++++++++++++++++++++ > > .../glib-2.0/glib-2.0/CVE-2026-58016-2.patch | 96 > > ++++++++++++++++++++++ > > meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 2 + > > NVD tells this is fixed in 2.88.1 but wrynose is at 2.88.0. Can you send > a patch for wrynose so I can accept this on scarthgap?
The fun thing, that this is not fixed in version 2.88.1 but in 2.89.0. I am sending a patch right now. > > Thanks! > -- Benjamin Robin, Bootlin Embedded Linux and Kernel engineering https://bootlin.com
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240110): https://lists.openembedded.org/g/openembedded-core/message/240110 Mute This Topic: https://lists.openembedded.org/mt/120099359/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
