This upgrade fixes CVE-2026-58016 A flaw was found in GLib. A state confusion issue exists in g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when processing malformed D-Bus introspection XML, specifically with a <node> element nested within other elements like <method>, <signal>, <property> or <arg>. This issue can cause an unsigned integer overflow and lead to an out-of-bounds read, resulting in a denial of service.
The CVE NVD entry is wrong, it indicates that the CVE is fixed in 2.88.1 but the fix was realized in 2.89.0, see [1]. The fix is not present in 2.88.2. [1] https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2 Signed-off-by: Benjamin Robin (Schneider Electric) <[email protected]> --- .../glib-2.0/{glib-2.0-initial_2.88.1.bb => glib-2.0-initial_2.89.1.bb} | 0 meta/recipes-core/glib-2.0/{glib-2.0_2.88.1.bb => glib-2.0_2.89.1.bb} | 0 meta/recipes-core/glib-2.0/glib.inc | 2 +- 3 files changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/glib-2.0/glib-2.0-initial_2.88.1.bb b/meta/recipes-core/glib-2.0/glib-2.0-initial_2.89.1.bb similarity index 100% rename from meta/recipes-core/glib-2.0/glib-2.0-initial_2.88.1.bb rename to meta/recipes-core/glib-2.0/glib-2.0-initial_2.89.1.bb diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.88.1.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.89.1.bb similarity index 100% rename from meta/recipes-core/glib-2.0/glib-2.0_2.88.1.bb rename to meta/recipes-core/glib-2.0/glib-2.0_2.89.1.bb diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc index 8d23092187bf..be037046d525 100644 --- a/meta/recipes-core/glib-2.0/glib.inc +++ b/meta/recipes-core/glib-2.0/glib.inc @@ -238,7 +238,7 @@ SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ " -SRC_URI[archive.sha256sum] = "51ab804c56f6eab3e5045c774d1290ac5e4c923d4f9a3d8e33123bee45c1840e" +SRC_URI[archive.sha256sum] = "74447129c31afe141810f995626e8b99ab677413dae76ee3cf5a9cc6e75a486e" # Find any meson cross files in FILESPATH that are relevant for the current # build (using siteinfo) and add them to EXTRA_OEMESON. --- base-commit: 0776ddc4508387f3c1a13f7a1b6e2a6119aea4b2 change-id: 20260703-glib-2-0-cve-2026-58016-master-78b10a0f1823 Best regards, -- Benjamin Robin (Schneider Electric) <[email protected]>
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240114): https://lists.openembedded.org/g/openembedded-core/message/240114 Mute This Topic: https://lists.openembedded.org/mt/120100511/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
