On Friday, July 3, 2026 at 11:48 PM, Alexander Kanavin wrote:
> On Fri, 3 Jul 2026 at 16:34, Benjamin Robin via lists.openembedded.org
> <[email protected]> wrote:
> >
> > This upgrade fixes CVE-2026-58016
> >
> > A flaw was found in GLib. A state confusion issue exists in
> > g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when
> > processing malformed D-Bus introspection XML, specifically with a <node>
> > element nested within other elements like <method>, <signal>, <property>
> > or <arg>. This issue can cause an unsigned integer overflow and lead to an
> > out-of-bounds read, resulting in a denial of service.
> >
> > The CVE NVD entry is wrong, it indicates that the CVE is fixed in 2.88.1
> > but the fix was realized in 2.89.0, see [1]. The fix is not present in 
> > 2.88.2.
> >
> > [1] 
> > https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2
> >  .../glib-2.0/{glib-2.0-initial_2.88.1.bb => glib-2.0-initial_2.89.1.bb} | 0
> >  meta/recipes-core/glib-2.0/{glib-2.0_2.88.1.bb => glib-2.0_2.89.1.bb}   | 0
> 
> 2.89.1 is a pre-release, we cannot take it. You need to backport the
> patch, or get the upstream to release 2.88.3 with it.

Indeed, I did not know that. SECURITY.md contains the following:
| Under GLib’s versioning scheme, stable release series have an even minor
| component (for example, 2.66.0, 2.66.1, 2.68.3), and development release 
series
| have an odd minor component (2.67.1, 2.69.0).

So I sent a v2 that backport the patch.

Thanks,
-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240147): 
https://lists.openembedded.org/g/openembedded-core/message/240147
Mute This Topic: https://lists.openembedded.org/mt/120100511/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to