On Fri Jul 3, 2026 at 4:36 PM CEST, Benjamin Robin via lists.openembedded.org wrote: > A flaw was found in GLib. A state confusion issue exists in > g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when > processing malformed D-Bus introspection XML, specifically with a <node> > element nested within other elements like <method>, <signal>, <property> > or <arg>. This issue can cause an unsigned integer overflow and lead to an > out-of-bounds read, resulting in a denial of service. > > The CVE NVD entry is wrong, it indicates that the CVE is fixed in 2.88.1 > but the fix was realized in 2.89.0, see [1]. The fix is not present in 2.88.2. > > [1] > https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2 > > Signed-off-by: Benjamin Robin (Schneider Electric) > <[email protected]> > --- > .../glib-2.0/files/CVE-2026-58016-1.patch | 92 +++++++++++++++++++++ > .../glib-2.0/files/CVE-2026-58016-2.patch | 96 > ++++++++++++++++++++++ > meta/recipes-core/glib-2.0/glib.inc | 2 + > 3 files changed, 190 insertions(+) > > diff --git a/meta/recipes-core/glib-2.0/files/CVE-2026-58016-1.patch > b/meta/recipes-core/glib-2.0/files/CVE-2026-58016-1.patch > new file mode 100644 > index 000000000000..ee6321361455 > --- /dev/null > +++ b/meta/recipes-core/glib-2.0/files/CVE-2026-58016-1.patch > @@ -0,0 +1,92 @@ > +From 38eee3870fbcf6bdf8e6b1281bc7a98d32b68521 Mon Sep 17 00:00:00 2001 > +From: Philip Withnall <[email protected]> > +Date: Thu, 16 Apr 2026 15:27:37 +0100 > +Subject: [PATCH 1/2] gdbusintrospection: Fix XML parser state handling for > + <node> element nesting > + > +The check for whether a `<node>` element in D-Bus introspection XML was > +nested correctly was broken. `<node>` elements can only be at the top > +level, or nested immediately within another `<node>` element. > + > +Fix the check and add some unit tests for it. > + > +Spotted by linhlhq as #YWH-PGM9867-204. The fix is mine, and the unit test > +uses example XML strings adapted from their report. > + > +Fixes: #3932 > + > +CVE: CVE-2026-58016 > +Upstream-Status: Backport > [https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2] > + > +Signed-off-by: Benjamin Robin <[email protected]>
Hello, Upstream patch had a "Signed-off-by:" that I readded on my branch. Can you send a patch to master to re-add it there too? Thanks! -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240594): https://lists.openembedded.org/g/openembedded-core/message/240594 Mute This Topic: https://lists.openembedded.org/mt/120100553/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
