On Fri, 3 Jul 2026 at 16:34, Benjamin Robin via lists.openembedded.org <[email protected]> wrote: > > This upgrade fixes CVE-2026-58016 > > A flaw was found in GLib. A state confusion issue exists in > g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when > processing malformed D-Bus introspection XML, specifically with a <node> > element nested within other elements like <method>, <signal>, <property> > or <arg>. This issue can cause an unsigned integer overflow and lead to an > out-of-bounds read, resulting in a denial of service. > > The CVE NVD entry is wrong, it indicates that the CVE is fixed in 2.88.1 > but the fix was realized in 2.89.0, see [1]. The fix is not present in 2.88.2. > > [1] > https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2 > .../glib-2.0/{glib-2.0-initial_2.88.1.bb => glib-2.0-initial_2.89.1.bb} | 0 > meta/recipes-core/glib-2.0/{glib-2.0_2.88.1.bb => glib-2.0_2.89.1.bb} | 0
2.89.1 is a pre-release, we cannot take it. You need to backport the patch, or get the upstream to release 2.88.3 with it. Alex
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240127): https://lists.openembedded.org/g/openembedded-core/message/240127 Mute This Topic: https://lists.openembedded.org/mt/120100511/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
