On Fri Jul 3, 2026 at 4:36 PM CEST, Benjamin Robin via lists.openembedded.org 
wrote:
> A flaw was found in GLib. A state confusion issue exists in
> g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when
> processing malformed D-Bus introspection XML, specifically with a <node>
> element nested within other elements like <method>, <signal>, <property>
> or <arg>. This issue can cause an unsigned integer overflow and lead to an
> out-of-bounds read, resulting in a denial of service.
>
> The CVE NVD entry is wrong, it indicates that the CVE is fixed in 2.88.1
> but the fix was realized in 2.89.0, see [1]. The fix is not present in 2.88.2.
>
> [1] 
> https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2
>
> Signed-off-by: Benjamin Robin (Schneider Electric) 
> <[email protected]>
> ---
>  .../glib-2.0/files/CVE-2026-58016-1.patch          | 92 +++++++++++++++++++++
>  .../glib-2.0/files/CVE-2026-58016-2.patch          | 96 
> ++++++++++++++++++++++
>  meta/recipes-core/glib-2.0/glib.inc                |  2 +
>  3 files changed, 190 insertions(+)
>
> diff --git a/meta/recipes-core/glib-2.0/files/CVE-2026-58016-1.patch 
> b/meta/recipes-core/glib-2.0/files/CVE-2026-58016-1.patch
> new file mode 100644
> index 000000000000..ee6321361455
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/files/CVE-2026-58016-1.patch
> @@ -0,0 +1,92 @@
> +From 38eee3870fbcf6bdf8e6b1281bc7a98d32b68521 Mon Sep 17 00:00:00 2001
> +From: Philip Withnall <[email protected]>
> +Date: Thu, 16 Apr 2026 15:27:37 +0100
> +Subject: [PATCH 1/2] gdbusintrospection: Fix XML parser state handling for
> + <node> element nesting
> +
> +The check for whether a `<node>` element in D-Bus introspection XML was
> +nested correctly was broken. `<node>` elements can only be at the top
> +level, or nested immediately within another `<node>` element.
> +
> +Fix the check and add some unit tests for it.
> +
> +Spotted by linhlhq as #YWH-PGM9867-204. The fix is mine, and the unit test
> +uses example XML strings adapted from their report.
> +
> +Fixes: #3932
> +
> +CVE: CVE-2026-58016
> +Upstream-Status: Backport 
> [https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2]
> +
> +Signed-off-by: Benjamin Robin <[email protected]>

Hello,

Upstream patch had a "Signed-off-by:" that I readded on my branch.
Can you send a patch to master to re-add it there too?

Thanks!
-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240594): 
https://lists.openembedded.org/g/openembedded-core/message/240594
Mute This Topic: https://lists.openembedded.org/mt/120100553/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to