packages/glib2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2025-4056

Browse Source
This commit is contained in:
hanhuihui 2025-05-07 03:10:03 +00:00
parent 2e0da780c9
commit baec064c45
2 changed files with 54 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
backport-CVE-2025-4056.patch Normal file
View File

@ -0,0 +1,49 @@
From 3d9cc103308bc50938b65acb9814850208133112 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Sun, 30 Mar 2025 21:49:05 +0100
Subject: [PATCH] gspawn-win32: Fix potential integer overflows in argv
handling
This can happen if a user passes a ludicrously long string to argv.
Spotted by chamalsl as #YWH-PGM9867-48.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
---
glib/gspawn-win32-helper.c | 4 ++--
glib/gspawn-win32.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/glib/gspawn-win32-helper.c b/glib/gspawn-win32-helper.c
index 35b25905cb..0dc56c0eec 100644
--- a/glib/gspawn-win32-helper.c
+++ b/glib/gspawn-win32-helper.c
@@ -80,8 +80,8 @@ protect_wargv (gint argc,
{
wchar_t *p = wargv[i];
wchar_t *q;
- gint len = 0;
- gint pre_bslash = 0;
+ size_t len = 0;
+ size_t pre_bslash = 0;
gboolean need_dblquotes = FALSE;
while (*p)
{
diff --git a/glib/gspawn-win32.c b/glib/gspawn-win32.c
index 96b8bafee6..3a9a308680 100644
--- a/glib/gspawn-win32.c
+++ b/glib/gspawn-win32.c
@@ -253,8 +253,8 @@ protect_argv_string (const gchar *string)
{
const gchar *p = string;
gchar *retval, *q;
- gint len = 0;
- gint pre_bslash = 0;
+ size_t len = 0;
+ size_t pre_bslash = 0;
gboolean need_dblquotes = FALSE;
while (*p)
{
--
GitLab

6
glib2.spec
View File

@ -1,6 +1,6 @@
Name: glib2
Version: 2.66.8
Release: 17
Release: 18
Summary: The core library that forms the basis for projects such as GTK+ and GNOME
License: LGPLv2+
URL: http://www.gtk.org
@ -76,6 +76,7 @@ patch6064: backport-CVE-2024-34397.patch
patch6065: backport-gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a-well-known-name.patch
Patch6066: Correct-translation-information.patch
Patch6067: backport-CVE-2024-52533.patch
patch6068: backport-CVE-2025-4056.patch
BuildRequires: chrpath gcc gcc-c++ gettext perl-interpreter
%ifnarch i686
@ -248,6 +249,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
%endif
%changelog
* Wed May 7 2025 hanhuihui <hanhuihui5@huawei.com> - 2.66.8-18
- fix CVE-2025-4056
* Tue Nov 12 2024 liningjie <liningjie@xfusion.com> - 2.66.8-17
- Fix CVE-2024-52533