From 71ce6a2430a684c6bb197ff9a935a36cf5111eb7 Mon Sep 17 00:00:00 2001
From: Kou Wenqi
Date: Fri, 27 Jun 2025 16:37:35 +0800
Subject: [PATCH] fix CVE-2025-6052
(cherry picked from commit 5b5dada3f488441bb119a5f8e84c90c1b766ff6e)
---
 backport-CVE-2025-6052.patch | 68 ++++++++++++++++++++++++++++++++++++
 glib2.spec | 6 +++-
 2 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-6052.patch
diff --git a/backport-CVE-2025-6052.patch b/backport-CVE-2025-6052.patch
new file mode 100644
index 0000000..acd9989
--- /dev/null
+++ b/backport-CVE-2025-6052.patch
@@ -0,0 +1,68 @@
+From 987309f23ada52592bffdb5db0d8a5d58bd8097b Mon Sep 17 00:00:00 2001
+From: Philip Withnall
+Date: Tue, 3 Jun 2025 11:31:04 +0100
+Subject: [PATCH] gstring: Fix overflow check when expanding the string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+After commit 34b7992fd6e3894bf6d2229b8aa59cac34bcb1b5 the overflow check
+was only done when expanding the string, but we need to do it before
+checking whether to expand the string, otherwise that calculation could
+overflow and falsely decide that the string is big enough already.
+
+As a concrete example, consider a `GString` which has:
+ * `.len = G_MAXSIZE / 2 + 1`
+ * `.allocated_len = G_MAXSIZE / 2 + 1`
+and `g_string_append()` is called on it with an input string of length
+`G_MAXSIZE / 2`.
+
+This results in a call `g_string_maybe_expand (string, G_MAXSIZE / 2)`,
+which calculates `string->len + len` as `(G_MAXSIZE / 2 + 1) +
+(G_MAXSIZE / 2)` which evaluates to `1` as it overflows. This is not
+greater than `string->allocated_len` (which is `G_MAXSIZE / 2 + 1`), so
+`g_string_expand()` is *not* called, and `g_string_maybe_expand()`
+returns successfully. The caller then assumes that there’s enough space
+in the buffer, and happily continues to cause a buffer overflow.
+
+It’s unlikely anyone could hit this in practice because it requires
+ludicrously big strings and `GString` allocations, which likely would
+have been blocked by other code, but if we’re going to have the overflow
+checks in `GString` then they should be effective.
+
+Spotted by code inspection.
+
+Signed-off-by: Philip Withnall
+---
+ glib/gstring.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/glib/gstring.c b/glib/gstring.c
+index 2a399ee21f..8a489ca0dd 100644
+--- a/glib/gstring.c
++++ b/glib/gstring.c
+@@ -68,10 +68,6 @@ static void
+ g_string_expand (GString *string,
+ gsize len)
+ {
+- /* Detect potential overflow */
+- if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
+- g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
+-
+ string->allocated_len = g_nearest_pow (string->len + len + 1);
+ /* If the new size is bigger than G_MAXSIZE / 2, only allocate enough
+ * memory for this string and don't over-allocate.
+@@ -86,6 +82,10 @@ static inline void
+ g_string_maybe_expand (GString *string,
+ gsize len)
+ {
++ /* Detect potential overflow */
++ if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len)
++ g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len);
++
+ if (G_UNLIKELY (string->len + len >= string->allocated_len))
+ g_string_expand (string, len);
+ }
+--
+GitLab
+
diff --git a/glib2.spec b/glib2.spec
index 1de6403..3ba97b6 100644
--- a/glib2.spec
+++ b/glib2.spec
@@ -1,6 +1,6 @@
 Name: glib2
 Version: 2.78.3
-Release: 8
+Release: 9
 Summary: The core library that forms the basis for projects such as GTK+ and GNOME
 License: LGPLv2+
 URL: https://www.gtk.org
@@ -22,6 +22,7 @@ Patch6008: backport-CVE-2024-52533.patch
 Patch6009: backport-CVE-2025-4056.patch
 Patch6010: backport-CVE-2025-3360.patch
 Patch6011: backport-CVE-2025-4373.patch
+Patch6012: backport-CVE-2025-6052.patch

 BuildRequires: chrpath gcc gcc-c++ gettext perl-interpreter
 BUildRequires: glibc-devel libattr-devel libselinux-devel meson
@@ -206,6 +207,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %endif

 %changelog
+* Fri Jun 27 2025 kouwenqi - 2.78.3-9
+- fix CVE-2025-6052
+
 * Sat May 10 2025 Funda Wang - 2.78.3-8
 - fix CVE-2025-3360, CVE-2025-4373
 - fix symlink of COYPING
--
Gitee
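Review bot: Moving the overflow guard out of g_string_expand() into g_string_maybe_expand() fixes the `string->len + len >= string->allocated_len` wrap on the append path, but it also leaves any other direct caller of g_string_expand() without a check; in upstream gstring.c of this era g_string_sized_new() appears to call g_string_expand() directly (outside this hunk), and with a `dfl_size` of G_MAXSIZE the `string->len + len + 1` on the remaining line would wrap to 0 before the `g_realloc` — please confirm against the 2.78.3 tree being patched. If that caller exists, keeping the three guard lines in g_string_expand() as well (or routing g_string_sized_new() through g_string_maybe_expand()) closes the path at the cost of one subtract-and-compare. The hunk also silently removes the only comment documenting the invariant in g_string_expand(); a one-liner there such as `/* Caller (g_string_maybe_expand) has already rejected len values for which string->len + len + 1 would overflow. */` would make the new precondition explicit for the next reader. Both g_string_expand() and g_string_maybe_expand() start and end inside the hunk, but their callers do not.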