From 98b5def6dcd2a1d2257a2c8cb212e7f8be16765a Mon Sep 17 00:00:00 2001
From: Funda Wang <fundawang@yeah.net>
Date: Sat, 9 Aug 2025 02:48:27 +0800
Subject: [PATCH] fix CVE-2025-7039

---
 backport-CVE-2025-7039.patch | 42 ++++++++++++++++++++++++++++++++++++
 glib2.spec                   |  6 +++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-7039.patch

diff --git a/backport-CVE-2025-7039.patch b/backport-CVE-2025-7039.patch
new file mode 100644
index 0000000..d34ea8f
--- /dev/null
+++ b/backport-CVE-2025-7039.patch
@@ -0,0 +1,42 @@
+From 8f4da99bf2f112b8e4329d8c44b6ab5dea467cb1 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Tue, 1 Jul 2025 10:58:07 -0500
+Subject: [PATCH] gfileutils: fix computation of temporary file name
+
+We need to ensure that the value we use to index into the letters array
+is always positive.
+
+Fixes #3716
+---
+ glib/gfileutils.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/glib/gfileutils.c b/glib/gfileutils.c
+index bc4bcf1f4d..9930030d25 100644
+--- a/glib/gfileutils.c
++++ b/glib/gfileutils.c
+@@ -1517,9 +1517,9 @@ get_tmp_file (gchar            *tmpl,
+   static const char letters[] =
+     "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+   static const int NLETTERS = sizeof (letters) - 1;
+-  gint64 value;
+-  gint64 now_us;
+-  static int counter = 0;
++  guint64 value;
++  guint64 now_us;
++  static guint counter = 0;
+ 
+   g_return_val_if_fail (tmpl != NULL, -1);
+ 
+@@ -1538,7 +1538,7 @@ get_tmp_file (gchar            *tmpl,
+ 
+   for (count = 0; count < 100; value += 7777, ++count)
+     {
+-      gint64 v = value;
++      guint64 v = value;
+ 
+       /* Fill in the random bits.  */
+       XXXXXX[0] = letters[v % NLETTERS];
+-- 
+GitLab
+
diff --git a/glib2.spec b/glib2.spec
index 3ba97b6..bcba6f3 100644
--- a/glib2.spec
+++ b/glib2.spec
@@ -1,6 +1,6 @@
 Name:           glib2
 Version:        2.78.3
-Release:        9
+Release:        10
 Summary:        The core library that forms the basis for projects such as GTK+ and GNOME
 License:        LGPLv2+
 URL:            https://www.gtk.org
@@ -23,6 +23,7 @@ Patch6009:  backport-CVE-2025-4056.patch
 Patch6010:  backport-CVE-2025-3360.patch
 Patch6011:  backport-CVE-2025-4373.patch
 Patch6012:  backport-CVE-2025-6052.patch
+Patch6013:  backport-CVE-2025-7039.patch
 
 BuildRequires:  chrpath gcc gcc-c++ gettext perl-interpreter
 BUildRequires:  glibc-devel libattr-devel libselinux-devel meson
@@ -207,6 +208,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %endif
 
 %changelog
+* Sat Aug 09 2025 Funda Wang <fundawang@yeah.net> - 2.78.3-10
+- fix CVE-2025-7039
+
 * Fri Jun 27 2025 kouwenqi <kouwenqi@kylinos.cn> - 2.78.3-9
 - fix CVE-2025-6052
 
-- 
Gitee