From dc6cbbc94cc2338cb8d7c7e1c362e62af2eaa3ae Mon Sep 17 00:00:00 2001
From: Funda Wang <fundawang@yeah.net>
Date: Sat, 9 Aug 2025 03:03:25 +0800
Subject: [PATCH] fix CVE-2025-7039

---
 backport-CVE-2025-7039.patch | 42 ++++++++++++++++++++++++++++++++++++
 glib2.spec                   |  6 +++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-7039.patch

diff --git a/backport-CVE-2025-7039.patch b/backport-CVE-2025-7039.patch
new file mode 100644
index 0000000..0a1ba5e
--- /dev/null
+++ b/backport-CVE-2025-7039.patch
@@ -0,0 +1,42 @@
+From 8f4da99bf2f112b8e4329d8c44b6ab5dea467cb1 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Tue, 1 Jul 2025 10:58:07 -0500
+Subject: [PATCH] gfileutils: fix computation of temporary file name
+
+We need to ensure that the value we use to index into the letters array
+is always positive.
+
+Fixes #3716
+---
+ glib/gfileutils.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/glib/gfileutils.c b/glib/gfileutils.c
+index bc4bcf1f4d..9930030d25 100644
+--- a/glib/gfileutils.c
++++ b/glib/gfileutils.c
+@@ -1475,9 +1475,9 @@
+   static const char letters[] =
+     "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+   static const int NLETTERS = sizeof (letters) - 1;
+-  glong value;
+-  gint64 now_us;
+-  static int counter = 0;
++  guint64 value;
++  guint64 now_us;
++  static guint counter = 0;
+ 
+   g_return_val_if_fail (tmpl != NULL, -1);
+ 
+@@ -1496,7 +1496,7 @@
+ 
+   for (count = 0; count < 100; value += 7777, ++count)
+     {
+-      glong v = value;
++      guint64 v = value;
+ 
+       /* Fill in the random bits.  */
+       XXXXXX[0] = letters[v % NLETTERS];
+--
+GitLab
+
diff --git a/glib2.spec b/glib2.spec
index 27a271b..a4c85c7 100644
--- a/glib2.spec
+++ b/glib2.spec
@@ -1,6 +1,6 @@
 Name:           glib2
 Version:        2.66.8
-Release:        19
+Release:        20
 Summary:        The core library that forms the basis for projects such as GTK+ and GNOME
 License:        LGPLv2+
 URL:            http://www.gtk.org
@@ -79,6 +79,7 @@ Patch6067:      backport-CVE-2024-52533.patch
 patch6068:      backport-CVE-2025-4056.patch
 Patch6069:      backport-CVE-2025-3360.patch
 Patch6070:      backport-CVE-2025-4373.patch
+Patch6071:      backport-CVE-2025-7039.patch
 
 BuildRequires:  chrpath gcc gcc-c++ gettext perl-interpreter
 %ifnarch i686
@@ -251,6 +252,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %endif
 
 %changelog
+* Sat Aug 09 2025 Funda Wang <fundawang@yeah.net> - 2.66.8-20
+- fix CVE-2025-7039
+
 * Sat May 10 2025 Funda Wang <fundawang@yeah.net> - 2.66.8-19
 - fix CVE-2025-3360, CVE-2025-4373
 
-- 
Gitee