diff --git a/backport-0001-CVE-2021-28153.patch b/backport-0001-CVE-2021-28153.patch
deleted file mode 100644
index 95cda13981543d86e63bd3e576e318ebf460fcce..0000000000000000000000000000000000000000
--- a/backport-0001-CVE-2021-28153.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 78420a75aeb70569a8cd79fa0fea7b786b6f785f Mon Sep 17 00:00:00 2001
-From: Philip Withnall
-Date: Wed, 24 Feb 2021 17:33:38 +0000
-Subject: [PATCH 1/5] glocalfileoutputstream: Fix a typo in a comment
-
-Signed-off-by: Philip Withnall
-
-Conflict:NA
-Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/01c5468e10707cbf78e6e83bbcf1ce9c866f2885
----
- gio/glocalfileoutputstream.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
-index f34c3e439..e3d31d6b3 100644
---- a/gio/glocalfileoutputstream.c
-+++ b/gio/glocalfileoutputstream.c
-@@ -854,7 +854,7 @@ handle_overwrite_open (const char *filename,
- mode = mode_from_flags_or_info (flags, reference_info);
-
- /* We only need read access to the original file if we are creating a backup.
-- * We also add O_CREATE to avoid a race if the file was just removed */
-+ * We also add O_CREAT to avoid a race if the file was just removed */
- if (create_backup || readable)
- open_flags = O_RDWR | O_CREAT | O_BINARY;
- else
---
-GitLab
diff --git a/backport-0002-CVE-2021-28153.patch b/backport-0002-CVE-2021-28153.patch
deleted file mode 100644
index fbfc9f0269102e530a8a6593e2351af087eff076..0000000000000000000000000000000000000000
--- a/backport-0002-CVE-2021-28153.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 32d3d02a50e7dcec5f4cf7908e7ac88d575d8fc5 Mon Sep 17 00:00:00 2001
-From: Philip Withnall
-Date: Wed, 24 Feb 2021 17:34:32 +0000
-Subject: [PATCH 2/5] tests: Stop using g_test_bug_base() in file tests
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Since a following commit is going to add a new test which references
-Gitlab, so it鈥檚 best to move the URI bases inside the test cases.
-
-Signed-off-by: Philip Withnall
-
-Conflict:NA
-Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/01c5468e10707cbf78e6e83bbcf1ce9c866f2885
----
- gio/tests/file.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/gio/tests/file.c b/gio/tests/file.c
-index d8769656c..39d51dadb 100644
---- a/gio/tests/file.c
-+++ b/gio/tests/file.c
-@@ -686,7 +686,7 @@ test_replace_cancel (void)
- guint count;
- GError *error = NULL;
-
-- g_test_bug ("629301");
-+ g_test_bug ("https://bugzilla.gnome.org/629301");
-
- path = g_dir_make_tmp ("g_file_replace_cancel_XXXXXX", &error);
- g_assert_no_error (error);
-@@ -1785,8 +1785,6 @@ main (int argc, char *argv[])
- {
- g_test_init (&argc, &argv, NULL);
-
-- g_test_bug_base ("http://bugzilla.gnome.org/");
--
- g_test_add_func ("/file/basic", test_basic);
- g_test_add_func ("/file/build-filename", test_build_filename);
- g_test_add_func ("/file/parent", test_parent);
---
-GitLab
diff --git a/backport-0003-CVE-2021-28153.patch b/backport-0003-CVE-2021-28153.patch
deleted file mode 100644
index 3af74bffc1010d6333f62e62972ea1937723dd93..0000000000000000000000000000000000000000
--- a/backport-0003-CVE-2021-28153.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From ce0eb088a68171eed3ac217cb92a72e36eb57d1b Mon Sep 17 00:00:00 2001
-From: Philip Withnall
-Date: Wed, 10 Mar 2021 16:05:55 +0000
-Subject: [PATCH 3/5] glocalfileoutputstream: Factor out a flag check
-
-This clarifies the code a little. It introduces no functional changes.
-
-Signed-off-by: Philip Withnall
-
-Conflict:NA
-Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/01c5468e10707cbf78e6e83bbcf1ce9c866f2885
----
- gio/glocalfileoutputstream.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
-index beb8fee..8b087f7 100644
---- a/gio/glocalfileoutputstream.c
-+++ b/gio/glocalfileoutputstream.c
-@@ -847,6 +847,7 @@ handle_overwrite_open (const char *filename,
- int res;
- int mode;
- int errsv;
-+ gboolean replace_destination_set = (flags & G_FILE_CREATE_REPLACE_DESTINATION);
-
- mode = mode_from_flags_or_info (flags, reference_info);
-
-@@ -953,8 +954,8 @@ handle_overwrite_open (const char *filename,
- * The second strategy consist simply in copying the old file
- * to a backup file and rewrite the contents of the file.
- */
--
-- if ((flags & G_FILE_CREATE_REPLACE_DESTINATION) ||
-+
-+ if (replace_destination_set ||
- (!(original_stat.st_nlink > 1) && !is_symlink))
- {
- char *dirname, *tmp_filename;
-@@ -973,7 +974,7 @@ handle_overwrite_open (const char *filename,
-
- /* try to keep permissions (unless replacing) */
-
-- if ( ! (flags & G_FILE_CREATE_REPLACE_DESTINATION) &&
-+ if (!replace_destination_set &&
- (
- #ifdef HAVE_FCHOWN
- fchown (tmpfd, original_stat.st_uid, original_stat.st_gid) == -1 ||
-@@ -1112,7 +1113,7 @@ handle_overwrite_open (const char *filename,
- }
- }
-
-- if (flags & G_FILE_CREATE_REPLACE_DESTINATION)
-+ if (replace_destination_set)
- {
- g_close (fd, NULL);
-
---
-2.23.0
-
diff --git a/backport-0004-CVE-2021-28153.patch b/backport-0004-CVE-2021-28153.patch
deleted file mode 100644
index df0f68f45ea9bf534199dc7e619542ed292ba7f1..0000000000000000000000000000000000000000
--- a/backport-0004-CVE-2021-28153.patch
+++ /dev/null
@@ -1,283 +0,0 @@
-From 317b3b587058a05dca95d56dac26568c5b098d33 Mon Sep 17 00:00:00 2001
-From: Philip Withnall
-Date: Wed, 24 Feb 2021 17:36:07 +0000
-Subject: [PATCH 4/5] glocalfileoutputstream: Fix CREATE_REPLACE_DESTINATION
- with symlinks
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The `G_FILE_CREATE_REPLACE_DESTINATION` flag is equivalent to unlinking
-the destination file and re-creating it from scratch. That did
-previously work, but in the process the code would call `open(O_CREAT)`
-on the file. If the file was a dangling symlink, this would create the
-destination file (empty). That鈥檚 not an intended side-effect, and has
-security implications if the symlink is controlled by a lower-privileged
-process.
-
-Fix that by not opening the destination file if it鈥檚 a symlink, and
-adjusting the rest of the code to cope with
- - the fact that `fd == -1` is not an error iff `is_symlink` is true,
- - and that `original_stat` will contain the `lstat()` results for the
- symlink now, rather than the `stat()` results for its target (again,
- iff `is_symlink` is true).
-
-This means that the target of the dangling symlink is no longer created,
-which was the bug. The symlink itself continues to be replaced (as
-before) with the new file 鈥� this is the intended behaviour of
-`g_file_replace()`.
-
-The behaviour for non-symlink cases, or cases where the symlink was not
-dangling, should be unchanged.
-
-Includes a unit test.
-
-Signed-off-by: Philip Withnall
-
-Fixes: #2325
-
-Conflict:NA
-Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/01c5468e10707cbf78e6e83bbcf1ce9c866f2885
-
----
- gio/glocalfileoutputstream.c | 65 +++++++++++++++------
- gio/tests/file.c | 108 +++++++++++++++++++++++++++++++++++
- 2 files changed, 156 insertions(+), 17 deletions(-)
-
-diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
-index 8b087f7..e6edb5e 100644
---- a/gio/glocalfileoutputstream.c
-+++ b/gio/glocalfileoutputstream.c
-@@ -875,16 +875,22 @@ handle_overwrite_open (const char *filename,
- /* Could be a symlink, or it could be a regular ELOOP error,
- * but then the next open will fail too. */
- is_symlink = TRUE;
-- fd = g_open (filename, open_flags, mode);
-+ if (!replace_destination_set)
-+ fd = g_open (filename, open_flags, mode);
- }
--#else
-- fd = g_open (filename, open_flags, mode);
-- errsv = errno;
-+#else /* if !O_NOFOLLOW */
- /* This is racy, but we do it as soon as possible to minimize the race */
- is_symlink = g_file_test (filename, G_FILE_TEST_IS_SYMLINK);
-+
-+ if (!is_symlink || !replace_destination_set)
-+ {
-+ fd = g_open (filename, open_flags, mode);
-+ errsv = errno;
-+ }
- #endif
-
-- if (fd == -1)
-+ if (fd == -1 &&
-+ (!is_symlink || !replace_destination_set))
- {
- char *display_name = g_filename_display_name (filename);
- g_set_error (error, G_IO_ERROR,
-@@ -894,13 +900,26 @@ handle_overwrite_open (const char *filename,
- g_free (display_name);
- return -1;
- }
--
-+
-+ if (!is_symlink)
-+ {
- #ifdef G_OS_WIN32
-- res = GLIB_PRIVATE_CALL (g_win32_fstat) (fd, &original_stat);
-+ res = GLIB_PRIVATE_CALL (g_win32_fstat) (fd, &original_stat);
- #else
-- res = fstat (fd, &original_stat);
-+ res = fstat (fd, &original_stat);
- #endif
-- errsv = errno;
-+ errsv = errno;
-+ }
-+ else
-+ {
-+#ifdef G_OS_WIN32
-+ res = GLIB_PRIVATE_CALL (g_win32_fstat) (filename, &original_stat);
-+#else
-+ res = fstat (filename, &original_stat);
-+#endif
-+ errsv = errno;
-+ }
-+
-
- if (res != 0)
- {
-@@ -917,16 +936,27 @@ handle_overwrite_open (const char *filename,
- if (!S_ISREG (original_stat.st_mode))
- {
- if (S_ISDIR (original_stat.st_mode))
-- g_set_error_literal (error,
-- G_IO_ERROR,
-- G_IO_ERROR_IS_DIRECTORY,
-- _("Target file is a directory"));
-- else
-- g_set_error_literal (error,
-+ {
-+ g_set_error_literal (error,
-+ G_IO_ERROR,
-+ G_IO_ERROR_IS_DIRECTORY,
-+ _("Target file is a directory"));
-+ goto err_out;
-+ }
-+ else if (!is_symlink ||
-+#ifdef S_ISLNK
-+ !S_ISLNK (original_stat.st_mode)
-+#else
-+ FALSE
-+#endif
-+ )
-+ {
-+ g_set_error_literal (error,
- G_IO_ERROR,
- G_IO_ERROR_NOT_REGULAR_FILE,
- _("Target file is not a regular file"));
-- goto err_out;
-+ goto err_out;
-+ }
- }
-
- if (etag != NULL)
-@@ -1007,7 +1037,8 @@ handle_overwrite_open (const char *filename,
- }
- }
-
-- g_close (fd, NULL);
-+ if (fd >= 0)
-+ g_close (fd, NULL);
- *temp_filename = tmp_filename;
- return tmpfd;
- }
-diff --git a/gio/tests/file.c b/gio/tests/file.c
-index d51ac6d..51b665f 100644
---- a/gio/tests/file.c
-+++ b/gio/tests/file.c
-@@ -804,6 +804,113 @@ test_replace_cancel (void)
- g_object_unref (tmpdir);
- }
-
-+static void
-+test_replace_symlink (void)
-+{
-+#ifdef G_OS_UNIX
-+ gchar *tmpdir_path = NULL;
-+ GFile *tmpdir = NULL, *source_file = NULL, *target_file = NULL;
-+ GFileOutputStream *stream = NULL;
-+ const gchar *new_contents = "this is a test message which should be written to source and not target";
-+ gsize n_written;
-+ GFileEnumerator *enumerator = NULL;
-+ GFileInfo *info = NULL;
-+ gchar *contents = NULL;
-+ gsize length = 0;
-+ GError *local_error = NULL;
-+
-+ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/2325");
-+ g_test_summary ("Test that G_FILE_CREATE_REPLACE_DESTINATION doesn’t follow symlinks");
-+
-+ /* Create a fresh, empty working directory. */
-+ tmpdir_path = g_dir_make_tmp ("g_file_replace_symlink_XXXXXX", &local_error);
-+ g_assert_no_error (local_error);
-+ tmpdir = g_file_new_for_path (tmpdir_path);
-+
-+ g_test_message ("Using temporary directory %s", tmpdir_path);
-+ g_free (tmpdir_path);
-+
-+ /* Create symlink `source` which points to `target`. */
-+ source_file = g_file_get_child (tmpdir, "source");
-+ target_file = g_file_get_child (tmpdir, "target");
-+ g_file_make_symbolic_link (source_file, "target", NULL, &local_error);
-+ g_assert_no_error (local_error);
-+
-+ /* Ensure that `target` doesn’t exist */
-+ g_assert_false (g_file_query_exists (target_file, NULL));
-+
-+ /* Replace the `source` symlink with a regular file using
-+ * %G_FILE_CREATE_REPLACE_DESTINATION, which should replace it *without*
-+ * following the symlink */
-+ stream = g_file_replace (source_file, NULL, FALSE /* no backup */,
-+ G_FILE_CREATE_REPLACE_DESTINATION, NULL, &local_error);
-+ g_assert_no_error (local_error);
-+
-+ g_output_stream_write_all (G_OUTPUT_STREAM (stream), new_contents, strlen (new_contents),
-+ &n_written, NULL, &local_error);
-+ g_assert_no_error (local_error);
-+ g_assert_cmpint (n_written, ==, strlen (new_contents));
-+
-+ g_output_stream_close (G_OUTPUT_STREAM (stream), NULL, &local_error);
-+ g_assert_no_error (local_error);
-+
-+ g_clear_object (&stream);
-+
-+ /* At this point, there should still only be one file: `source`. It should
-+ * now be a regular file. `target` should not exist. */
-+ enumerator = g_file_enumerate_children (tmpdir,
-+ G_FILE_ATTRIBUTE_STANDARD_NAME ","
-+ G_FILE_ATTRIBUTE_STANDARD_TYPE,
-+ G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, NULL, &local_error);
-+ g_assert_no_error (local_error);
-+
-+ info = g_file_enumerator_next_file (enumerator, NULL, &local_error);
-+ g_assert_no_error (local_error);
-+ g_assert_nonnull (info);
-+
-+ g_assert_cmpstr (g_file_info_get_name (info), ==, "source");
-+ g_assert_cmpint (g_file_info_get_file_type (info), ==, G_FILE_TYPE_REGULAR);
-+
-+ g_clear_object (&info);
-+
-+ info = g_file_enumerator_next_file (enumerator, NULL, &local_error);
-+ g_assert_no_error (local_error);
-+ g_assert_null (info);
-+
-+ g_file_enumerator_close (enumerator, NULL, &local_error);
-+ g_assert_no_error (local_error);
-+ g_clear_object (&enumerator);
-+
-+ /* Double-check that `target` doesn’t exist */
-+ g_assert_false (g_file_query_exists (target_file, NULL));
-+
-+ /* Check the content of `source`. */
-+ g_file_load_contents (source_file,
-+ NULL,
-+ &contents,
-+ &length,
-+ NULL,
-+ &local_error);
-+ g_assert_no_error (local_error);
-+ g_assert_cmpstr (contents, ==, new_contents);
-+ g_assert_cmpuint (length, ==, strlen (new_contents));
-+ g_free (contents);
-+
-+ /* Tidy up. */
-+ g_file_delete (source_file, NULL, &local_error);
-+ g_assert_no_error (local_error);
-+
-+ g_file_delete (tmpdir, NULL, &local_error);
-+ g_assert_no_error (local_error);
-+
-+ g_clear_object (&target_file);
-+ g_clear_object (&source_file);
-+ g_clear_object (&tmpdir);
-+#else /* if !G_OS_UNIX */
-+ g_test_skip ("Symlink replacement tests can only be run on Unix")
-+#endif
-+}
-+
- static void
- on_file_deleted (GObject *object,
- GAsyncResult *result,
-@@ -1752,6 +1859,7 @@ main (int argc, char *argv[])
- g_test_add_data_func ("/file/async-create-delete/4096", GINT_TO_POINTER (4096), test_create_delete);
- g_test_add_func ("/file/replace-load", test_replace_load);
- g_test_add_func ("/file/replace-cancel", test_replace_cancel);
-+ g_test_add_func ("/file/replace-symlink", test_replace_symlink);
- g_test_add_func ("/file/async-delete", test_async_delete);
- #ifdef G_OS_UNIX
- g_test_add_func ("/file/copy-preserve-mode", test_copy_preserve_mode);
---
-2.23.0
-
diff --git a/backport-0005-CVE-2021-28153.patch b/backport-0005-CVE-2021-28153.patch
deleted file mode 100644
index 2e819beb4b690d8f46acbcc761f91a48e99c83bb..0000000000000000000000000000000000000000
--- a/backport-0005-CVE-2021-28153.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 6c6439261bc7a8a0627519848a7222b3e1bd4ffe Mon Sep 17 00:00:00 2001
-From: Philip Withnall
-Date: Wed, 24 Feb 2021 17:42:24 +0000
-Subject: [PATCH 5/5] glocalfileoutputstream: Add a missing O_CLOEXEC flag to
- replace()
-
-Signed-off-by: Philip Withnall
-
-Conflict:NA
-Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/01c5468e10707cbf78e6e83bbcf1ce9c866f2885
----
- gio/glocalfileoutputstream.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
-index a2c7e3cc0..4c512ea81 100644
---- a/gio/glocalfileoutputstream.c
-+++ b/gio/glocalfileoutputstream.c
-@@ -63,6 +63,12 @@
- #define O_BINARY 0
- #endif
-
-+#ifndef O_CLOEXEC
-+#define O_CLOEXEC 0
-+#else
-+#define HAVE_O_CLOEXEC 1
-+#endif
-+
- struct _GLocalFileOutputStreamPrivate {
- char *tmp_filename;
- char *original_filename;
-@@ -1239,7 +1245,7 @@ _g_local_file_output_stream_replace (const char *filename,
- sync_on_close = FALSE;
-
- /* If the file doesn't exist, create it */
-- open_flags = O_CREAT | O_EXCL | O_BINARY;
-+ open_flags = O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC;
- if (readable)
- open_flags |= O_RDWR;
- else
-@@ -1269,8 +1275,11 @@ _g_local_file_output_stream_replace (const char *filename,
- set_error_from_open_errno (filename, error);
- return NULL;
- }
--
--
-+#if !defined(HAVE_O_CLOEXEC) && defined(F_SETFD)
-+ else
-+ fcntl (fd, F_SETFD, FD_CLOEXEC);
-+#endif
-+
- stream = g_object_new (G_TYPE_LOCAL_FILE_OUTPUT_STREAM, NULL);
- stream->priv->fd = fd;
- stream->priv->sync_on_close = sync_on_close;
---
-GitLab
diff --git a/backport-CVE-2020-35457.patch b/backport-CVE-2020-35457.patch
deleted file mode 100644
index 66b1b281e638f2653e62fdedc742ebf4fbcfecf6..0000000000000000000000000000000000000000
--- a/backport-CVE-2020-35457.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 63c5b62f0a984fac9a9700b12f54fe878e016a5d Mon Sep 17 00:00:00 2001
-From: Philip Withnall
-Date: Wed, 2 Sep 2020 12:38:09 +0100
-Subject: [PATCH] goption: Add a precondition to avoid GOptionEntry list
- overflow
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-reason:Add a precondition to avoid GOptionEntry list overflow
-Conflict:NA
-Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/63c5b62f0a984fac9a9700b12f54fe878e016a5d
-
-Signed-off-by: Philip Withnall
-
-Fixes: #2197
----
- glib/goption.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/glib/goption.c b/glib/goption.c
-index 9f5b977c4..bb9093a33 100644
---- a/glib/goption.c
-+++ b/glib/goption.c
-@@ -2422,6 +2422,8 @@ g_option_group_add_entries (GOptionGroup *group,
-
- for (n_entries = 0; entries[n_entries].long_name != NULL; n_entries++) ;
-
-+ g_return_if_fail (n_entries <= G_MAXSIZE - group->n_entries);
-+
- group->entries = g_renew (GOptionEntry, group->entries, group->n_entries + n_entries);
-
- /* group->entries could be NULL in the trivial case where we add no
---
-GitLab
-
diff --git a/backport-CVE-2021-27218.patch b/backport-CVE-2021-27218.patch
deleted file mode 100644
index 86f4cdb1c9bb6f7ed10dda6d4babbaea483079a3..0000000000000000000000000000000000000000
--- a/backport-CVE-2021-27218.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From acb7b0ec69f26a7df10af3992359890b09f076e8 Mon Sep 17 00:00:00 2001
-From: Krzesimir Nowak
-Date: Wed, 10 Feb 2021 23:51:07 +0100
-Subject: [PATCH] gbytearray: Do not accept too large byte arrays
-
-GByteArray uses guint for storing the length of the byte array, but it
-also has a constructor (g_byte_array_new_take) that takes length as a
-gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits
-for guint). It is possible to call the function with a value greater
-than G_MAXUINT, which will result in silent length truncation. This
-may happen as a result of unreffing GBytes into GByteArray, so rather
-be loud about it.
-
-(Test case tweaked by Philip Withnall.)
----
- glib/garray.c | 6 ++++++
- glib/gbytes.c | 4 ++++
- 2 files changed, 10 insertions(+)
-
-diff --git a/glib/garray.c b/glib/garray.c
-index de720210c..2b66f16a6 100644
---- a/glib/garray.c
-+++ b/glib/garray.c
-@@ -2261,6 +2261,10 @@ g_byte_array_steal (GByteArray *array,
- * Create byte array containing the data. The data will be owned by the array
- * and will be freed with g_free(), i.e. it could be allocated using g_strdup().
- *
-+ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray
-+ * stores the length of its data in #guint, which may be shorter than
-+ * #gsize.
-+ *
- * Since: 2.32
- *
- * Returns: (transfer full): a new #GByteArray
-@@ -2272,6 +2276,8 @@ g_byte_array_new_take (guint8 *data,
- GByteArray *array;
- GRealArray *real;
-
-+ g_return_val_if_fail (len <= G_MAXUINT, NULL);
-+
- array = g_byte_array_new ();
- real = (GRealArray *)array;
- g_assert (real->data == NULL);
-diff --git a/glib/gbytes.c b/glib/gbytes.c
-index 00fd79155..aaadf451b 100644
---- a/glib/gbytes.c
-+++ b/glib/gbytes.c
-@@ -519,6 +519,10 @@ g_bytes_unref_to_data (GBytes *bytes,
- * g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes(). In all
- * other cases the data is copied.
- *
-+ * Do not use it if @bytes contains more than %G_MAXUINT
-+ * bytes. #GByteArray stores the length of its data in #guint, which
-+ * may be shorter than #gsize, that @bytes is using.
-+ *
- * Returns: (transfer full): a new mutable #GByteArray containing the same byte data
- *
- * Since: 2.32
---
-GitLab
diff --git a/backport-CVE-2021-27219.patch b/backport-CVE-2021-27219.patch
deleted file mode 100644
index 8420bd7bf7e518c369fbd7c2e642a8131272d008..0000000000000000000000000000000000000000
--- a/backport-CVE-2021-27219.patch
+++ /dev/null
@@ -1,808 +0,0 @@
-From f8cf0b8672209e0b829542e194e302f1de169929 Mon Sep 17 00:00:00 2001
-From: Philip Withnall
-Date: Thu, 4 Feb 2021 13:30:52 +0000
-Subject: [PATCH 01/11] gstrfuncs: Add g_memdup2() function
-
-This will replace the existing `g_memdup()` function, which has an
-unavoidable security flaw of taking its `byte_size` argument as a
-`guint` rather than as a `gsize`. Most callers will expect it to be a
-`gsize`, and may pass in large values which could silently be truncated,
-resulting in an undersize allocation compared to what the caller
-expects.
-
-This could lead to a classic buffer overflow vulnerability for many
-callers of `g_memdup()`.
-
-`g_memdup2()`, in comparison, takes its `byte_size` as a `gsize`.
-
-Spotted by Kevin Backhouse of GHSL.
-
-Signed-off-by: Philip Withnall
-Helps: GHSL-2021-045
-Helps: #2319
-
-reason:Fix CVE-2021-27219
-
-Conflict:NA
-Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/20cfc75d148e3be0c026cc7eff3a9cdb72bf5c56
-
-diff -Naur a/docs/reference/glib/glib-sections.txt b/docs/reference/glib/glib-sections.txt
---- a/docs/reference/glib/glib-sections.txt 2021-03-06 09:46:03.657000000 +0800
-+++ b/docs/reference/glib/glib-sections.txt 2021-03-05 14:58:36.022000000 +0800
-@@ -1275,6 +1275,7 @@
-
- g_memmove
- g_memdup
-+g_memdup2
-
-
- GMemVTable
-diff -Naur a/gio/gdatainputstream.c b/gio/gdatainputstream.c
---- a/gio/gdatainputstream.c 2021-03-06 09:46:03.661000000 +0800
-+++ b/gio/gdatainputstream.c 2021-03-05 15:10:26.335000000 +0800
-@@ -856,7 +856,7 @@
- scan_for_chars (GDataInputStream *stream,
- gsize *checked_out,
- const char *stop_chars,
-- gssize stop_chars_len)
-+ gsize stop_chars_len)
- {
- GBufferedInputStream *bstream;
- const char *buffer;
-@@ -952,7 +952,7 @@
- gsize checked;
-
- gchar *stop_chars;
-- gssize stop_chars_len;
-+ gsize stop_chars_len;
- gsize length;
- } GDataInputStreamReadData;
-
-@@ -1078,12 +1078,16 @@
- {
- GDataInputStreamReadData *data;
- GTask *task;
-+ gsize stop_chars_len_unsigned;
-
- data = g_slice_new0 (GDataInputStreamReadData);
-- if (stop_chars_len == -1)
-- stop_chars_len = strlen (stop_chars);
-- data->stop_chars = g_memdup (stop_chars, stop_chars_len);
-- data->stop_chars_len = stop_chars_len;
-+ if (stop_chars_len < 0)
-+ stop_chars_len_unsigned = strlen (stop_chars);
-+ else
-+ stop_chars_len_unsigned = (gsize) stop_chars_len;
-+
-+ data->stop_chars = g_memdup2 (stop_chars, stop_chars_len_unsigned);
-+ data->stop_chars_len = stop_chars_len_unsigned;
- data->last_saw_cr = FALSE;
-
- task = g_task_new (stream, cancellable, callback, user_data);
-@@ -1338,17 +1342,20 @@
- gssize found_pos;
- gssize res;
- char *data_until;
-+ gsize stop_chars_len_unsigned;
-
- g_return_val_if_fail (G_IS_DATA_INPUT_STREAM (stream), NULL);
-
- if (stop_chars_len < 0)
-- stop_chars_len = strlen (stop_chars);
-+ stop_chars_len_unsigned = strlen (stop_chars);
-+ else
-+ stop_chars_len_unsigned = (gsize) stop_chars_len;
-
- bstream = G_BUFFERED_INPUT_STREAM (stream);
-
- checked = 0;
-
-- while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len)) == -1)
-+ while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len_unsigned)) == -1)
- {
- if (g_buffered_input_stream_get_available (bstream) ==
- g_buffered_input_stream_get_buffer_size (bstream))
-diff -Naur a/gio/gdbusconnection.c b/gio/gdbusconnection.c
---- a/gio/gdbusconnection.c 2021-03-06 09:46:03.663000000 +0800
-+++ b/gio/gdbusconnection.c 2021-03-05 15:14:19.973000000 +0800
-@@ -3997,7 +3997,7 @@
- /* Don't waste memory by copying padding - remember to update this
- * when changing struct _GDBusInterfaceVTable in gdbusconnection.h
- */
-- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer));
-+ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer));
- }
-
- static void
-@@ -4014,7 +4014,7 @@
- /* Don't waste memory by copying padding - remember to update this
- * when changing struct _GDBusSubtreeVTable in gdbusconnection.h
- */
-- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer));
-+ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer));
- }
-
- static void
-diff -Naur a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c
---- a/gio/gdbusinterfaceskeleton.c 2021-03-06 09:46:03.663000000 +0800
-+++ b/gio/gdbusinterfaceskeleton.c 2021-03-05 15:36:52.369000000 +0800
-@@ -701,7 +701,7 @@
- * properly before building the hooked_vtable, so we create it
- * once at the last minute.
- */
-- interface_->priv->hooked_vtable = g_memdup (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable));
-+ interface_->priv->hooked_vtable = g_memdup2 (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable));
- interface_->priv->hooked_vtable->method_call = skeleton_intercept_handle_method_call;
- }
-
-diff -Naur a/gio/gfile.c b/gio/gfile.c
---- a/gio/gfile.c 2021-03-06 09:46:03.666000000 +0800
-+++ b/gio/gfile.c 2021-03-05 15:44:25.759000000 +0800
-@@ -7884,7 +7884,7 @@
- g_main_context_invoke_full (g_task_get_context (task),
- g_task_get_priority (task),
- measure_disk_usage_invoke_progress,
-- g_memdup (&progress, sizeof progress),
-+ g_memdup2 (&progress, sizeof progress),
- g_free);
- }
-
-@@ -7902,7 +7902,7 @@
- data->progress_callback ? measure_disk_usage_progress : NULL, task,
- &result.disk_usage, &result.num_dirs, &result.num_files,
- &error))
-- g_task_return_pointer (task, g_memdup (&result, sizeof result), g_free);
-+ g_task_return_pointer (task, g_memdup2 (&result, sizeof result), g_free);
- else
- g_task_return_error (task, error);
- }
-@@ -7926,7 +7926,7 @@
-
- task = g_task_new (file, cancellable, callback, user_data);
- g_task_set_source_tag (task, g_file_real_measure_disk_usage_async);
-- g_task_set_task_data (task, g_memdup (&data, sizeof data), g_free);
-+ g_task_set_task_data (task, g_memdup2 (&data, sizeof data), g_free);
- g_task_set_priority (task, io_priority);
-
- g_task_run_in_thread (task, measure_disk_usage_thread);
-diff -Naur a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
---- a/gio/gkeyfilesettingsbackend.c 2021-03-06 09:46:03.670000000 +0800
-+++ b/gio/gkeyfilesettingsbackend.c 2021-03-05 17:24:26.933000000 +0800
-@@ -145,8 +145,8 @@
- gchar **group,
- gchar **basename)
- {
-- gint key_len = strlen (key);
-- gint i;
-+ gsize key_len = strlen (key);
-+ const gchar *last_slash;
-
- if (key_len < kfsb->prefix_len ||
- memcmp (key, kfsb->prefix, kfsb->prefix_len) != 0)
-@@ -155,38 +155,36 @@
- key_len -= kfsb->prefix_len;
- key += kfsb->prefix_len;
-
-- for (i = key_len; i >= 0; i--)
-- if (key[i] == '/')
-- break;
-+ last_slash = strrchr (key, '/');
-
- if (kfsb->root_group)
- {
- /* if a root_group was specified, make sure the user hasn't given
- * a path that ghosts that group name
- */
-- if (i == kfsb->root_group_len && memcmp (key, kfsb->root_group, i) == 0)
-+ if (last_slash != NULL && (last_slash - key) == kfsb->root_group_len && memcmp (key, kfsb->root_group, last_slash - key) == 0)
- return FALSE;
- }
- else
- {
- /* if no root_group was given, ensure that the user gave a path */
-- if (i == -1)
-+ if (last_slash == NULL)
- return FALSE;
- }
-
- if (group)
- {
-- if (i >= 0)
-+ if (last_slash != NULL)
- {
-- *group = g_memdup (key, i + 1);
-- (*group)[i] = '\0';
-+ *group = g_memdup2 (key, (last_slash - key) + 1);
-+ (*group)[(last_slash - key)] = '\0';
- }
- else
- *group = g_strdup (kfsb->root_group);
- }
-
- if (basename)
-- *basename = g_memdup (key + i + 1, key_len - i);
-+ *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key));
-
- return TRUE;
- }
-diff -Naur a/gio/gsettingsschema.c b/gio/gsettingsschema.c
---- a/gio/gsettingsschema.c 2021-03-06 09:46:03.675000000 +0800
-+++ b/gio/gsettingsschema.c 2021-03-05 16:08:24.724000000 +0800
-@@ -1058,9 +1058,9 @@
-
- if (g_str_has_suffix (key, "/"))
- {
-- gint length = strlen (key);
-+ gsize length = strlen (key);
-
-- strv[j] = g_memdup (key, length);
-+ strv[j] = g_memdup2 (key, length);
- strv[j][length - 1] = '\0';
- j++;
- }
-diff -Naur a/gio/gsocket.c b/gio/gsocket.c
---- a/gio/gsocket.c 2021-03-06 09:46:03.675000000 +0800
-+++ b/gio/gsocket.c 2021-03-05 16:34:42.236000000 +0800
-@@ -174,7 +174,7 @@
- GError **error);
-
- static GSocketAddress *
--cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len);
-+cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len);
-
- static gssize
- g_socket_receive_message_with_timeout (GSocket *socket,
-@@ -260,7 +260,7 @@
- struct {
- GSocketAddress *addr;
- struct sockaddr *native;
-- gint native_len;
-+ gsize native_len;
- guint64 last_used;
- } recv_addr_cache[RECV_ADDR_CACHE_SIZE];
- };
-@@ -5211,14 +5211,14 @@
- }
-
- static GSocketAddress *
--cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len)
-+cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len)
- {
- GSocketAddress *saddr;
- gint i;
- guint64 oldest_time = G_MAXUINT64;
- gint oldest_index = 0;
-
-- if (native_len <= 0)
-+ if (native_len == 0)
- return NULL;
-
- saddr = NULL;
-@@ -5226,7 +5226,7 @@
- {
- GSocketAddress *tmp = socket->priv->recv_addr_cache[i].addr;
- gpointer tmp_native = socket->priv->recv_addr_cache[i].native;
-- gint tmp_native_len = socket->priv->recv_addr_cache[i].native_len;
-+ gsize tmp_native_len = socket->priv->recv_addr_cache[i].native_len;
-
- if (!tmp)
- continue;
-@@ -5256,7 +5256,7 @@
- g_free (socket->priv->recv_addr_cache[oldest_index].native);
- }
-
-- socket->priv->recv_addr_cache[oldest_index].native = g_memdup (native, native_len);
-+ socket->priv->recv_addr_cache[oldest_index].native = g_memdup2 (native, native_len);
- socket->priv->recv_addr_cache[oldest_index].native_len = native_len;
- socket->priv->recv_addr_cache[oldest_index].addr = g_object_ref (saddr);
- socket->priv->recv_addr_cache[oldest_index].last_used = g_get_monotonic_time ();
-@@ -5404,6 +5404,9 @@
- /* do it */
- while (1)
- {
-+ /* addrlen has to be of type int because that’s how WSARecvFrom() is defined */
-+ G_STATIC_ASSERT (sizeof addr <= G_MAXINT);
-+
- addrlen = sizeof addr;
- if (address)
- result = WSARecvFrom (socket->priv->fd,
-diff -Naur a/gio/gtlspassword.c b/gio/gtlspassword.c
---- a/gio/gtlspassword.c 2021-03-06 09:46:03.678000000 +0800
-+++ b/gio/gtlspassword.c 2021-03-05 16:36:55.266000000 +0800
-@@ -287,9 +287,14 @@
- g_return_if_fail (G_IS_TLS_PASSWORD (password));
-
- if (length < 0)
-- length = strlen ((gchar *)value);
-+ {
-+ /* FIXME: g_tls_password_set_value_full() doesn’t support unsigned gsize */
-+ gsize length_unsigned = strlen ((gchar *) value);
-+ g_return_if_fail (length_unsigned > G_MAXSSIZE);
-+ length = (gssize) length_unsigned;
-+ }
-
-- g_tls_password_set_value_full (password, g_memdup (value, length), length, g_free);
-+ g_tls_password_set_value_full (password, g_memdup2 (value, (gsize) length), length, g_free);
- }
-
- /**
-diff -Naur a/gio/gwin32registrykey.c b/gio/gwin32registrykey.c
---- a/gio/gwin32registrykey.c 2021-03-06 09:46:03.680000000 +0800
-+++ b/gio/gwin32registrykey.c 2021-03-05 16:43:04.459000000 +0800
-@@ -125,16 +125,34 @@
- G_WIN32_REGISTRY_UPDATED_PATH = 1,
- } GWin32RegistryKeyUpdateFlag;
-
-+static gsize
-+g_utf16_len (const gunichar2 *str)
-+{
-+ gsize result;
-+
-+ for (result = 0; str[0] != 0; str++, result++)
-+ ;
-+
-+ return result;
-+}
-+
- static gunichar2 *
--g_wcsdup (const gunichar2 *str,
-- gssize str_size)
-+g_wcsdup (const gunichar2 *str, gssize str_len)
- {
-- if (str_size == -1)
-- {
-- str_size = wcslen (str) + 1;
-- str_size *= sizeof (gunichar2);
-- }
-- return g_memdup (str, str_size);
-+ gsize str_len_unsigned;
-+ gsize str_size;
-+
-+ g_return_val_if_fail (str != NULL, NULL);
-+
-+ if (str_len < 0)
-+ str_len_unsigned = g_utf16_len (str);
-+ else
-+ str_len_unsigned = (gsize) str_len;
-+
-+ g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1);
-+ str_size = (str_len_unsigned + 1) * sizeof (gunichar2);
-+
-+ return g_memdup2 (str, str_size);
- }
-
- /**
-@@ -247,7 +265,7 @@
- new_iter->value_name_size = iter->value_name_size;
-
- if (iter->value_data != NULL)
-- new_iter->value_data = g_memdup (iter->value_data, iter->value_data_size);
-+ new_iter->value_data = g_memdup2 (iter->value_data, iter->value_data_size);
-
- new_iter->value_data_size = iter->value_data_size;
-
-@@ -268,8 +286,8 @@
- new_iter->value_data_expanded_charsize = iter->value_data_expanded_charsize;
-
- if (iter->value_data_expanded_u8 != NULL)
-- new_iter->value_data_expanded_u8 = g_memdup (iter->value_data_expanded_u8,
-- iter->value_data_expanded_charsize);
-+ new_iter->value_data_expanded_u8 = g_memdup2 (iter->value_data_expanded_u8,
-+ iter->value_data_expanded_charsize);
-
- new_iter->value_data_expanded_u8_size = iter->value_data_expanded_charsize;
-
-diff -Naur a/gio/tests/async-close-output-stream.c b/gio/tests/async-close-output-stream.c
---- a/gio/tests/async-close-output-stream.c 2021-03-06 09:46:03.682000000 +0800
-+++ b/gio/tests/async-close-output-stream.c 2021-03-05 16:54:17.745000000 +0800
-@@ -147,9 +147,9 @@
-
- data->expected_size = g_memory_output_stream_get_data_size (G_MEMORY_OUTPUT_STREAM (data->data_stream));
-
-- g_assert_cmpint (data->expected_size, >, 0);
-+ g_assert_cmpuint (data->expected_size, >, 0);
-
-- data->expected_output = g_memdup (written, (guint)data->expected_size);
-+ data->expected_output = g_memdup2 (written, data->expected_size);
-
- /* then recreate the streams and prepare them for the asynchronous close */
- destroy_streams (data);
-diff -Naur a/gio/tests/gdbus-export.c b/gio/tests/gdbus-export.c
---- a/gio/tests/gdbus-export.c 2021-03-06 09:46:03.685000000 +0800
-+++ b/gio/tests/gdbus-export.c 2021-03-05 16:56:17.247000000 +0800
-@@ -671,7 +671,7 @@
- g_assert_not_reached ();
- }
-
-- return g_memdup (interfaces, 2 * sizeof (void *));
-+ return g_memdup2 (interfaces, 2 * sizeof (void *));
- }
-
- static const GDBusInterfaceVTable *
-@@ -727,7 +727,7 @@
- {
- const GDBusInterfaceInfo *interfaces[2] = { &dyna_interface_info, NULL };
-
-- return g_memdup (interfaces, 2 * sizeof (void *));
-+ return g_memdup2 (interfaces, 2 * sizeof (void *));
- }
-
- static const GDBusInterfaceVTable *
-diff -Naur a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c
---- a/gio/win32/gwinhttpfile.c 2021-03-06 09:46:03.693000000 +0800
-+++ b/gio/win32/gwinhttpfile.c 2021-03-05 16:58:28.076000000 +0800
-@@ -393,10 +393,10 @@
- child = g_object_new (G_TYPE_WINHTTP_FILE, NULL);
- child->vfs = winhttp_file->vfs;
- child->url = winhttp_file->url;
-- child->url.lpszScheme = g_memdup (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2);
-- child->url.lpszHostName = g_memdup (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2);
-- child->url.lpszUserName = g_memdup (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2);
-- child->url.lpszPassword = g_memdup (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2);
-+ child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, ((gsize) winhttp_file->url.dwSchemeLength + 1) * 2);
-+ child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, ((gsize) winhttp_file->url.dwHostNameLength + 1)
* 2); -+ child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, ((gsize) winhttp_file->url.dwUserNameLength + 1) * 2); -+ child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, ((gsize) winhttp_file->url.dwPasswordLength + 1) * 2); - child->url.lpszUrlPath = wnew_path; - child->url.dwUrlPathLength = wcslen (wnew_path); - child->url.lpszExtraInfo = NULL; -diff -Naur a/glib/gbytes.c b/glib/gbytes.c ---- a/glib/gbytes.c 2021-03-06 09:46:03.721000000 +0800 -+++ b/glib/gbytes.c 2021-03-05 17:29:25.481000000 +0800 -@@ -95,7 +95,7 @@ - { - g_return_val_if_fail (data != NULL || size == 0, NULL); - -- return g_bytes_new_take (g_memdup (data, size), size); -+ return g_bytes_new_take (g_memdup2 (data, size), size); - } - - /** -@@ -499,7 +499,7 @@ - * Copy: Non g_malloc (or compatible) allocator, or static memory, - * so we have to copy, and then unref. - */ -- result = g_memdup (bytes->data, bytes->size); -+ result = g_memdup2 (bytes->data, bytes->size); - *size = bytes->size; - g_bytes_unref (bytes); - } -diff -Naur a/glib/gdir.c b/glib/gdir.c ---- a/glib/gdir.c 2021-03-06 09:46:03.696000000 +0800 -+++ b/glib/gdir.c 2021-03-06 09:11:06.646000000 +0800 -@@ -112,7 +112,7 @@ - return NULL; - #endif - -- return g_memdup (&dir, sizeof dir); -+ return g_memdup2 (&dir, sizeof dir); - } - - /** -diff -Naur a/glib/ghash.c b/glib/ghash.c ---- a/glib/ghash.c 2021-03-06 09:46:03.697000000 +0800 -+++ b/glib/ghash.c 2021-03-06 09:12:58.243000000 +0800 -@@ -964,7 +964,7 @@ - if (hash_table->have_big_keys) - { - if (key != value) -- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size); -+ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size); - /* Keys and values are both big now, so no need for further checks */ - return; - } -@@ -972,7 +972,7 @@ - { - if (key != value) - { -- hash_table->values = g_memdup (hash_table->keys, sizeof (guint) * hash_table->size); -+ hash_table->values = g_memdup2 
(hash_table->keys, sizeof (guint) * hash_table->size); - is_a_set = FALSE; - } - } -@@ -1000,7 +1000,7 @@ - - /* Just split if necessary */ - if (is_a_set && key != value) -- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size); -+ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size); - - #endif - } -diff -Naur a/glib/giochannel.c b/glib/giochannel.c ---- a/glib/giochannel.c 2021-03-06 09:46:03.697000000 +0800 -+++ b/glib/giochannel.c 2021-03-06 09:20:11.237000000 +0800 -@@ -883,16 +883,25 @@ - const gchar *line_term, - gint length) - { -+ guint length_unsigned; -+ - g_return_if_fail (channel != NULL); - g_return_if_fail (line_term == NULL || length != 0); /* Disallow "" */ - - if (line_term == NULL) -- length = 0; -- else if (length < 0) -- length = strlen (line_term); -+ length_unsigned = 0; -+ else if (length >= 0) -+ length_unsigned = (guint) length; -+ else -+ { -+ /* FIXME: We’re constrained by line_term_len being a guint here */ -+ gsize length_size = strlen (line_term); -+ g_return_if_fail (length_size > G_MAXUINT); -+ length_unsigned = (guint) length_size; -+ } - - g_free (channel->line_term); -- channel->line_term = line_term ? g_memdup (line_term, length) : NULL; -+ channel->line_term = line_term ? g_memdup2 (line_term, length_unsigned) : NULL; - channel->line_term_len = length; - } - -diff -Naur a/glib/gstrfuncs.c b/glib/gstrfuncs.c ---- a/glib/gstrfuncs.c 2021-03-06 09:46:03.703000000 +0800 -+++ b/glib/gstrfuncs.c 2021-03-06 09:21:27.836000000 +0800 -@@ -398,6 +398,38 @@ - } - - /** -+ * g_memdup2: -+ * @mem: (nullable): the memory to copy. -+ * @byte_size: the number of bytes to copy. -+ * -+ * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it -+ * from @mem. If @mem is %NULL it returns %NULL. -+ * -+ * This replaces g_memdup(), which was prone to integer overflows when -+ * converting the argument from a #gsize to a #guint. 
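Review bot: `channel->line_term_len = length;` at the end of the glib/giochannel.c hunk still stores the signed parameter, so the recorded length can disagree with the `length_unsigned` bytes that `g_memdup2()` copied. With a negative `length` the field receives that value converted to guint instead of the measured string length, and with a NULL `line_term` it keeps whatever the caller passed instead of 0. The assignment should be `channel->line_term_len = length_unsigned;`. The code that later reads `line_term_len` bytes from `line_term` is outside this hunk, but a recorded length larger than the allocation would presumably turn into an out-of-bounds read there.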
-+ * -+ * Returns: (nullable): a pointer to the newly-allocated copy of the memory, -+ * or %NULL if @mem is %NULL. -+ * Since: 2.68 -+ */ -+gpointer -+g_memdup2 (gconstpointer mem, -+ gsize byte_size) -+{ -+ gpointer new_mem; -+ -+ if (mem && byte_size != 0) -+ { -+ new_mem = g_malloc (byte_size); -+ memcpy (new_mem, mem, byte_size); -+ } -+ else -+ new_mem = NULL; -+ -+ return new_mem; -+} -+ -+/** - * g_strndup: - * @str: the string to duplicate - * @n: the maximum number of bytes to copy from @str -diff -Naur a/glib/gstrfuncs.h b/glib/gstrfuncs.h ---- a/glib/gstrfuncs.h 2021-03-06 09:46:03.703000000 +0800 -+++ b/glib/gstrfuncs.h 2021-03-06 09:23:07.268000000 +0800 -@@ -257,6 +257,10 @@ - gpointer g_memdup (gconstpointer mem, - guint byte_size) G_GNUC_ALLOC_SIZE(2); - -+GLIB_AVAILABLE_IN_ALL -+gpointer g_memdup2 (gconstpointer mem, -+ gsize byte_size) G_GNUC_ALLOC_SIZE(2); -+ - /* NULL terminated string arrays. - * g_strsplit(), g_strsplit_set() split up string into max_tokens tokens - * at delim and return a newly allocated string array. 
-diff -Naur a/glib/gtestutils.c b/glib/gtestutils.c ---- a/glib/gtestutils.c 2021-03-06 09:46:03.704000000 +0800 -+++ b/glib/gtestutils.c 2021-03-06 09:24:38.454000000 +0800 -@@ -3801,7 +3801,7 @@ - if (p <= tbuffer->data->str + mlength) - { - g_string_erase (tbuffer->data, 0, mlength); -- tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup (&msg, sizeof (msg))); -+ tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup2 (&msg, sizeof (msg))); - return TRUE; - } - -diff -Naur a/glib/gvariant.c b/glib/gvariant.c ---- a/glib/gvariant.c 2021-03-06 09:46:03.709000000 +0800 -+++ b/glib/gvariant.c 2021-03-06 09:26:50.164000000 +0800 -@@ -725,7 +725,7 @@ - g_variant_ref_sink (value); - - return g_variant_new_from_children (G_VARIANT_TYPE_VARIANT, -- g_memdup (&value, sizeof value), -+ g_memdup2 (&value, sizeof value), - 1, g_variant_is_trusted (value)); - } - -@@ -1229,7 +1229,7 @@ - return NULL; - } - -- data = g_memdup (elements, n_elements * element_size); -+ data = g_memdup2 (elements, n_elements * element_size); - value = g_variant_new_from_data (array_type, data, - n_elements * element_size, - FALSE, g_free, data); -@@ -1908,7 +1908,7 @@ - if (length) - *length = size; - -- return g_memdup (original, size + 1); -+ return g_memdup2 (original, size + 1); - } - - /** -diff -Naur a/glib/gvarianttype.c b/glib/gvarianttype.c ---- a/glib/gvarianttype.c 2021-03-06 09:46:03.709000000 +0800 -+++ b/glib/gvarianttype.c 2021-03-06 09:28:03.190000000 +0800 -@@ -1181,7 +1181,7 @@ - g_assert (offset < sizeof buffer); - buffer[offset++] = ')'; - -- return (GVariantType *) g_memdup (buffer, offset); -+ return (GVariantType *) g_memdup2 (buffer, offset); - } - - /** -diff -Naur a/glib/tests/array-test.c b/glib/tests/array-test.c ---- a/glib/tests/array-test.c 2021-03-06 09:46:03.712000000 +0800 -+++ b/glib/tests/array-test.c 2021-03-06 09:28:56.467000000 +0800 -@@ -1616,7 +1616,7 @@ - GByteArray *gbarray; - guint8 *data; - -- data = g_memdup ("woooweeewow", 11); -+ data = 
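Review bot: In the glib/gvariant.c hunk at `data = g_memdup2 (elements, n_elements * element_size);` the product is computed before the call, so widening the parameter to gsize does not stop the multiplication itself from wrapping. The same product is passed again as the size to `g_variant_new_from_data()`. The function starts outside the hunk, so an earlier bound on `n_elements` may exist; if it does not, a checked multiply before the copy would close the gap, for example `if (!g_size_checked_mul (&size, n_elements, element_size)) return NULL;` with `size` then used for both calls.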
g_memdup2 ("woooweeewow", 11); - gbarray = g_byte_array_new_take (data, 11); - g_assert (gbarray->data == data); - g_assert_cmpuint (gbarray->len, ==, 11); -diff -Naur a/glib/tests/option-context.c b/glib/tests/option-context.c ---- a/glib/tests/option-context.c 2021-03-06 09:46:03.719000000 +0800 -+++ b/glib/tests/option-context.c 2021-03-06 09:30:07.022000000 +0800 -@@ -256,7 +256,7 @@ - static char ** - copy_stringv (char **argv, int argc) - { -- return g_memdup (argv, sizeof (char *) * (argc + 1)); -+ return g_memdup2 (argv, sizeof (char *) * (argc + 1)); - } - - static void -@@ -2323,7 +2323,7 @@ - g_option_context_add_group (context, group); - - argv = split_string ("program --test arg1 -f arg2 --group-test arg3 --frob arg4 -z arg5", &argc); -- orig_argv = g_memdup (argv, (argc + 1) * sizeof (char *)); -+ orig_argv = g_memdup2 (argv, (argc + 1) * sizeof (char *)); - - retval = g_option_context_parse (context, &argc, &argv, &error); - -diff -Naur a/glib/tests/strfuncs.c b/glib/tests/strfuncs.c ---- a/glib/tests/strfuncs.c 2021-03-06 09:46:03.720000000 +0800 -+++ b/glib/tests/strfuncs.c 2021-03-06 09:33:09.312000000 +0800 -@@ -219,6 +219,26 @@ - g_free (str_dup); - } - -+/* Testing g_memdup2() function with various positive and negative cases */ -+static void -+test_memdup2 (void) -+{ -+ gchar *str_dup = NULL; -+ const gchar *str = "The quick brown fox jumps over the lazy dog"; -+ -+ /* Testing negative cases */ -+ g_assert_null (g_memdup2 (NULL, 1024)); -+ g_assert_null (g_memdup2 (str, 0)); -+ g_assert_null (g_memdup2 (NULL, 0)); -+ -+ /* Testing normal usage cases */ -+ str_dup = g_memdup2 (str, strlen (str) + 1); -+ g_assert_nonnull (str_dup); -+ g_assert_cmpstr (str, ==, str_dup); -+ -+ g_free (str_dup); -+} -+ - /* Testing g_strpcpy() function with various positive and negative cases */ - static void - test_stpcpy (void) -@@ -2523,6 +2543,7 @@ - g_test_add_func ("/strfuncs/has-prefix", test_has_prefix); - g_test_add_func ("/strfuncs/has-suffix", 
test_has_suffix); - g_test_add_func ("/strfuncs/memdup", test_memdup); -+ g_test_add_func ("/strfuncs/memdup2", test_memdup2); - g_test_add_func ("/strfuncs/stpcpy", test_stpcpy); - g_test_add_func ("/strfuncs/str_match_string", test_str_match_string); - g_test_add_func ("/strfuncs/str_tokenize_and_fold", test_str_tokenize_and_fold); -diff -Naur a/gobject/gsignal.c b/gobject/gsignal.c ---- a/gobject/gsignal.c 2021-03-06 09:46:03.722000000 +0800 -+++ b/gobject/gsignal.c 2021-03-06 09:36:46.688000000 +0800 -@@ -1730,7 +1730,7 @@ - node->single_va_closure_is_valid = FALSE; - node->flags = signal_flags & G_SIGNAL_FLAGS_MASK; - node->n_params = n_params; -- node->param_types = g_memdup (param_types, sizeof (GType) * n_params); -+ node->param_types = g_memdup2 (param_types, sizeof (GType) * n_params); - node->return_type = return_type; - node->class_closure_bsa = NULL; - if (accumulator) -diff -Naur a/gobject/gtype.c b/gobject/gtype.c ---- a/gobject/gtype.c 2021-03-06 09:46:03.724000000 +0800 -+++ b/gobject/gtype.c 2021-03-06 09:38:47.030000000 +0800 -@@ -1470,7 +1470,7 @@ - iholder->next = iface_node_get_holders_L (iface); - iface_node_set_holders_W (iface, iholder); - iholder->instance_type = NODE_TYPE (node); -- iholder->info = info ? g_memdup (info, sizeof (*info)) : NULL; -+ iholder->info = info ? 
g_memdup2 (info, sizeof (*info)) : NULL; - iholder->plugin = plugin; - - /* create an iface entry for this type */ -@@ -1731,7 +1731,7 @@ - INVALID_RECURSION ("g_type_plugin_*", iholder->plugin, NODE_NAME (iface)); - - check_interface_info_I (iface, instance_type, &tmp_info); -- iholder->info = g_memdup (&tmp_info, sizeof (tmp_info)); -+ iholder->info = g_memdup2 (&tmp_info, sizeof (tmp_info)); - } - - return iholder; /* we don't modify write lock upon returning NULL */ -@@ -2016,10 +2016,10 @@ - IFaceEntry *pentry = type_lookup_iface_entry_L (pnode, iface); - - if (pentry) -- vtable = g_memdup (pentry->vtable, iface->data->iface.vtable_size); -+ vtable = g_memdup2 (pentry->vtable, iface->data->iface.vtable_size); - } - if (!vtable) -- vtable = g_memdup (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size); -+ vtable = g_memdup2 (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size); - entry->vtable = vtable; - vtable->g_type = NODE_TYPE (iface); - vtable->g_instance_type = NODE_TYPE (node); -diff -Naur a/gobject/gtypemodule.c b/gobject/gtypemodule.c ---- a/gobject/gtypemodule.c 2021-03-06 09:46:03.724000000 +0800 -+++ b/gobject/gtypemodule.c 2021-03-06 09:39:57.337000000 +0800 -@@ -436,7 +436,7 @@ - module_type_info->loaded = TRUE; - module_type_info->info = *type_info; - if (type_info->value_table) -- module_type_info->info.value_table = g_memdup (type_info->value_table, -+ module_type_info->info.value_table = g_memdup2 (type_info->value_table, - sizeof (GTypeValueTable)); - - return module_type_info->type; -diff -Naur a/gobject/tests/param.c b/gobject/tests/param.c ---- a/gobject/tests/param.c 2021-03-06 09:46:03.725000000 +0800 -+++ b/gobject/tests/param.c 2021-03-06 09:40:28.446000000 +0800 -@@ -851,7 +851,7 @@ - test_path = g_strdup_printf ("/param/implement/subprocess/%d-%d-%d-%d", - data.change_this_flag, data.change_this_type, - data.use_this_flag, data.use_this_type); -- test_data = g_memdup (&data, sizeof (TestParamImplementData)); 
-+ test_data = g_memdup2 (&data, sizeof (TestParamImplementData)); - g_test_add_data_func_full (test_path, test_data, test_param_implement_child, g_free); - g_free (test_path); - } -diff -Naur a/gio/gwin32appinfo.c b/gio/gwin32appinfo.c -index 9f335b3..2a0fe38 100644 ---- a/gio/gwin32appinfo.c -+++ b/gio/gwin32appinfo.c -@@ -472,7 +472,7 @@ g_wcsdup (const gunichar2 *str, gssize str_size) - str_size = wcslen (str) + 1; - str_size *= sizeof (gunichar2); - } -- return g_memdup (str, str_size); -+ return g_memdup2 (str, str_size); - } - - #define URL_ASSOCIATIONS L"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\" diff --git a/fix-accidentally-delete-temp-file-within-dtrace.patch b/fix-accidentally-delete-temp-file-within-dtrace.patch deleted file mode 100644 index e3eea52b7b7cf9115edb4c6972865043029952ba..0000000000000000000000000000000000000000 --- a/fix-accidentally-delete-temp-file-within-dtrace.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From c89133504b600c653d56e56648764e49f5f127cc Mon Sep 17 00:00:00 2001 -From: hexiujun -Date: Mon, 2 Mar 2020 10:49:04 +0800 -Subject: [PATCH] fix accidentally delete temp file within dtrace - ---- - meson.build | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/meson.build b/meson.build -index d1551bd..4e56f06 100644 ---- a/meson.build -+++ b/meson.build -@@ -2066,12 +2066,12 @@ if want_dtrace - # FIXME: autotools build also passes -fPIC -DPIC but is it needed in this case? - dtrace_obj_gen = generator(dtrace, - output : '@BASENAME@.o', -- arguments : ['-G', '-s', '@INPUT@', '-o', '@OUTPUT@']) -+ arguments : ['-G', '-k', '-s', '@INPUT@', '-o', '@OUTPUT@']) - # FIXME: $(SED) -e "s,define STAP_HAS_SEMAPHORES 1,undef STAP_HAS_SEMAPHORES," - # -e "s,define _SDT_HAS_SEMAPHORES 1,undef _SDT_HAS_SEMAPHORES," - dtrace_hdr_gen = generator(dtrace, - output : '@BASENAME@.h', -- arguments : ['-h', '-s', '@INPUT@', '-o', '@OUTPUT@']) -+ arguments : ['-h', '-k', '-s', '@INPUT@', '-o', '@OUTPUT@']) - glib_conf.set('HAVE_DTRACE', 1) - enable_dtrace = true - endif --- -1.8.3.1 - diff --git a/glib-2.62.5.tar.xz b/glib-2.66.8.tar.xz similarity index 39% rename from glib-2.62.5.tar.xz rename to glib-2.66.8.tar.xz index f8ab5fa4fdd911c05262f16e9aa9e922a356afd9..967f3dfc0e89c66aa7f6846c05d8a49115795813 100644 Binary files a/glib-2.62.5.tar.xz and b/glib-2.66.8.tar.xz differ diff --git a/glib2.spec b/glib2.spec index 57ab985dafc61b24efe621b79370a56fd829e97e..c1cbb6dc15d52a0b96e7ae67168e3658596c7dbc 100644 --- a/glib2.spec +++ b/glib2.spec 
@@ -1,20 +1,10 @@ Name: glib2 -Version: 2.62.5 -Release: 5 +Version: 2.66.8 +Release: 1 Summary: The core library that forms the basis for projects such as GTK+ and GNOME License: LGPLv2+ URL: http://www.gtk.org -Source0: http://download.gnome.org/sources/glib/2.62/glib-%{version}.tar.xz - -Patch9001: fix-accidentally-delete-temp-file-within-dtrace.patch -Patch6000: backport-CVE-2020-35457.patch -Patch6001: backport-CVE-2021-27218.patch -Patch6002: backport-CVE-2021-27219.patch -Patch6003: backport-0001-CVE-2021-28153.patch -Patch6004: backport-0002-CVE-2021-28153.patch -Patch6005: backport-0003-CVE-2021-28153.patch -Patch6006: backport-0004-CVE-2021-28153.patch -Patch6007: backport-0005-CVE-2021-28153.patch +Source0: http://download.gnome.org/sources/glib/2.66/glib-%{version}.tar.xz BuildRequires: chrpath gcc gcc-c++ gettext gtk-doc perl-interpreter BUildRequires: glibc-devel libattr-devel libselinux-devel meson @@ -109,7 +99,6 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %{_datadir}/bash-completion/completions/gsettings %{_bindir}/gio -%{_bindir}/gio-launch-desktop %{_bindir}/gio-querymodules* %{_bindir}/glib-compile-schemas %{_bindir}/gsettings @@ -151,6 +140,12 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %doc %{_datadir}/gtk-doc/html/* %changelog +* Wed May 19 2021 weijin deng - 2.66.8-1 +- Upgrade to 2.66.8 +- Update Version, Release +- Delete patch files, delete gio-launch-desktop(not exist in 2.66.8) +- Correct date, make it match weekday + * Tue Apr 13 2021 hanhui - 2.62.5-5 - Type:cve - Id:CVE-2021-28153 @@ -175,7 +170,7 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : - SUG:NA - DESC:fix CVE-2020-35457 -* Thu Jul 21 2020 hanhui - 2.62.5-1 +* Tue Jul 21 2020 hanhui - 2.62.5-1 - Update to 2.62.5 * Mon Mar 2 2020 hexiujun - 2.62.1-4