diff --git a/glib2.spec b/glib2.spec
index 07d07159548c6fcb2507a37f2f712782aae44821..1f17f43c7f7a84ffa3368a01d07f99d83898fc0b 100644
--- a/glib2.spec
+++ b/glib2.spec
@@ -1,6 +1,6 @@
 Name: glib2
 Version: 2.72.2
-Release: 14
+Release: 15
 Summary: The core library that forms the basis for projects such as GTK+ and GNOME
 License: LGPLv2+
 URL: http://www.gtk.org
@@ -79,6 +79,12 @@ Patch6068: backport-gutils-Fix-an-unlikely-minor-leak-in-g_build_user_data_
 Patch6069: backport-openharmony-adapt.patch
 Patch6070: backport-openharmony-dummy.patch
+patch6081: backport-gdatainputstream-Fix-length-return-value-on-UTF-8-validation-failure.patch
+patch6082: backport-giochannel-ensure-line-terminator-remains-nul-terminated-if-needed.patch
+patch6083: backport-gio-Fix-GFileEnumerator-leaks-in-gio-tools.patch
+patch6084: backport-gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connect-messages.patch
+patch6085: backport-gutils-Fix-unlikely-minor-leaks-in-xdg-directory-functions.patch
+
 BuildRequires: chrpath gcc gcc-c++ gettext perl-interpreter
 BUildRequires: glibc-devel libattr-devel libselinux-devel meson
@@ -265,6 +271,12 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %endif
 %changelog
+* Sun Dec 15 2024 wangdingbang - 2.72.2-15
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix memory leak, buffer overflow and some error
+
 * Mon Feb 19 2024 hanhuihui - 2.72.2-14
 - disable sysprof
diff --git a/patch/backport-gdatainputstream-Fix-length-return-value-on-UTF-8-validation-failure.patch b/patch/backport-gdatainputstream-Fix-length-return-value-on-UTF-8-validation-failure.patch
new file mode 100644
index 0000000000000000000000000000000000000000..aea82c0f43e26c5ccd563a7ef8af05f5422d8852
--- /dev/null
+++ b/patch/backport-gdatainputstream-Fix-length-return-value-on-UTF-8-validation-failure.patch
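Review bot: The five new tags in the `@@ -79,6 +79,12 @@` hunk are spelled `patch6081:` … `patch6085:` in lowercase while every existing tag around them uses `Patch6069:`; rpm treats tag names case-insensitively, so this builds, but it breaks grepping and reads as a typo, so write them as `Patch6081: …` through `Patch6085: …`. The numbering also jumps from 6070 to 6081, which is fine if it is a deliberate reservation but deserves a one-line comment above the block. The `%prep` section is not in this diff, so I cannot see whether patches are applied via `%autosetup`/`%autopatch` or by explicit `%patch` lines; in the latter case five matching `%patch` lines are still missing and the backports would be declared but never applied.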
@@ -0,0 +1,140 @@ +From 066fefafa02c01256338c22d1138f8e74acb86b4 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Sat, 12 Oct 2024 12:56:00 +0100 +Subject: [PATCH] tests: Use g_assert_*() rather than g_assert() in + GDataInputStream tests +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It won’t get compiled out with `G_DISABLE_ASSERT`. + + +Conflict:NA +Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/066fefafa02c01256338c22d1138f8e74acb86b4 + +Signed-off-by: Philip Withnall +--- + gio/tests/data-input-stream.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/gio/tests/data-input-stream.c b/gio/tests/data-input-stream.c +index 8a1e8fb288..6934817773 100644 +--- a/gio/tests/data-input-stream.c ++++ b/gio/tests/data-input-stream.c +@@ -80,9 +80,9 @@ test_read_lines (GDataStreamNewlineType newline_type) + lines[i] = "some_text"; + + base_stream = g_memory_input_stream_new (); +- g_assert (base_stream != NULL); ++ g_assert_nonnull (base_stream); + stream = G_INPUT_STREAM (g_data_input_stream_new (base_stream)); +- g_assert(stream != NULL); ++ g_assert_nonnull (stream); + + /* Byte order testing */ + g_data_input_stream_set_byte_order (G_DATA_INPUT_STREAM (stream), G_DATA_STREAM_BYTE_ORDER_BIG_ENDIAN); +@@ -210,7 +210,7 @@ test_read_lines_LF_invalid_utf8 (void) + g_assert_no_error (error); + else + { +- g_assert (error != NULL); ++ g_assert_error (error, G_CONVERT_ERROR, G_CONVERT_ERROR_ILLEGAL_SEQUENCE); + g_clear_error (&error); + g_free (line); + break; +@@ -354,7 +354,7 @@ test_read_upto (void) + line++; + + stop_char = g_data_input_stream_read_byte (G_DATA_INPUT_STREAM (stream), NULL, &error); +- g_assert (memchr (DATA_SEP, stop_char, DATA_SEP_LEN) != NULL); ++ g_assert_nonnull (memchr (DATA_SEP, stop_char, DATA_SEP_LEN)); + g_assert_no_error (error); + } + g_free (data); +-- +GitLab + +From 9f70c964a08d09ef82933126eeadb9a82fba92ef Mon Sep 17 00:00:00 2001 +From: Philip 
Withnall +Date: Sat, 12 Oct 2024 13:02:27 +0100 +Subject: [PATCH 2/2] gdatainputstream: Fix length return value on UTF-8 + validation failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The method was correctly returning an error from +`g_data_input_stream_read_line_utf8()` if the line contained invalid +UTF-8, but it wasn鈥檛 correctly setting the returned line length to 0. +This could have caused problems if callers were basing subsequent logic +on the length and not the return value nullness or `GError`. + +Signed-off-by: Philip Withnall + +oss-fuzz#372819437 +--- + gio/gdatainputstream.c | 4 ++++ + gio/tests/data-input-stream.c | 18 ++++++++++++++++-- + 2 files changed, 20 insertions(+), 2 deletions(-) + +diff --git a/gio/gdatainputstream.c b/gio/gdatainputstream.c +index ce61759510..ef728f006e 100644 +--- a/gio/gdatainputstream.c ++++ b/gio/gdatainputstream.c +@@ -840,7 +840,11 @@ g_data_input_stream_read_line_utf8 (GDataInputStream *stream, + g_set_error_literal (error, G_CONVERT_ERROR, + G_CONVERT_ERROR_ILLEGAL_SEQUENCE, + _("Invalid byte sequence in conversion input")); ++ ++ if (length != NULL) ++ *length = 0; + g_free (res); ++ + return NULL; + } + return res; +diff --git a/gio/tests/data-input-stream.c b/gio/tests/data-input-stream.c +index 6934817773..11c997bceb 100644 +--- a/gio/tests/data-input-stream.c ++++ b/gio/tests/data-input-stream.c +@@ -174,8 +174,17 @@ test_read_lines_LF_valid_utf8 (void) + gsize length = -1; + line = g_data_input_stream_read_line_utf8 (G_DATA_INPUT_STREAM (stream), &length, NULL, &error); + g_assert_no_error (error); ++ + if (line == NULL) +- break; ++ { ++ g_assert_cmpuint (length, ==, 0); ++ break; ++ } ++ else ++ { ++ g_assert_cmpuint (length, >, 0); ++ } ++ + n_lines++; + g_free (line); + } +@@ -207,11 +216,16 @@ test_read_lines_LF_invalid_utf8 (void) + gsize length = -1; + line = g_data_input_stream_read_line_utf8 (G_DATA_INPUT_STREAM (stream), &length, NULL, &error); + 
if (n_lines == 0) +- g_assert_no_error (error); ++ { ++ /* First line is valid UTF-8 */ ++ g_assert_no_error (error); ++ g_assert_cmpuint (length, ==, 3); ++ } + else + { + g_assert_error (error, G_CONVERT_ERROR, G_CONVERT_ERROR_ILLEGAL_SEQUENCE); + g_clear_error (&error); ++ g_assert_cmpuint (length, ==, 0); + g_free (line); + break; + } +-- +GitLab + diff --git a/patch/backport-gio-Fix-GFileEnumerator-leaks-in-gio-tools.patch b/patch/backport-gio-Fix-GFileEnumerator-leaks-in-gio-tools.patch new file mode 100644 index 0000000000000000000000000000000000000000..21ef422cbb12406c200598acf2219acc2c26ffe3 --- /dev/null +++ b/patch/backport-gio-Fix-GFileEnumerator-leaks-in-gio-tools.patch 
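Review bot: The patch file bundles two upstream commits (066fefafa02c01256338c22d1138f8e74acb86b4 for the test cleanup and 9f70c964a08d09ef82933126eeadb9a82fba92ef for the actual fix), but only the first carries the `Conflict:`/`Reference:` trailer this package uses; the second commit's header has no such line, so add `Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/9f70c964a08d09ef82933126eeadb9a82fba92ef` there so the provenance of the code change is traceable. The second commit message also contains mojibake (`wasn鈥檛` for "wasn't"), which shows the patch text was re-encoded at some point; it should be stored as UTF-8 so the author's message survives `git am` intact. The code change itself, `if (length != NULL) *length = 0;` before `g_free (res)` in g_data_input_stream_read_line_utf8, looks correct and the new tests pin both the valid and the invalid-UTF-8 length; the enclosing function begins and ends outside the hunk.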
@@ -0,0 +1,56 @@
+From 5b2da7ecb3b509f1a4d72284fdba025db1261d70 Mon Sep 17 00:00:00 2001
+From: correctmost <136447-correctmost@users.noreply.gitlab.gnome.org>
+Date: Sat, 2 Nov 2024 17:06:37 -0400
+Subject: [PATCH] gio: Fix GFileEnumerator leaks in gio tools
+
+Conflict:NA
+Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/5b2da7ecb3b509f1a4d72284fdba025db1261d70
+
+---
+ gio/gio-tool-list.c | 2 ++
+ gio/gio-tool-trash.c | 2 ++
+ gio/gio-tool-tree.c | 2 +-
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/gio/gio-tool-list.c b/gio/gio-tool-list.c
+index 0da86269d1..aafdb85af7 100644
+--- a/gio/gio-tool-list.c
++++ b/gio/gio-tool-list.c
+@@ -157,6 +157,8 @@ list (GFile *file)
+ res = FALSE;
+ }
+
++ g_object_unref (enumerator);
++
+ return res;
+ }
+
+diff --git a/gio/gio-tool-trash.c b/gio/gio-tool-trash.c
+index 6e6137f2ad..65a29f8490 100644
+--- a/gio/gio-tool-trash.c
++++ b/gio/gio-tool-trash.c
+@@ -204,6 +204,8 @@ trash_list (GFile *file,
+ res = FALSE;
+ }
+
++ g_object_unref (enumerator);
++
+ return res;
+ }
+
+diff --git a/gio/gio-tool-tree.c b/gio/gio-tool-tree.c
+index 28fad051f0..e26fb6a7a8 100644
+--- a/gio/gio-tool-tree.c
++++ b/gio/gio-tool-tree.c
+@@ -106,7 +106,7 @@ do_tree (GFile *f, unsigned int level, guint64 pattern)
+ info_list = g_list_prepend (info_list, info);
+ }
+ }
+- g_file_enumerator_close (enumerator, NULL, NULL);
++ g_object_unref (enumerator);
+
+ info_list = g_list_sort (info_list, (GCompareFunc) sort_info_by_name);
+
+--
+GitLab
+
diff --git a/patch/backport-giochannel-ensure-line-terminator-remains-nul-terminated-if-needed.patch b/patch/backport-giochannel-ensure-line-terminator-remains-nul-terminated-if-needed.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1b1164b97fcf119d95813642237d0574970fc0c9
--- /dev/null
+++ b/patch/backport-giochannel-ensure-line-terminator-remains-nul-terminated-if-needed.patch
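Review bot: In the gio-tool-tree.c hunk the explicit `g_file_enumerator_close (enumerator, NULL, NULL);` is replaced by `g_object_unref (enumerator);`, so closing the enumerator now relies on GFileEnumerator's dispose closing it when it is still open; as far as I recall GLib does that, but a one-line comment, `/* dispose closes the enumerator if it is still open */`, would keep the next reader from re-adding the close call. In gio-tool-list.c and gio-tool-trash.c the unref sits immediately before the final `return res;`; both enclosing functions start outside the hunk, so any early `return` between obtaining the enumerator and this point would still leak, and whether `enumerator` can be NULL here depends on the error path above — both are worth a quick look before merging.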
@@ -0,0 +1,111 @@ +From 7c6b11df2d622f4ef83a16ea875e18334c38302e Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Tue, 10 Sep 2024 16:50:38 -0500 +Subject: [PATCH] giochannel: ensure line terminator remains nul-terminated if + needed + +If the user passes -1 length to g_io_channel_set_line_term() along with +a nul-terminated string, then calls g_io_channel_get_line_term() and +decides to treat the result as nul-terminated rather than checking the +length parameter, then the application will have a problem, because it's +not nul-terminated. That's weird, since the input string was. Let's +ensure the result is consistent: if you pass a nul-terminated string, +the result is nul-terminated. If not, it's not. + +Also add a warning to g_io_channel_get_line_term(), since it's very +strange for a gchar * return value to be anything other than a +nul-terminated UTF-8 string. This is an API design bug, but we cannot +fix it. + +Conflict:NA +Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/7c6b11df2d622f4ef83a16ea875e18334c38302e + +--- + glib/giochannel.c | 28 +++++++++++++++++----------- + glib/tests/io-channel.c | 7 +++++++ + 2 files changed, 24 insertions(+), 11 deletions(-) + +diff --git a/glib/giochannel.c b/glib/giochannel.c +index b44fff35b1..e54aea2568 100644 +--- a/glib/giochannel.c ++++ b/glib/giochannel.c +@@ -877,26 +877,31 @@ g_io_channel_set_line_term (GIOChannel *channel, + const gchar *line_term, + gint length) + { +- guint length_unsigned; +- + g_return_if_fail (channel != NULL); + g_return_if_fail (line_term == NULL || length != 0); /* Disallow "" */ + ++ g_free (channel->line_term); ++ + if (line_term == NULL) +- length_unsigned = 0; ++ { ++ channel->line_term = NULL; ++ channel->line_term_len = 0; ++ } + else if (length >= 0) +- length_unsigned = (guint) length; ++ { ++ /* We store the value nul-terminated even if the input is not */ ++ channel->line_term = g_malloc0 (length + 1); ++ memcpy (channel->line_term, line_term, length); ++ 
channel->line_term_len = (guint) length; ++ } + else + { +- /* FIXME: We’re constrained by line_term_len being a guint here */ ++ /* We’re constrained by line_term_len being a guint here */ + gsize length_size = strlen (line_term); + g_return_if_fail (length_size <= G_MAXUINT); +- length_unsigned = (guint) length_size; ++ channel->line_term = g_strdup (line_term); ++ channel->line_term_len = (guint) length_size; + } +- +- g_free (channel->line_term); +- channel->line_term = line_term ? g_memdup2 (line_term, length_unsigned) : NULL; +- channel->line_term_len = length_unsigned; + } + + /** +@@ -906,7 +911,8 @@ g_io_channel_set_line_term (GIOChannel *channel, + * + * This returns the string that #GIOChannel uses to determine + * where in the file a line break occurs. A value of %NULL +- * indicates autodetection. ++ * indicates autodetection. Since 2.84, the return value is always ++ * nul-terminated. + * + * Returns: The line termination string. This value + * is owned by GLib and must not be freed. +diff --git a/glib/tests/io-channel.c b/glib/tests/io-channel.c +index c5dd01d04e..99879be1b1 100644 +--- a/glib/tests/io-channel.c ++++ b/glib/tests/io-channel.c +@@ -178,6 +178,8 @@ test_read_line_embedded_nuls (void) + GError *local_error = NULL; + gchar *line = NULL; + gsize line_length, terminator_pos; ++ const gchar *line_term; ++ gint line_term_length; + GIOStatus status; + + g_test_summary ("Test that reading a line containing embedded nuls works " +@@ -200,6 +202,11 @@ test_read_line_embedded_nuls (void) + * Use length -1 here to exercise glib#2323; the case where length > 0 + * is covered in glib/tests/protocol.c. */ + g_io_channel_set_line_term (channel, "\n", -1); ++ ++ line_term = g_io_channel_get_line_term (channel, &line_term_length); ++ g_assert_cmpstr (line_term, ==, "\n"); ++ g_assert_cmpint (line_term_length, ==, 1); ++ + g_io_channel_set_encoding (channel, NULL, &local_error); + g_assert_no_error (local_error); + +-- +GitLab + 
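Review bot: In the new `length >= 0` branch of g_io_channel_set_line_term, `g_malloc0 (length + 1)` adds 1 to the `gint` before it is widened to `gsize`, so for `length == G_MAXINT` the addition is signed overflow (undefined behaviour) rather than a large allocation; widen first with `channel->line_term = g_malloc0 ((gsize) length + 1);`. The previous g_memdup2 path had the same practical limit, so this is unlikely to bite, but this is the line where a reviewer expects the explicit cast. The doc comment now says `Since 2.84, the return value is always nul-terminated.`, which refers to the upstream release while this package builds 2.72.2; readers of this build's generated docs may conclude the guarantee does not apply here, so the backport could either drop the version or note that it is carried as a downstream patch.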
diff --git a/patch/backport-gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connect-messages.patch b/patch/backport-gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connect-messages.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ffec87bf478e91ca2fd75767e8d6ed6dfe217468
--- /dev/null
+++ b/patch/backport-gsocks4aproxy-Fix-a-single-byte-buffer-overflow-in-connect-messages.patch
@@ -0,0 +1,48 @@
+From 25833cefda24c60af913d6f2d532b5afd608b821 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Thu, 19 Sep 2024 18:35:53 +0100
+Subject: [PATCH] gsocks4aproxy: Fix a single byte buffer overflow in connect
+ messages
+
+`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
+byte in the connect message, which is an addition in SOCKSv4a vs
+SOCKSv4.
+
+This means that the buffer for building and transmitting the connect
+message could be overflowed if the username and hostname are both
+`SOCKS4_MAX_LEN` (255) bytes long.
+
+Proxy configurations are normally statically configured, so the username
+is very unlikely to be near its maximum length, and hence this overflow
+is unlikely to be triggered in practice.
+
+(Commit message by Philip Withnall, diagnosis and fix by Michael
+Catanzaro.)
+
+Conflict:NA
+Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/25833cefda24c60af913d6f2d532b5afd608b821
+
+Fixes: #3461
+---
+ gio/gsocks4aproxy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c
+index 3dad118eb7..b3146d08fd 100644
+--- a/gio/gsocks4aproxy.c
++++ b/gio/gsocks4aproxy.c
+@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy)
+ * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+ * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL |
+ * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+- * 1 1 2 4 variable 1 variable
++ * 1 1 2 4 variable 1 variable 1
+ */
+-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2)
++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2)
+ static gint
+ set_connect_msg (guint8 *msg,
+ const gchar *hostname,
+--
+GitLab
+
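Review bot: The corrected `#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2)` is still a hand-summed literal that stays in step with the ASCII layout comment only by convention, which is exactly how the missing byte crept in. A comment beside the define spelling out the ten fixed bytes, `/* VN + CD + DSTPORT (2) + DSTIP (4) + USERID nul + HOST nul */`, makes a future audit mechanical, and a `g_assert` of the length actually produced by set_connect_msg against `SOCKS4_CONN_MSG_LEN` (its body lies past the end of the hunk) would turn a repeat of this mistake into an assertion failure instead of a silent one-byte write past the buffer. Since this is the one patch in the set with memory-safety impact and it carries `Fixes: #3461`, the spec changelog entry that summarises it as `buffer overflow` would be more useful to triage if it cited that upstream issue.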
diff --git a/patch/backport-gutils-Fix-unlikely-minor-leaks-in-xdg-directory-functions.patch b/patch/backport-gutils-Fix-unlikely-minor-leaks-in-xdg-directory-functions.patch
new file mode 100644
index 0000000000000000000000000000000000000000..272276a25365a981509467febd9f0906ca527b09
--- /dev/null
+++ b/patch/backport-gutils-Fix-unlikely-minor-leaks-in-xdg-directory-functions.patch
@@ -0,0 +1,47 @@
+From 1196ac7af62887d48e4c2aabf9f1509c306178a5 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Thu, 22 Aug 2024 16:14:45 -0500
+Subject: [PATCH] gutils: Fix unlikely minor leaks in xdg directory functions
+
+We leak if we have a non-null empty string. This was already fixed for
+g_build_user_data_dir() in 1a979ab4947fc259af01ea65263aaa4d417553fb
+so now fix the others as well.
+
+Conflict:NA
+Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/1196ac7af62887d48e4c2aabf9f1509c306178a5
+
+---
+ glib/gutils.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/glib/gutils.c b/glib/gutils.c
+index 057e2bcd73..8628a568da 100644
+--- a/glib/gutils.c
++++ b/glib/gutils.c
+@@ -1940,6 +1940,7 @@ g_build_user_config_dir (void)
+ if (!config_dir || !config_dir[0])
+ {
+ gchar *home_dir = g_build_home_dir ();
++ g_free (config_dir);
+ config_dir = g_build_filename (home_dir, ".config", NULL);
+ g_free (home_dir);
+ }
+@@ -2003,6 +2004,7 @@ g_build_user_cache_dir (void)
+ if (!cache_dir || !cache_dir[0])
+ {
+ gchar *home_dir = g_build_home_dir ();
++ g_free (cache_dir);
+ cache_dir = g_build_filename (home_dir, ".cache", NULL);
+ g_free (home_dir);
+ }
+@@ -2065,6 +2067,7 @@ g_build_user_state_dir (void)
+ if (!state_dir || !state_dir[0])
+ {
+ gchar *home_dir = g_build_home_dir ();
++ g_free (state_dir);
+ state_dir = g_build_filename (home_dir, ".local/state", NULL);
+ g_free (home_dir);
+ }
+--
+GitLab
+
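Review bot: The added `g_free (config_dir);` (and the identical lines for `cache_dir` and `state_dir` in the next two hunks) is only correct if the variable holds a heap string owned by this function at that point; its assignment lies above the hunk in g_build_user_config_dir, so I cannot confirm from here that it is an allocated copy rather than a borrowed pointer, and that should be checked before merging. The path being fixed is the non-NULL empty string (`!config_dir[0]`), while the NULL path is safe because `g_free (NULL)` is a no-op; a brief comment, `/* may hold an allocated empty string; drop it before replacing (g_free (NULL) is a no-op) */`, would explain why the free precedes the reassignment.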