diff --git a/CVE-2025-60018.patch b/CVE-2025-60018.patch deleted file mode 100644 index b746dc344239f36c8d554d5e4f9a0ee352a94020..0000000000000000000000000000000000000000 --- a/CVE-2025-60018.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 4dd540505d40babe488404f3174ec39f49a84485 Mon Sep 17 00:00:00 2001 -From: Michael Catanzaro -Date: Mon, 4 Aug 2025 15:10:21 -0500 -Subject: [PATCH] openssl: properly check return value when writing to BIO - objects - -In particular, we will read out of bounds, and then write the invalid -memory, if BIO_write() fails when getting the PROP_CERTIFICATE_PEM -property. Here we attempt to check the return value, but the check is -not correct. - -This also fixes a leak of the BIO in the same place. - -Also add error checking to PROP_SUBJECT_NAME and PROP_ISSUER_NAME, for -good measure. - -Fixes #226 ---- - tls/openssl/gtlscertificate-openssl.c | 25 +++++++++++++++---------- - 1 file changed, 15 insertions(+), 10 deletions(-) - -diff --git a/tls/openssl/gtlscertificate-openssl.c b/tls/openssl/gtlscertificate-openssl.c -index 648f3e83..b5365596 100644 ---- a/tls/openssl/gtlscertificate-openssl.c -+++ b/tls/openssl/gtlscertificate-openssl.c -@@ -362,15 +362,12 @@ g_tls_certificate_openssl_get_property (GObject *object, - case PROP_CERTIFICATE_PEM: - bio = BIO_new (BIO_s_mem ()); - -- if (!PEM_write_bio_X509 (bio, openssl->cert) || !BIO_write (bio, "\0", 1)) -- certificate_pem = NULL; -- else -+ if (PEM_write_bio_X509 (bio, openssl->cert) == 1 && BIO_write (bio, "\0", 1) == 1) - { - BIO_get_mem_data (bio, &certificate_pem); - g_value_set_string (value, certificate_pem); -- -- BIO_free_all (bio); - } -+ BIO_free_all (bio); - break; - - case PROP_PRIVATE_KEY: -@@ -411,8 +408,12 @@ g_tls_certificate_openssl_get_property (GObject *object, - case PROP_SUBJECT_NAME: - bio = BIO_new (BIO_s_mem ()); - name = X509_get_subject_name (openssl->cert); -- X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS); -- BIO_write (bio, "\0", 1); -+ if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 || -+ BIO_write (bio, "\0", 1) != 1) -+ { -+ BIO_free_all (bio); -+ break; -+ } - BIO_get_mem_data (bio, (char **)&name_string); - g_value_set_string (value, name_string); - BIO_free_all (bio); -@@ -421,9 +422,13 @@ g_tls_certificate_openssl_get_property (GObject *object, - case PROP_ISSUER_NAME: - bio = BIO_new (BIO_s_mem ()); - name = X509_get_issuer_name (openssl->cert); -- X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS); -- BIO_write (bio, "\0", 1); -- BIO_get_mem_data (bio, &name_string); -+ if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 || -+ BIO_write (bio, "\0", 1) != 1) -+ { -+ BIO_free_all (bio); -+ break; -+ } -+ BIO_get_mem_data (bio, (char **)&name_string); - g_value_set_string (value, name_string); - BIO_free_all (bio); - break; --- -GitLab - diff --git a/CVE-2025-60019.patch b/CVE-2025-60019.patch deleted file mode 100644 index be77f16f0415e5f86695ff505e9ef9d8f922e806..0000000000000000000000000000000000000000 --- a/CVE-2025-60019.patch +++ /dev/null @@ -1,181 +0,0 @@ -From b08a833162b0c031175c1a34bf84827cab890c8b Mon Sep 17 00:00:00 2001 -From: Michael Catanzaro -Date: Thu, 21 Aug 2025 16:58:54 -0500 -Subject: [PATCH 1/2] openssl: check return value of g_tls_bio_alloc() - -This function may fail, in which case the parameter remains -uninitialized. We'd better not dereference it in that case. ---- - tls/openssl/gtlsbio.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/tls/openssl/gtlsbio.c b/tls/openssl/gtlsbio.c -index 0f603fe2..1e54943e 100644 ---- a/tls/openssl/gtlsbio.c -+++ b/tls/openssl/gtlsbio.c -@@ -370,7 +370,8 @@ g_tls_bio_new_from_iostream (GIOStream *io_stream) - GTlsBio *gbio; - - ret = g_tls_bio_alloc (&gbio); -- gbio->io_stream = g_object_ref (io_stream); -+ if (ret) -+ gbio->io_stream = g_object_ref (io_stream); - - return ret; - } -@@ -382,7 +383,8 @@ g_tls_bio_new_from_datagram_based (GDatagramBased *socket) - GTlsBio *gbio; - - ret = g_tls_bio_alloc (&gbio); -- gbio->socket = g_object_ref (socket); -+ if (ret) -+ gbio->socket = g_object_ref (socket); - - return ret; - } --- -GitLab - - -From 70df675dd4f5e4a593b2f95406c1aac031aa8bc7 Mon Sep 17 00:00:00 2001 -From: Michael Catanzaro -Date: Thu, 21 Aug 2025 17:21:01 -0500 -Subject: [PATCH 2/2] openssl: check return values of BIO_new() - -We probably need to check even more return values of even more OpenSSL -functions, but these ones allocate memory and that's particularly -important to get right. ---- - tls/openssl/gtlscertificate-openssl.c | 42 ++++++++++++++++++++------- - 1 file changed, 32 insertions(+), 10 deletions(-) - -diff --git a/tls/openssl/gtlscertificate-openssl.c b/tls/openssl/gtlscertificate-openssl.c -index b5365596..4fa52865 100644 ---- a/tls/openssl/gtlscertificate-openssl.c -+++ b/tls/openssl/gtlscertificate-openssl.c -@@ -166,6 +166,9 @@ export_privkey_to_der (GTlsCertificateOpenssl *openssl, - goto err; - - bio = BIO_new (BIO_s_mem ()); -+ if (!bio) -+ goto err; -+ - if (i2d_PKCS8_PRIV_KEY_INFO_bio (bio, pkcs8) == 0) - goto err; - -@@ -199,6 +202,9 @@ export_privkey_to_pem (GTlsCertificateOpenssl *openssl) - return NULL; - - bio = BIO_new (BIO_s_mem ()); -+ if (!bio) -+ goto out; -+ - ret = PEM_write_bio_PKCS8PrivateKey (bio, openssl->key, NULL, NULL, 0, NULL, NULL); - if (ret == 0) - goto out; -@@ -211,7 +217,7 @@ export_privkey_to_pem (GTlsCertificateOpenssl *openssl) - result = g_strdup (data); - - out: -- BIO_free_all (bio); -+ g_clear_pointer (&bio, BIO_free_all); - return result; - } - -@@ -232,6 +238,9 @@ maybe_import_pkcs12 (GTlsCertificateOpenssl *openssl) - return; - - bio = BIO_new (BIO_s_mem ()); -+ if (!bio) -+ goto import_failed; -+ - status = BIO_write (bio, openssl->pkcs12_data->data, openssl->pkcs12_data->len); - if (status <= 0) - goto import_failed; -@@ -323,7 +332,7 @@ g_tls_certificate_openssl_get_property (GObject *object, - guint8 *data; - BIO *bio; - GByteArray *byte_array; -- char *certificate_pem; -+ const char *certificate_pem; - long size; - - const ASN1_TIME *time_asn1; -@@ -362,12 +371,12 @@ g_tls_certificate_openssl_get_property (GObject *object, - case PROP_CERTIFICATE_PEM: - bio = BIO_new (BIO_s_mem ()); - -- if (PEM_write_bio_X509 (bio, openssl->cert) == 1 && BIO_write (bio, "\0", 1) == 1) -+ if (bio && PEM_write_bio_X509 (bio, openssl->cert) == 1 && BIO_write (bio, "\0", 1) == 1) - { - BIO_get_mem_data (bio, &certificate_pem); - g_value_set_string (value, certificate_pem); - } -- BIO_free_all (bio); -+ g_clear_pointer (&bio, BIO_free_all); - break; - - case PROP_PRIVATE_KEY: -@@ -407,6 +416,8 @@ g_tls_certificate_openssl_get_property (GObject *object, - - case PROP_SUBJECT_NAME: - bio = BIO_new (BIO_s_mem ()); -+ if (!bio) -+ break; - name = X509_get_subject_name (openssl->cert); - if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 || - BIO_write (bio, "\0", 1) != 1) -@@ -421,6 +432,8 @@ g_tls_certificate_openssl_get_property (GObject *object, - - case PROP_ISSUER_NAME: - bio = BIO_new (BIO_s_mem ()); -+ if (!bio) -+ break; - name = X509_get_issuer_name (openssl->cert); - if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 || - BIO_write (bio, "\0", 1) != 1) -@@ -533,8 +546,11 @@ g_tls_certificate_openssl_set_property (GObject *object, - break; - CRITICAL_IF_CERTIFICATE_INITIALIZED ("certificate-pem"); - bio = BIO_new_mem_buf ((gpointer)string, -1); -- openssl->cert = PEM_read_bio_X509 (bio, NULL, NULL, NULL); -- BIO_free (bio); -+ if (bio) -+ { -+ openssl->cert = PEM_read_bio_X509 (bio, NULL, NULL, NULL); -+ BIO_free (bio); -+ } - if (openssl->cert) - openssl->have_cert = TRUE; - else if (!openssl->construct_error) -@@ -554,8 +570,11 @@ g_tls_certificate_openssl_set_property (GObject *object, - CRITICAL_IF_KEY_INITIALIZED ("private-key"); - - bio = BIO_new_mem_buf (bytes->data, bytes->len); -- openssl->key = d2i_PrivateKey_bio (bio, NULL); -- BIO_free (bio); -+ if (bio) -+ { -+ openssl->key = d2i_PrivateKey_bio (bio, NULL); -+ BIO_free (bio); -+ } - if (openssl->key) - openssl->have_key = TRUE; - else if (!openssl->construct_error) -@@ -575,8 +594,11 @@ g_tls_certificate_openssl_set_property (GObject *object, - CRITICAL_IF_KEY_INITIALIZED ("private-key-pem"); - - bio = BIO_new_mem_buf ((gpointer)string, -1); -- openssl->key = PEM_read_bio_PrivateKey (bio, NULL, NULL, NULL); -- BIO_free (bio); -+ if (bio) -+ { -+ openssl->key = PEM_read_bio_PrivateKey (bio, NULL, NULL, NULL); -+ BIO_free (bio); -+ } - if (openssl->key) - openssl->have_key = TRUE; - else if (!openssl->construct_error) --- -GitLab - diff --git a/glib-networking.spec b/glib-networking.spec index b43eaf4ad535ffca0c3f969f5527877587564995..dd0408ffb34f9040762fa9f58808e4eacf1d4bf1 100644 --- a/glib-networking.spec +++ b/glib-networking.spec @@ -1,12 +1,10 @@ Name: glib-networking Version: 2.78.0 -Release: 2 +Release: 1 Summary: Network-related modules for glib License: LGPLv2+ URL: https://gitlab.gnome.org/GNOME/glib-networking Source0: https://download.gnome.org/sources/glib-networking/2.78/%{name}-%{version}.tar.xz -Patch6001: CVE-2025-60018.patch -Patch6002: CVE-2025-60019.patch BuildRequires: meson gcc ca-certificates gettext systemd BuildRequires: pkgconfig(glib-2.0) >= 2.73.3 pkgconfig(gnutls) >= 3.7.4 @@ -59,9 +57,6 @@ verify the Usability of the glib-networking package. %{_datadir}/installed-tests %changelog -* Fri Sep 26 2025 Funda Wang - 2.78.0-2 -- fix CVE-2025-60018, CVE-2025-60019 - * Mon Feb 5 2024 yanglu - 2.78.0-1 - update glib-networking version to 2.78.0: - disable PKCS#11 tests when GNuTLS is built without PKCS#11 support