Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package glib2 for openSUSE:Factory checked in at 2026-01-26 10:42:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/glib2 (Old) and /work/SRC/openSUSE:Factory/.glib2.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "glib2" Mon Jan 26 10:42:28 2026 rev:301 rq:1328598 version:2.86.3 Changes: -------- --- /work/SRC/openSUSE:Factory/glib2/glib2.changes 2025-12-10 15:30:40.942634174 +0100 +++ /work/SRC/openSUSE:Factory/.glib2.new.1928/glib2.changes 2026-01-26 10:42:52.029097180 +0100 @@ -1,0 +2,7 @@ +Wed Jan 21 16:28:18 UTC 2026 - Michael Gorse <[email protected]> + +- Add glib2-CVE-2026-0988.patch: fix a potential integer overflow + in g_buffered_input_stream_peek (bsc#1257049 CVE-2026-0988 + glgo#GNOME/glib#3851). + +------------------------------------------------------------------- @@ -8163 +8170 @@ -Wed Mar 21 12:38:24 CST 2007 - [email protected] +Wed Mar 21 12:38:24 UTC 2007 - [email protected] New: ---- glib2-CVE-2026-0988.patch ----------(New B)---------- New: - Add glib2-CVE-2026-0988.patch: fix a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049 CVE-2026-0988 ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ glib2.spec ++++++ --- /var/tmp/diff_new_pack.Y19qfS/_old 2026-01-26 10:42:53.753169241 +0100 +++ /var/tmp/diff_new_pack.Y19qfS/_new 2026-01-26 10:42:53.757169409 +0100 @@ -1,7 +1,7 @@ # # spec file for package glib2 # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -65,6 +65,8 @@ Patch2: glib2-suppress-schema-deprecated-path-warning.patch # PATCH-FIX-OPENSUSE glib2-gdbus-codegen-version.patch [email protected] -- Remove version string from files generated by gdbus-codegen Patch4: glib2-gdbus-codegen-version.patch +# PATCH-FIX-UPSTREAM glib2-CVE-2026-0988.patch bsc#1256049 [email protected] -- fix a potential integer overflow in g_buffered_input_stream_peek. +Patch5: glib2-CVE-2026-0988.patch BuildRequires: docbook-xsl-stylesheets BuildRequires: fdupes BuildRequires: gcc-c++ ++++++ glib2-CVE-2026-0988.patch ++++++ >From c5766cff61ffce0b8e787eae09908ac348338e5f Mon Sep 17 00:00:00 2001 From: Philip Withnall <[email protected]> Date: Thu, 18 Dec 2025 23:12:18 +0000 Subject: [PATCH] gbufferedinputstream: Fix a potential integer overflow in peek() If the caller provides `offset` and `count` arguments which overflow, their sum will overflow and could lead to `memcpy()` reading out more memory than expected. Spotted by Codean Labs. Signed-off-by: Philip Withnall <[email protected]> Fixes: #3851 --- gio/gbufferedinputstream.c | 2 +- gio/tests/buffered-input-stream.c | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/gio/gbufferedinputstream.c b/gio/gbufferedinputstream.c index 9e6bacc62..56d656be0 100644 --- a/gio/gbufferedinputstream.c +++ b/gio/gbufferedinputstream.c @@ -591,7 +591,7 @@ g_buffered_input_stream_peek (GBufferedInputStream *stream, available = g_buffered_input_stream_get_available (stream); - if (offset > available) + if (offset > available || offset > G_MAXSIZE - count) return 0; end = MIN (offset + count, available); diff --git a/gio/tests/buffered-input-stream.c b/gio/tests/buffered-input-stream.c index a1af4eeff..2b2a0d9aa 100644 --- a/gio/tests/buffered-input-stream.c +++ b/gio/tests/buffered-input-stream.c @@ -60,6 +60,16 @@ test_peek (void) g_assert_cmpint (npeek, ==, 0); g_free (buffer); + buffer = g_new0 (char, 64); + npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 8, 0); + g_assert_cmpint (npeek, ==, 0); + g_free (buffer); + + buffer = g_new0 (char, 64); + npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 5, G_MAXSIZE); + g_assert_cmpint (npeek, ==, 0); + g_free (buffer); + g_object_unref (in); g_object_unref (base); } -- 2.52.0
