Patch glib for CVE-2026-1484

archana25-ms · archana25-ms · commit 739ecffd79a8 · 2026-01-29T00:10:10.000+05:30
diff --git a/SPECS/glib/CVE-2026-1484.patch b/SPECS/glib/CVE-2026-1484.patch
@@ -0,0 +1,67 @@
+From 5ba0ed9ab2c28294713bdc56a8744ff0a446b59c Mon Sep 17 00:00:00 2001
+From: Marco Trevisan <mail@3v1n0.net>
+Date: Fri, 23 Jan 2026 18:48:30 +0100
+Subject: [PATCH 1/2] gbase64: Use gsize to prevent potential overflow
+[PATCH 2/2] gbase64: Ensure that the out value is within allocated
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Both g_base64_encode_step() and g_base64_encode_close() return gsize
+values, but these are summed to an int value.
+
+If the sum of these returned values is bigger than MAXINT, we overflow
+while doing the null byte write.
+
+Spotted by treeplus.
+Thanks to the Sovereign Tech Resilience programme from the Sovereign
+Tech Agency.
+
+ID: #YWH-PGM9867-168
+Closes: #3870
+
+
+(cherry picked from commit 6845f7776982849a2be1d8c9b0495e389092bff2)
+Upstream Patch reference: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4979.patch
+
+Co-authored-by: Marco Trevisan (Treviño) <mail@3v1n0.net>
+---
+ glib/gbase64.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/glib/gbase64.c b/glib/gbase64.c
+index f2d110e..19f8e5e 100644
+--- a/glib/gbase64.c
++++ b/glib/gbase64.c
+@@ -262,8 +262,10 @@ g_base64_encode (const guchar *data,
+                  gsize         len)
+ {
+   gchar *out;
+-  gint state = 0, outlen;
++  gint state = 0;
+   gint save = 0;
++  gsize outlen;
++  gsize allocsize;
+ 
+   g_return_val_if_fail (data != NULL || len == 0, NULL);
+ 
+@@ -271,10 +273,15 @@ g_base64_encode (const guchar *data,
+      +1 is needed for trailing \0, also check for unlikely integer overflow */
+   g_return_val_if_fail (len < ((G_MAXSIZE - 1) / 4 - 1) * 3, NULL);
+ 
+-  out = g_malloc ((len / 3 + 1) * 4 + 1);
++  allocsize = (len / 3 + 1) * 4 + 1;
++  out = g_malloc (allocsize);
+ 
+   outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save);
++  g_assert (outlen <= allocsize);
++
+   outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save);
++  g_assert (outlen <= allocsize);
++
+   out[outlen] = '\0';
+ 
+   return (gchar *) out;
+-- 
+2.45.4
+
diff --git a/SPECS/glib/glib.spec b/SPECS/glib/glib.spec
@@ -20,6 +20,7 @@ Patch6:         CVE-2025-13601.patch
 Patch7:         CVE-2025-14087.patch
 Patch8:         CVE-2025-14512.patch
 Patch9:         CVE-2024-34397.patch
+Patch10:        CVE-2026-1484.patch
 BuildRequires:  cmake
 BuildRequires:  gtk-doc
 BuildRequires:  libffi-devel
@@ -133,8 +134,8 @@ touch %{buildroot}%{_libdir}/gio/modules/giomodule.cache
 %doc %{_datadir}/gtk-doc/html/*
 
 %changelog
-* Mon Dec 22 2025 Archana Shettigar <v-shettigara@microsoft.com> - 2.71.0-10
-- Patch CVE-2024-34397
+* Thu Jan 29 2026 Archana Shettigar <v-shettigara@microsoft.com> - 2.71.0-10
+- Patch CVE-2024-34397 and CVE-2026-1484
 
 * Mon Dec 15 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.71.0-9
 - Patch for CVE-2025-14512, CVE-2025-14087
