[MEDIUM] Patch glib for CVE-2024-34397 #15359
archana25-ms wants to merge 9 commits into microsoft:main from
Conversation
c40fed8 to 5bff542
Buddy build is successful.
CVE-2024-34397 was merged in PR-14223 and was later reverted in PR-14745 since there was a test failure in the ModemManager package during the full build because of this CVE fix. Hence, in this PR the CVE patch is backported from https://gitlab.gnome.org/GNOME/glib/-/issues/3268#fixes
Requesting a full build so that the other dependency packages' tests and builds can also be verified.
suresh-thelkar
left a comment
Code changes look good to me. Since the patch is huge, I have also run the full build linked below. Please make sure all the packages and ptests run successfully and pass.
https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1038532&view=results
Added another patch, for CVE-2025-1484, and the buddy build link - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1038685&view=results
Please fix the issues with the full build first and make sure everything goes fine. Only then add this CVE; probably you can add it in a new PR. The patch is already huge, and adding another CVE patch in the same PR is not advisable in my opinion.
739ecff to cc8a3e3
Removed CVE-2025-1484 from this PR and created a new PR, #15774, as requested.
suresh-thelkar
left a comment
The recent code changes look good to me. I have also run the full build; here is the link - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1077265&view=results
Latest buddy build link: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1099481&view=results
Result is successful.
Full build link - https://polite-mud-0e83c8510.6.azurestaticapps.net/#/?buildNumber=2.0.20260421-sthelkar-1099526&environment=Development
The changes are widespread and previously caused a failure for another package which depends on glib. As the CVE is not high or critical, and the changes are disruptive and can cause failures for users relying on the old behavior, we will hold this CVE.
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
- *-static subpackages, etc.) have had their Release tag incremented.
- ./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json
- ./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON
- *.signatures.json files
- sudo make go-tidy-all and sudo make go-test-coverage pass

Summary
What does the PR accomplish, why was it needed?
Patch glib for CVE-2024-34397
CVE-2024-34397 was merged in PR-14223 and was later reverted in PR-14745 since there was a test failure in the ModemManager package during the full build because of the CVE fix.
Hence in this PR the CVE patch is backported from https://gitlab.gnome.org/GNOME/glib/-/issues/3268#fixes
and the test execution of the ModemManager package was verified with the fixed glib present in the toolchain.
Change Log
Does this affect the toolchain?
YES
Associated issues
Links to CVEs
Test Methodology
Patch applies cleanly
Build is Successful
Verified the ModemManager test with the patched glib, and it passed.