microsoft · kgodara912 · Dec 19, 2025 · Dec 15, 2025
@@ -0,0 +1,70 @@
+From 487e062de90850689f14ca3d55cbdb9088d41bde Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 25 Nov 2025 19:02:56 +0000
+Subject: [PATCH] gvariant-parser: Fix potential integer overflow parsing
+ (byte)strings
+
+The termination condition for parsing string and bytestring literals in
+GVariant text format input was subject to an integer overflow for input
+string (or bytestring) literals longer than `INT_MAX`.
+
+Fix that by counting as a `size_t` rather than as an `int`. The counter
+can never correctly be negative.
+
+Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
+from the Sovereign Tech Agency. ID: #YWH-PGM9867-145
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+Fixes: #3834
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.gnome.org/GNOME/glib/-/commit/3e72fe0fbb32c18a66486c4da8bc851f656af287.patch
+---
+ glib/gvariant-parser.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
+index bb5238b..af6527d 100644
+--- a/glib/gvariant-parser.c
++++ b/glib/gvariant-parser.c
+@@ -594,7 +594,7 @@ ast_resolve (AST     *ast,
+ {
+   GVariant *value;
+   gchar *pattern;
+-  gint i, j = 0;
++  size_t i, j = 0;
+
+   pattern = ast_get_pattern (ast, error);
+
+@@ -1555,9 +1555,9 @@ string_free (AST *ast)
+  * No leading/trailing space allowed. */
+ static gboolean
+ unicode_unescape (const gchar  *src,
+-                  gint         *src_ofs,
++                  size_t       *src_ofs,
+                   gchar        *dest,
+-                  gint         *dest_ofs,
++                  size_t       *dest_ofs,
+                   gsize         length,
+                   SourceRef    *ref,
+                   GError      **error)
+@@ -1618,7 +1618,7 @@ string_parse (TokenStream  *stream,
+   gsize length;
+   gchar quote;
+   gchar *str;
+-  gint i, j;
++  size_t i, j;
+
+   token_stream_start_ref (stream, &ref);
+   token = token_stream_get (stream);
+@@ -1748,7 +1748,7 @@ bytestring_parse (TokenStream  *stream,
+   gsize length;
+   gchar quote;
+   gchar *str;
+-  gint i, j;
++  size_t i, j;
+
+   token_stream_start_ref (stream, &ref);
+   token = token_stream_get (stream);
+-- 
+2.45.4
+
@@ -0,0 +1,71 @@
+From eaa4ef68c5ae930857e94f4c28c2fb3559b2660e Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 4 Dec 2025 16:37:19 +0000
+Subject: [PATCH] gfileattribute: Fix integer overflow calculating escaping for
+ byte strings
+
+The number of invalid characters in the byte string (characters which
+would have to be percent-encoded) was only stored in an `int`, which
+gave the possibility of a long string largely full of invalid
+characters overflowing this and allowing an attacker-controlled buffer
+size to be allocated.
+
+This could be triggered by an attacker controlled file attribute (of
+type `G_FILE_ATTRIBUTE_TYPE_BYTE_STRING`), such as
+`G_FILE_ATTRIBUTE_THUMBNAIL_PATH` or `G_FILE_ATTRIBUTE_STANDARD_NAME`,
+being read by user code.
+
+Spotted by Codean Labs.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+Fixes: #3845
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.gnome.org/GNOME/glib/-/commit/4f0399c0aaf3ffc86b5625424580294bc7460404.patch
+---
+ gio/gfileattribute.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gfileattribute.c b/gio/gfileattribute.c
+index 8075d1d..b14e5fa 100644
+--- a/gio/gfileattribute.c
++++ b/gio/gfileattribute.c
+@@ -20,6 +20,7 @@
+
+ #include "config.h"
+
++#include <stdint.h>
+ #include <string.h>
+
+ #include "gfileattribute.h"
+@@ -271,11 +272,12 @@ valid_char (char c)
+   return c >= 32 && c <= 126 && c != '\\';
+ }
+
++/* Returns NULL on error */
+ static char *
+ escape_byte_string (const char *str)
+ {
+   size_t i, len;
+-  int num_invalid;
++  size_t num_invalid;
+   char *escaped_val, *p;
+   unsigned char c;
+   const char hex_digits[] = "0123456789abcdef";
+@@ -293,7 +295,12 @@ escape_byte_string (const char *str)
+     return g_strdup (str);
+   else
+     {
+-      escaped_val = g_malloc (len + num_invalid*3 + 1);
++      /* Check for overflow. We want to check the inequality:
++       * !(len + num_invalid * 3 + 1 > SIZE_MAX) */
++      if (num_invalid >= (SIZE_MAX - len) / 3)
++        return NULL;
++
++      escaped_val = g_malloc (len + num_invalid * 3 + 1);
+
+       p = escaped_val;
+       for (i = 0; i < len; i++)
+-- 
+2.45.4
+
@@ -2,7 +2,7 @@
 Summary:        Low-level libraries useful for providing data structure handling for C.
 Name:           glib
 Version:        2.71.0
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -17,6 +17,8 @@ Patch3:         CVE-2025-3360.patch
 Patch4:         CVE-2025-4373.patch
 Patch5:         CVE-2025-7039.patch
 Patch6:         CVE-2025-13601.patch
+Patch7:         CVE-2025-14087.patch
+Patch8:         CVE-2025-14512.patch
 BuildRequires:  cmake
 BuildRequires:  gtk-doc
 BuildRequires:  libffi-devel
@@ -130,6 +132,9 @@ touch %{buildroot}%{_libdir}/gio/modules/giomodule.cache
 %doc %{_datadir}/gtk-doc/html/*
 
 %changelog
+* Mon Dec 15 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.71.0-9
+- Patch for CVE-2025-14512, CVE-2025-14087
+
 * Sat Nov 29 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.71.0-8
 - Patch for CVE-2025-13601
 

@@ -199,7 +199,7 @@ libxml2-devel-2.10.4-9.cm2.aarch64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 libsepol-3.2-2.cm2.aarch64.rpm
-glib-2.71.0-8.cm2.aarch64.rpm
+glib-2.71.0-9.cm2.aarch64.rpm
 libltdl-2.4.6-8.cm2.aarch64.rpm
 libltdl-devel-2.4.6-8.cm2.aarch64.rpm
 pcre-8.45-2.cm2.aarch64.rpm

@@ -199,7 +199,7 @@ libxml2-devel-2.10.4-9.cm2.x86_64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 libsepol-3.2-2.cm2.x86_64.rpm
-glib-2.71.0-8.cm2.x86_64.rpm
+glib-2.71.0-9.cm2.x86_64.rpm
 libltdl-2.4.6-8.cm2.x86_64.rpm
 libltdl-devel-2.4.6-8.cm2.x86_64.rpm
 pcre-8.45-2.cm2.x86_64.rpm

@@ -101,11 +101,11 @@ gdbm-lang-1.21-1.cm2.aarch64.rpm
 gettext-0.21-3.cm2.aarch64.rpm
 gettext-debuginfo-0.21-3.cm2.aarch64.rpm
 gfortran-11.2.0-9.cm2.aarch64.rpm
-glib-2.71.0-8.cm2.aarch64.rpm
-glib-debuginfo-2.71.0-8.cm2.aarch64.rpm
-glib-devel-2.71.0-8.cm2.aarch64.rpm
-glib-doc-2.71.0-8.cm2.noarch.rpm
-glib-schemas-2.71.0-8.cm2.aarch64.rpm
+glib-2.71.0-9.cm2.aarch64.rpm
+glib-debuginfo-2.71.0-9.cm2.aarch64.rpm
+glib-devel-2.71.0-9.cm2.aarch64.rpm
+glib-doc-2.71.0-9.cm2.noarch.rpm
+glib-schemas-2.71.0-9.cm2.aarch64.rpm
 glibc-2.35-7.cm2.aarch64.rpm
 glibc-debuginfo-2.35-7.cm2.aarch64.rpm
 glibc-devel-2.35-7.cm2.aarch64.rpm

@@ -106,11 +106,11 @@ gdbm-lang-1.21-1.cm2.x86_64.rpm
 gettext-0.21-3.cm2.x86_64.rpm
 gettext-debuginfo-0.21-3.cm2.x86_64.rpm
 gfortran-11.2.0-9.cm2.x86_64.rpm
-glib-2.71.0-8.cm2.x86_64.rpm
-glib-debuginfo-2.71.0-8.cm2.x86_64.rpm
-glib-devel-2.71.0-8.cm2.x86_64.rpm
-glib-doc-2.71.0-8.cm2.noarch.rpm
-glib-schemas-2.71.0-8.cm2.x86_64.rpm
+glib-2.71.0-9.cm2.x86_64.rpm
+glib-debuginfo-2.71.0-9.cm2.x86_64.rpm
+glib-devel-2.71.0-9.cm2.x86_64.rpm
+glib-doc-2.71.0-9.cm2.noarch.rpm
+glib-schemas-2.71.0-9.cm2.x86_64.rpm
 glibc-2.35-7.cm2.x86_64.rpm
 glibc-debuginfo-2.35-7.cm2.x86_64.rpm
 glibc-devel-2.35-7.cm2.x86_64.rpm