We have some news to share for the request index beta feature. We’ve added more options to sort your requests, counters to the individual filters and documentation for the search functionality. Checkout the blog post for more details.

Overview

File glib2-CVE-2025-14512.patch of Package glib2.42479

From 4f0399c0aaf3ffc86b5625424580294bc7460404 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Thu, 4 Dec 2025 16:37:19 +0000
Subject: [PATCH] gfileattribute: Fix integer overflow calculating escaping for
 byte strings

The number of invalid characters in the byte string (characters which
would have to be percent-encoded) was only stored in an `int`, which
gave the possibility of a long string largely full of invalid
characters overflowing this and allowing an attacker-controlled buffer
size to be allocated.

This could be triggered by an attacker controlled file attribute (of
type `G_FILE_ATTRIBUTE_TYPE_BYTE_STRING`), such as
`G_FILE_ATTRIBUTE_THUMBNAIL_PATH` or `G_FILE_ATTRIBUTE_STANDARD_NAME`,
being read by user code.

Spotted by Codean Labs.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Fixes: #3845
---
 gio/gfileattribute.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff -urp glib-2.62.6.orig/gio/gfileattribute.c glib-2.62.6/gio/gfileattribute.c
--- glib-2.62.6.orig/gio/gfileattribute.c	2020-03-18 08:16:11.000000000 -0500
+++ glib-2.62.6/gio/gfileattribute.c	2025-12-11 15:52:31.243083535 -0600
@@ -20,6 +20,7 @@
 
 #include "config.h"
 
+#include <stdint.h>
 #include <string.h>
 
 #include "gfileattribute.h"
@@ -271,11 +272,12 @@ valid_char (char c)
   return c >= 32 && c <= 126 && c != '\\';
 }
 
+/* Returns NULL on error */
 static char *
 escape_byte_string (const char *str)
 {
   size_t len;
-  int num_invalid, i;
+  size_t num_invalid, i;
   char *escaped_val, *p;
   unsigned char c;
   const char hex_digits[] = "0123456789abcdef";
@@ -293,7 +295,12 @@ escape_byte_string (const char *str)
     return g_strdup (str);
   else
     {
-      escaped_val = g_malloc (len + num_invalid*3 + 1);
+      /* Check for overflow. We want to check the inequality:
+       * !(len + num_invalid * 3 + 1 > SIZE_MAX) */
+      if (num_invalid >= (SIZE_MAX - len) / 3)
+        return NULL;
+
+      escaped_val = g_malloc (len + num_invalid * 3 + 1);
 
       p = escaped_val;
       for (i = 0; i < len; i++)
openSUSE Build Service is sponsored by
Places