diff --git a/SOURCES/0001-gbytearray-Do-not-accept-too-large-byte-arrays.patch b/SOURCES/0001-gbytearray-Do-not-accept-too-large-byte-arrays.patch new file mode 100644 index 0000000..15aa571 --- /dev/null +++ b/SOURCES/0001-gbytearray-Do-not-accept-too-large-byte-arrays.patch @@ -0,0 +1,129 @@ +From 89b522ed31837cb2ac107a8961fbb0f2c7fc7ccb Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Wed, 10 Feb 2021 23:51:07 +0100 +Subject: [PATCH] gbytearray: Do not accept too large byte arrays + +GByteArray uses guint for storing the length of the byte array, but it +also has a constructor (g_byte_array_new_take) that takes length as a +gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits +for guint). It is possible to call the function with a value greater +than G_MAXUINT, which will result in silent length truncation. This +may happen as a result of unreffing GBytes into GByteArray, so rather +be loud about it. + +(Test case tweaked by Philip Withnall.) +--- + glib/garray.c | 6 ++++++ + glib/gbytes.c | 4 ++++ + glib/tests/bytes.c | 37 +++++++++++++++++++++++++++++++++++-- + 3 files changed, 45 insertions(+), 2 deletions(-) + +diff --git a/glib/garray.c b/glib/garray.c +index aa3c04707..271d85ad8 100644 +--- a/glib/garray.c ++++ b/glib/garray.c +@@ -1666,6 +1666,10 @@ g_byte_array_new (void) + * Create byte array containing the data. The data will be owned by the array + * and will be freed with g_free(), i.e. it could be allocated using g_strdup(). + * ++ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray ++ * stores the length of its data in #guint, which may be shorter than ++ * #gsize. ++ * + * Since: 2.32 + * + * Returns: (transfer full): a new #GByteArray +@@ -1677,6 +1681,8 @@ g_byte_array_new_take (guint8 *data, + GByteArray *array; + GRealArray *real; + ++ g_return_val_if_fail (len <= G_MAXUINT, NULL); ++ + array = g_byte_array_new (); + real = (GRealArray *)array; + g_assert (real->data == NULL); +diff --git a/glib/gbytes.c b/glib/gbytes.c +index 5141170d7..635b79535 100644 +--- a/glib/gbytes.c ++++ b/glib/gbytes.c +@@ -512,6 +512,10 @@ g_bytes_unref_to_data (GBytes *bytes, + * g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes(). In all + * other cases the data is copied. + * ++ * Do not use it if @bytes contains more than %G_MAXUINT ++ * bytes. #GByteArray stores the length of its data in #guint, which ++ * may be shorter than #gsize, that @bytes is using. ++ * + * Returns: (transfer full): a new mutable #GByteArray containing the same byte data + * + * Since: 2.32 +diff --git a/glib/tests/bytes.c b/glib/tests/bytes.c +index 5ea5c2b35..42281307b 100644 +--- a/glib/tests/bytes.c ++++ b/glib/tests/bytes.c +@@ -10,12 +10,12 @@ + */ + + #undef G_DISABLE_ASSERT +-#undef G_LOG_DOMAIN + + #include + #include + #include + #include "glib.h" ++#include "glib/gstrfuncsprivate.h" + + /* Keep in sync with glib/gbytes.c */ + struct _GBytes +@@ -333,6 +333,38 @@ test_to_array_transferred (void) + g_byte_array_unref (array); + } + ++static void ++test_to_array_transferred_oversize (void) ++{ ++ g_test_message ("g_bytes_unref_to_array() can only take GBytes up to " ++ "G_MAXUINT in length; test that longer ones are rejected"); ++ ++ if (sizeof (guint) >= sizeof (gsize)) ++ { ++ g_test_skip ("Skipping test as guint is not smaller than gsize"); ++ } ++ else if (g_test_undefined ()) ++ { ++ GByteArray *array = NULL; ++ GBytes *bytes = NULL; ++ gpointer data = g_memdup2 (NYAN, N_NYAN); ++ gsize len = ((gsize) G_MAXUINT) + 1; ++ ++ bytes = g_bytes_new_take (data, len); ++ g_test_expect_message (G_LOG_DOMAIN, G_LOG_LEVEL_CRITICAL, ++ "g_byte_array_new_take: assertion 'len <= G_MAXUINT' failed"); ++ array = g_bytes_unref_to_array (g_steal_pointer (&bytes)); ++ g_test_assert_expected_messages (); ++ g_assert_null (array); ++ ++ g_free (data); ++ } ++ else ++ { ++ g_test_skip ("Skipping test as testing undefined behaviour is disabled"); ++ } ++} ++ + static void + test_to_array_two_refs (void) + { +@@ -407,7 +439,8 @@ main (int argc, char *argv[]) + g_test_add_func ("/bytes/to-data/transfered", test_to_data_transferred); + g_test_add_func ("/bytes/to-data/two-refs", test_to_data_two_refs); + g_test_add_func ("/bytes/to-data/non-malloc", test_to_data_non_malloc); +- g_test_add_func ("/bytes/to-array/transfered", test_to_array_transferred); ++ g_test_add_func ("/bytes/to-array/transferred", test_to_array_transferred); ++ g_test_add_func ("/bytes/to-array/transferred-oversize", test_to_array_transferred_oversize); + g_test_add_func ("/bytes/to-array/two-refs", test_to_array_two_refs); + g_test_add_func ("/bytes/to-array/non-malloc", test_to_array_non_malloc); + g_test_add_func ("/bytes/null", test_null); +-- +2.31.1 + diff --git a/SOURCES/0001-glocalfileoutputstream-Factor-out-a-flag-check.patch b/SOURCES/0001-glocalfileoutputstream-Factor-out-a-flag-check.patch new file mode 100644 index 0000000..f73d7a4 --- /dev/null +++ b/SOURCES/0001-glocalfileoutputstream-Factor-out-a-flag-check.patch @@ -0,0 +1,56 @@ +From 8fef6abe1131da0c8a7211c740a12ebe11cbcc51 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 10 Mar 2021 16:05:55 +0000 +Subject: [PATCH 1/3] glocalfileoutputstream: Factor out a flag check + +This clarifies the code a little. It introduces no functional changes. + +Signed-off-by: Philip Withnall +--- + gio/glocalfileoutputstream.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c +index 57d2d5dfe..6a70b2a04 100644 +--- a/gio/glocalfileoutputstream.c ++++ b/gio/glocalfileoutputstream.c +@@ -751,6 +751,7 @@ handle_overwrite_open (const char *filename, + int res; + int mode; + int errsv; ++ gboolean replace_destination_set = (flags & G_FILE_CREATE_REPLACE_DESTINATION); + + mode = mode_from_flags_or_info (flags, reference_info); + +@@ -857,8 +858,8 @@ handle_overwrite_open (const char *filename, + * The second strategy consist simply in copying the old file + * to a backup file and rewrite the contents of the file. + */ +- +- if ((flags & G_FILE_CREATE_REPLACE_DESTINATION) || ++ ++ if (replace_destination_set || + (!(original_stat.st_nlink > 1) && !is_symlink)) + { + char *dirname, *tmp_filename; +@@ -877,7 +878,7 @@ handle_overwrite_open (const char *filename, + + /* try to keep permissions (unless replacing) */ + +- if ( ! (flags & G_FILE_CREATE_REPLACE_DESTINATION) && ++ if (!replace_destination_set && + ( + #ifdef HAVE_FCHOWN + fchown (tmpfd, original_stat.st_uid, original_stat.st_gid) == -1 || +@@ -1016,7 +1017,7 @@ handle_overwrite_open (const char *filename, + } + } + +- if (flags & G_FILE_CREATE_REPLACE_DESTINATION) ++ if (replace_destination_set) + { + g_close (fd, NULL); + +-- +2.31.1 + diff --git a/SOURCES/0001-gstrfuncs-Add-internal-g_memdup2-function.patch b/SOURCES/0001-gstrfuncs-Add-internal-g_memdup2-function.patch new file mode 100644 index 0000000..3a6ff17 --- /dev/null +++ b/SOURCES/0001-gstrfuncs-Add-internal-g_memdup2-function.patch @@ -0,0 +1,174 @@ +From e23bf51c6a898f5c395ffb388a0287575a3017cb Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:30:52 +0000 +Subject: [PATCH 01/12] gstrfuncs: Add internal g_memdup2() function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This will replace the existing `g_memdup()` function for use within +GLib. It has an unavoidable security flaw of taking its `byte_size` +argument as a `guint` rather than as a `gsize`. Most callers will +expect it to be a `gsize`, and may pass in large values which could +silently be truncated, resulting in an undersize allocation compared +to what the caller expects. + +This could lead to a classic buffer overflow vulnerability for many +callers of `g_memdup()`. + +`g_memdup2()`, in comparison, takes its `byte_size` as a `gsize`. + +Spotted by Kevin Backhouse of GHSL. + +In GLib 2.68, `g_memdup2()` will be a new public API. In this version +for backport to older stable releases, it’s a new `static inline` API +in a private header, so that use of `g_memdup()` within GLib can be +fixed without adding a new API in a stable release series. + +Signed-off-by: Philip Withnall +Helps: GHSL-2021-045 +Helps: #2319 +--- + docs/reference/glib/meson.build | 1 + + glib/gstrfuncsprivate.h | 55 +++++++++++++++++++++++++++++++++ + glib/meson.build | 1 + + glib/tests/strfuncs.c | 23 ++++++++++++++ + 4 files changed, 80 insertions(+) + create mode 100644 glib/gstrfuncsprivate.h + +diff --git a/docs/reference/glib/meson.build b/docs/reference/glib/meson.build +index f0f915e96..1a3680941 100644 +--- a/docs/reference/glib/meson.build ++++ b/docs/reference/glib/meson.build +@@ -20,6 +20,7 @@ if get_option('gtk_doc') + 'gprintfint.h', + 'gmirroringtable.h', + 'gscripttable.h', ++ 'gstrfuncsprivate.h', + 'glib-mirroring-tab', + 'gnulib', + 'pcre', +diff --git a/glib/gstrfuncsprivate.h b/glib/gstrfuncsprivate.h +new file mode 100644 +index 000000000..85c88328a +--- /dev/null ++++ b/glib/gstrfuncsprivate.h +@@ -0,0 +1,55 @@ ++/* GLIB - Library of useful routines for C programming ++ * Copyright (C) 1995-1997 Peter Mattis, Spencer Kimball and Josh MacDonald ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, see . ++ */ ++ ++#include ++#include ++ ++/* ++ * g_memdup2: ++ * @mem: (nullable): the memory to copy. ++ * @byte_size: the number of bytes to copy. ++ * ++ * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it ++ * from @mem. If @mem is %NULL it returns %NULL. ++ * ++ * This replaces g_memdup(), which was prone to integer overflows when ++ * converting the argument from a #gsize to a #guint. ++ * ++ * This static inline version is a backport of the new public API from ++ * GLib 2.68, kept internal to GLib for backport to older stable releases. ++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319. ++ * ++ * Returns: (nullable): a pointer to the newly-allocated copy of the memory, ++ * or %NULL if @mem is %NULL. ++ * Since: 2.68 ++ */ ++static inline gpointer ++g_memdup2 (gconstpointer mem, ++ gsize byte_size) ++{ ++ gpointer new_mem; ++ ++ if (mem && byte_size != 0) ++ { ++ new_mem = g_malloc (byte_size); ++ memcpy (new_mem, mem, byte_size); ++ } ++ else ++ new_mem = NULL; ++ ++ return new_mem; ++} +diff --git a/glib/meson.build b/glib/meson.build +index a2f9da81c..481fd06ff 100644 +--- a/glib/meson.build ++++ b/glib/meson.build +@@ -167,6 +167,7 @@ glib_sources = files( + 'gslist.c', + 'gstdio.c', + 'gstrfuncs.c', ++ 'gstrfuncsprivate.h', + 'gstring.c', + 'gstringchunk.c', + 'gtestutils.c', +diff --git a/glib/tests/strfuncs.c b/glib/tests/strfuncs.c +index 7e031bdb1..2aa252946 100644 +--- a/glib/tests/strfuncs.c ++++ b/glib/tests/strfuncs.c +@@ -32,6 +32,8 @@ + #include + #include "glib.h" + ++#include "gstrfuncsprivate.h" ++ + #if defined (_MSC_VER) && (_MSC_VER <= 1800) + #define isnan(x) _isnan(x) + +@@ -199,6 +201,26 @@ test_is_to_digit (void) + #undef TEST_DIGIT + } + ++/* Testing g_memdup2() function with various positive and negative cases */ ++static void ++test_memdup2 (void) ++{ ++ gchar *str_dup = NULL; ++ const gchar *str = "The quick brown fox jumps over the lazy dog"; ++ ++ /* Testing negative cases */ ++ g_assert_null (g_memdup2 (NULL, 1024)); ++ g_assert_null (g_memdup2 (str, 0)); ++ g_assert_null (g_memdup2 (NULL, 0)); ++ ++ /* Testing normal usage cases */ ++ str_dup = g_memdup2 (str, strlen (str) + 1); ++ g_assert_nonnull (str_dup); ++ g_assert_cmpstr (str, ==, str_dup); ++ ++ g_free (str_dup); ++} ++ + static void + test_strdup (void) + { +@@ -1726,6 +1748,7 @@ main (int argc, + g_test_init (&argc, &argv, NULL); + + g_test_add_func ("/strfuncs/test-is-to-digit", test_is_to_digit); ++ g_test_add_func ("/strfuncs/memdup2", test_memdup2); + g_test_add_func ("/strfuncs/strdup", test_strdup); + g_test_add_func ("/strfuncs/strndup", test_strndup); + g_test_add_func ("/strfuncs/strdup-printf", test_strdup_printf); +-- +2.31.1 + diff --git a/SOURCES/0002-gio-Use-g_memdup2-instead-of-g_memdup-in-obvious-pla.patch b/SOURCES/0002-gio-Use-g_memdup2-instead-of-g_memdup-in-obvious-pla.patch new file mode 100644 index 0000000..2d14f95 --- /dev/null +++ b/SOURCES/0002-gio-Use-g_memdup2-instead-of-g_memdup-in-obvious-pla.patch @@ -0,0 +1,262 @@ +From d27057acbb26f5b3400677e22a7801bb60a9a134 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:37:56 +0000 +Subject: [PATCH 02/12] gio: Use g_memdup2() instead of g_memdup() in obvious + places +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Convert all the call sites which use `g_memdup()`’s length argument +trivially (for example, by passing a `sizeof()`), so that they use +`g_memdup2()` instead. + +In almost all of these cases the use of `g_memdup()` would not have +caused problems, but it will soon be deprecated, so best port away from +it. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gio/gdbusconnection.c | 5 +++-- + gio/gdbusinterfaceskeleton.c | 3 ++- + gio/gfile.c | 7 ++++--- + gio/gsettingsschema.c | 5 +++-- + gio/gwin32registrykey.c | 8 +++++--- + gio/tests/async-close-output-stream.c | 6 ++++-- + gio/tests/gdbus-export.c | 5 +++-- + gio/win32/gwinhttpfile.c | 9 +++++---- + 8 files changed, 29 insertions(+), 19 deletions(-) + +diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c +index 6f7e5fefc..117c8df35 100644 +--- a/gio/gdbusconnection.c ++++ b/gio/gdbusconnection.c +@@ -119,6 +119,7 @@ + #include "gasyncinitable.h" + #include "giostream.h" + #include "gasyncresult.h" ++#include "gstrfuncsprivate.h" + #include "gtask.h" + + #ifdef G_OS_UNIX +@@ -3970,7 +3971,7 @@ _g_dbus_interface_vtable_copy (const GDBusInterfaceVTable *vtable) + /* Don't waste memory by copying padding - remember to update this + * when changing struct _GDBusInterfaceVTable in gdbusconnection.h + */ +- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer)); ++ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer)); + } + + static void +@@ -3987,7 +3988,7 @@ _g_dbus_subtree_vtable_copy (const GDBusSubtreeVTable *vtable) + /* Don't waste memory by copying padding - remember to update this + * when changing struct _GDBusSubtreeVTable in gdbusconnection.h + */ +- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer)); ++ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer)); + } + + static void +diff --git a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c +index 96bd520aa..672604c49 100644 +--- a/gio/gdbusinterfaceskeleton.c ++++ b/gio/gdbusinterfaceskeleton.c +@@ -27,6 +27,7 @@ + #include "gdbusprivate.h" + #include "gdbusmethodinvocation.h" + #include "gdbusconnection.h" ++#include "gstrfuncsprivate.h" + #include "gtask.h" + #include "gioerror.h" + +@@ -697,7 +698,7 @@ add_connection_locked (GDBusInterfaceSkeleton *interface_, + * properly before building the hooked_vtable, so we create it + * once at the last minute. + */ +- interface_->priv->hooked_vtable = g_memdup (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable)); ++ interface_->priv->hooked_vtable = g_memdup2 (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable)); + interface_->priv->hooked_vtable->method_call = skeleton_intercept_handle_method_call; + } + +diff --git a/gio/gfile.c b/gio/gfile.c +index ff313ebf8..29ebaaa62 100644 +--- a/gio/gfile.c ++++ b/gio/gfile.c +@@ -60,6 +60,7 @@ + #include "gasyncresult.h" + #include "gioerror.h" + #include "glibintl.h" ++#include "gstrfuncsprivate.h" + + + /** +@@ -7734,7 +7735,7 @@ measure_disk_usage_progress (gboolean reporting, + g_main_context_invoke_full (g_task_get_context (task), + g_task_get_priority (task), + measure_disk_usage_invoke_progress, +- g_memdup (&progress, sizeof progress), ++ g_memdup2 (&progress, sizeof progress), + g_free); + } + +@@ -7752,7 +7753,7 @@ measure_disk_usage_thread (GTask *task, + data->progress_callback ? measure_disk_usage_progress : NULL, task, + &result.disk_usage, &result.num_dirs, &result.num_files, + &error)) +- g_task_return_pointer (task, g_memdup (&result, sizeof result), g_free); ++ g_task_return_pointer (task, g_memdup2 (&result, sizeof result), g_free); + else + g_task_return_error (task, error); + } +@@ -7776,7 +7777,7 @@ g_file_real_measure_disk_usage_async (GFile *file, + + task = g_task_new (file, cancellable, callback, user_data); + g_task_set_source_tag (task, g_file_real_measure_disk_usage_async); +- g_task_set_task_data (task, g_memdup (&data, sizeof data), g_free); ++ g_task_set_task_data (task, g_memdup2 (&data, sizeof data), g_free); + g_task_set_priority (task, io_priority); + + g_task_run_in_thread (task, measure_disk_usage_thread); +diff --git a/gio/gsettingsschema.c b/gio/gsettingsschema.c +index 17b7e3b01..499944395 100644 +--- a/gio/gsettingsschema.c ++++ b/gio/gsettingsschema.c +@@ -20,6 +20,7 @@ + + #include "gsettingsschema-internal.h" + #include "gsettings.h" ++#include "gstrfuncsprivate.h" + + #include "gvdb/gvdb-reader.h" + #include "strinfo.c" +@@ -1054,9 +1055,9 @@ g_settings_schema_list_children (GSettingsSchema *schema) + + if (g_str_has_suffix (key, "/")) + { +- gint length = strlen (key); ++ gsize length = strlen (key); + +- strv[j] = g_memdup (key, length); ++ strv[j] = g_memdup2 (key, length); + strv[j][length - 1] = '\0'; + j++; + } +diff --git a/gio/gwin32registrykey.c b/gio/gwin32registrykey.c +index c19fede4e..619fd48af 100644 +--- a/gio/gwin32registrykey.c ++++ b/gio/gwin32registrykey.c +@@ -28,6 +28,8 @@ + #include + #include + ++#include "gstrfuncsprivate.h" ++ + #ifndef _WDMDDK_ + typedef enum _KEY_INFORMATION_CLASS { + KeyBasicInformation, +@@ -247,7 +249,7 @@ g_win32_registry_value_iter_copy (const GWin32RegistryValueIter *iter) + new_iter->value_name_size = iter->value_name_size; + + if (iter->value_data != NULL) +- new_iter->value_data = g_memdup (iter->value_data, iter->value_data_size); ++ new_iter->value_data = g_memdup2 (iter->value_data, iter->value_data_size); + + new_iter->value_data_size = iter->value_data_size; + +@@ -268,8 +270,8 @@ g_win32_registry_value_iter_copy (const GWin32RegistryValueIter *iter) + new_iter->value_data_expanded_charsize = iter->value_data_expanded_charsize; + + if (iter->value_data_expanded_u8 != NULL) +- new_iter->value_data_expanded_u8 = g_memdup (iter->value_data_expanded_u8, +- iter->value_data_expanded_charsize); ++ new_iter->value_data_expanded_u8 = g_memdup2 (iter->value_data_expanded_u8, ++ iter->value_data_expanded_charsize); + + new_iter->value_data_expanded_u8_size = iter->value_data_expanded_charsize; + +diff --git a/gio/tests/async-close-output-stream.c b/gio/tests/async-close-output-stream.c +index 5f6620275..d3f97a119 100644 +--- a/gio/tests/async-close-output-stream.c ++++ b/gio/tests/async-close-output-stream.c +@@ -24,6 +24,8 @@ + #include + #include + ++#include "gstrfuncsprivate.h" ++ + #define DATA_TO_WRITE "Hello world\n" + + typedef struct +@@ -147,9 +149,9 @@ prepare_data (SetupData *data, + + data->expected_size = g_memory_output_stream_get_data_size (G_MEMORY_OUTPUT_STREAM (data->data_stream)); + +- g_assert_cmpint (data->expected_size, >, 0); ++ g_assert_cmpuint (data->expected_size, >, 0); + +- data->expected_output = g_memdup (written, (guint)data->expected_size); ++ data->expected_output = g_memdup2 (written, data->expected_size); + + /* then recreate the streams and prepare them for the asynchronous close */ + destroy_streams (data); +diff --git a/gio/tests/gdbus-export.c b/gio/tests/gdbus-export.c +index ef0dddeee..a3c842360 100644 +--- a/gio/tests/gdbus-export.c ++++ b/gio/tests/gdbus-export.c +@@ -23,6 +23,7 @@ + #include + + #include "gdbus-tests.h" ++#include "gstrfuncsprivate.h" + + /* all tests rely on a shared mainloop */ + static GMainLoop *loop = NULL; +@@ -652,7 +653,7 @@ subtree_introspect (GDBusConnection *connection, + g_assert_not_reached (); + } + +- return g_memdup (interfaces, 2 * sizeof (void *)); ++ return g_memdup2 (interfaces, 2 * sizeof (void *)); + } + + static const GDBusInterfaceVTable * +@@ -708,7 +709,7 @@ dynamic_subtree_introspect (GDBusConnection *connection, + { + const GDBusInterfaceInfo *interfaces[2] = { &dyna_interface_info, NULL }; + +- return g_memdup (interfaces, 2 * sizeof (void *)); ++ return g_memdup2 (interfaces, 2 * sizeof (void *)); + } + + static const GDBusInterfaceVTable * +diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c +index d5df16d91..f424d21cc 100644 +--- a/gio/win32/gwinhttpfile.c ++++ b/gio/win32/gwinhttpfile.c +@@ -29,6 +29,7 @@ + #include "gio/gfile.h" + #include "gio/gfileattribute.h" + #include "gio/gfileinfo.h" ++#include "gstrfuncsprivate.h" + #include "gwinhttpfile.h" + #include "gwinhttpfileinputstream.h" + #include "gwinhttpfileoutputstream.h" +@@ -393,10 +394,10 @@ g_winhttp_file_resolve_relative_path (GFile *file, + child = g_object_new (G_TYPE_WINHTTP_FILE, NULL); + child->vfs = winhttp_file->vfs; + child->url = winhttp_file->url; +- child->url.lpszScheme = g_memdup (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); +- child->url.lpszHostName = g_memdup (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); +- child->url.lpszUserName = g_memdup (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); +- child->url.lpszPassword = g_memdup (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); ++ child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); ++ child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); ++ child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); ++ child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); + child->url.lpszUrlPath = wnew_path; + child->url.dwUrlPathLength = wcslen (wnew_path); + child->url.lpszExtraInfo = NULL; +-- +2.31.1 + diff --git a/SOURCES/0002-glocalfileoutputstream-Fix-CREATE_REPLACE_DESTINATIO.patch b/SOURCES/0002-glocalfileoutputstream-Fix-CREATE_REPLACE_DESTINATIO.patch new file mode 100644 index 0000000..7991b20 --- /dev/null +++ b/SOURCES/0002-glocalfileoutputstream-Fix-CREATE_REPLACE_DESTINATIO.patch @@ -0,0 +1,278 @@ +From 6c10e8ce6905e8fcc3466eb8af707b5d0d3bdb85 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 24 Feb 2021 17:36:07 +0000 +Subject: [PATCH 2/3] glocalfileoutputstream: Fix CREATE_REPLACE_DESTINATION + with symlinks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The `G_FILE_CREATE_REPLACE_DESTINATION` flag is equivalent to unlinking +the destination file and re-creating it from scratch. That did +previously work, but in the process the code would call `open(O_CREAT)` +on the file. If the file was a dangling symlink, this would create the +destination file (empty). That’s not an intended side-effect, and has +security implications if the symlink is controlled by a lower-privileged +process. + +Fix that by not opening the destination file if it’s a symlink, and +adjusting the rest of the code to cope with + - the fact that `fd == -1` is not an error iff `is_symlink` is true, + - and that `original_stat` will contain the `lstat()` results for the + symlink now, rather than the `stat()` results for its target (again, + iff `is_symlink` is true). + +This means that the target of the dangling symlink is no longer created, +which was the bug. The symlink itself continues to be replaced (as +before) with the new file — this is the intended behaviour of +`g_file_replace()`. + +The behaviour for non-symlink cases, or cases where the symlink was not +dangling, should be unchanged. + +Includes a unit test. + +Signed-off-by: Philip Withnall + +Fixes: #2325 +--- + gio/glocalfileoutputstream.c | 63 ++++++++++++++------- + gio/tests/file.c | 107 ++++++++++++++++++++++++++++++++++- + 2 files changed, 149 insertions(+), 21 deletions(-) + +diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c +index 6a70b2a04..4a7766f68 100644 +--- a/gio/glocalfileoutputstream.c ++++ b/gio/glocalfileoutputstream.c +@@ -779,16 +779,22 @@ handle_overwrite_open (const char *filename, + /* Could be a symlink, or it could be a regular ELOOP error, + * but then the next open will fail too. */ + is_symlink = TRUE; +- fd = g_open (filename, open_flags, mode); ++ if (!replace_destination_set) ++ fd = g_open (filename, open_flags, mode); + } +-#else +- fd = g_open (filename, open_flags, mode); +- errsv = errno; ++#else /* if !O_NOFOLLOW */ + /* This is racy, but we do it as soon as possible to minimize the race */ + is_symlink = g_file_test (filename, G_FILE_TEST_IS_SYMLINK); ++ ++ if (!is_symlink || !replace_destination_set) ++ { ++ fd = g_open (filename, open_flags, mode); ++ errsv = errno; ++ } + #endif + +- if (fd == -1) ++ if (fd == -1 && ++ (!is_symlink || !replace_destination_set)) + { + char *display_name = g_filename_display_name (filename); + g_set_error (error, G_IO_ERROR, +@@ -800,10 +806,17 @@ handle_overwrite_open (const char *filename, + } + + #ifdef G_OS_WIN32 +- res = GLIB_PRIVATE_CALL (g_win32_fstat) (fd, &original_stat); +-#else +- res = fstat (fd, &original_stat); ++#error This patch has not been ported to Windows, sorry + #endif ++ ++ if (!is_symlink) ++ { ++ res = fstat (fd, &original_stat); ++ } ++ else ++ { ++ res = lstat (filename, &original_stat); ++ } + errsv = errno; + + if (res != 0) +@@ -821,16 +834,27 @@ handle_overwrite_open (const char *filename, + if (!S_ISREG (original_stat.st_mode)) + { + if (S_ISDIR (original_stat.st_mode)) +- g_set_error_literal (error, +- G_IO_ERROR, +- G_IO_ERROR_IS_DIRECTORY, +- _("Target file is a directory")); +- else +- g_set_error_literal (error, +- G_IO_ERROR, +- G_IO_ERROR_NOT_REGULAR_FILE, +- _("Target file is not a regular file")); +- goto err_out; ++ { ++ g_set_error_literal (error, ++ G_IO_ERROR, ++ G_IO_ERROR_IS_DIRECTORY, ++ _("Target file is a directory")); ++ goto err_out; ++ } ++ else if (!is_symlink || ++#ifdef S_ISLNK ++ !S_ISLNK (original_stat.st_mode) ++#else ++ FALSE ++#endif ++ ) ++ { ++ g_set_error_literal (error, ++ G_IO_ERROR, ++ G_IO_ERROR_NOT_REGULAR_FILE, ++ _("Target file is not a regular file")); ++ goto err_out; ++ } + } + + if (etag != NULL) +@@ -911,7 +935,8 @@ handle_overwrite_open (const char *filename, + } + } + +- g_close (fd, NULL); ++ if (fd >= 0) ++ g_close (fd, NULL); + *temp_filename = tmp_filename; + return tmpfd; + } +diff --git a/gio/tests/file.c b/gio/tests/file.c +index 98eeb85d4..44db6e295 100644 +--- a/gio/tests/file.c ++++ b/gio/tests/file.c +@@ -671,8 +671,6 @@ test_replace_cancel (void) + guint count; + GError *error = NULL; + +- g_test_bug ("629301"); +- + path = g_dir_make_tmp ("g_file_replace_cancel_XXXXXX", &error); + g_assert_no_error (error); + tmpdir = g_file_new_for_path (path); +@@ -779,6 +777,110 @@ test_replace_cancel (void) + g_object_unref (tmpdir); + } + ++static void ++test_replace_symlink (void) ++{ ++#ifdef G_OS_UNIX ++ gchar *tmpdir_path = NULL; ++ GFile *tmpdir = NULL, *source_file = NULL, *target_file = NULL; ++ GFileOutputStream *stream = NULL; ++ const gchar *new_contents = "this is a test message which should be written to source and not target"; ++ gsize n_written; ++ GFileEnumerator *enumerator = NULL; ++ GFileInfo *info = NULL; ++ gchar *contents = NULL; ++ gsize length = 0; ++ GError *local_error = NULL; ++ ++ /* Create a fresh, empty working directory. */ ++ tmpdir_path = g_dir_make_tmp ("g_file_replace_symlink_XXXXXX", &local_error); ++ g_assert_no_error (local_error); ++ tmpdir = g_file_new_for_path (tmpdir_path); ++ ++ g_test_message ("Using temporary directory %s", tmpdir_path); ++ g_free (tmpdir_path); ++ ++ /* Create symlink `source` which points to `target`. */ ++ source_file = g_file_get_child (tmpdir, "source"); ++ target_file = g_file_get_child (tmpdir, "target"); ++ g_file_make_symbolic_link (source_file, "target", NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ /* Ensure that `target` doesn’t exist */ ++ g_assert_false (g_file_query_exists (target_file, NULL)); ++ ++ /* Replace the `source` symlink with a regular file using ++ * %G_FILE_CREATE_REPLACE_DESTINATION, which should replace it *without* ++ * following the symlink */ ++ stream = g_file_replace (source_file, NULL, FALSE /* no backup */, ++ G_FILE_CREATE_REPLACE_DESTINATION, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_output_stream_write_all (G_OUTPUT_STREAM (stream), new_contents, strlen (new_contents), ++ &n_written, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_cmpint (n_written, ==, strlen (new_contents)); ++ ++ g_output_stream_close (G_OUTPUT_STREAM (stream), NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_clear_object (&stream); ++ ++ /* At this point, there should still only be one file: `source`. It should ++ * now be a regular file. `target` should not exist. */ ++ enumerator = g_file_enumerate_children (tmpdir, ++ G_FILE_ATTRIBUTE_STANDARD_NAME "," ++ G_FILE_ATTRIBUTE_STANDARD_TYPE, ++ G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_nonnull (info); ++ ++ g_assert_cmpstr (g_file_info_get_name (info), ==, "source"); ++ g_assert_cmpint (g_file_info_get_file_type (info), ==, G_FILE_TYPE_REGULAR); ++ ++ g_clear_object (&info); ++ ++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_null (info); ++ ++ g_file_enumerator_close (enumerator, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_clear_object (&enumerator); ++ ++ /* Double-check that `target` doesn’t exist */ ++ g_assert_false (g_file_query_exists (target_file, NULL)); ++ ++ /* Check the content of `source`. */ ++ g_file_load_contents (source_file, ++ NULL, ++ &contents, ++ &length, ++ NULL, ++ &local_error); ++ g_assert_no_error (local_error); ++ g_assert_cmpstr (contents, ==, new_contents); ++ g_assert_cmpuint (length, ==, strlen (new_contents)); ++ g_free (contents); ++ ++ /* Tidy up. */ ++ g_file_delete (source_file, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_file_delete (tmpdir, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_clear_object (&target_file); ++ g_clear_object (&source_file); ++ g_clear_object (&tmpdir); ++#else /* if !G_OS_UNIX */ ++ g_test_skip ("Symlink replacement tests can only be run on Unix") ++#endif ++} ++ + static void + on_file_deleted (GObject *object, + GAsyncResult *result, +@@ -1170,6 +1272,7 @@ main (int argc, char *argv[]) + g_test_add_data_func ("/file/async-create-delete/4096", GINT_TO_POINTER (4096), test_create_delete); + g_test_add_func ("/file/replace-load", test_replace_load); + g_test_add_func ("/file/replace-cancel", test_replace_cancel); ++ g_test_add_func ("/file/replace-symlink", test_replace_symlink); + g_test_add_func ("/file/async-delete", test_async_delete); + #ifdef G_OS_UNIX + g_test_add_func ("/file/copy-preserve-mode", test_copy_preserve_mode); +-- +2.31.1 + diff --git a/SOURCES/0003-glocalfileoutputstream-Add-a-missing-O_CLOEXEC-flag-.patch b/SOURCES/0003-glocalfileoutputstream-Add-a-missing-O_CLOEXEC-flag-.patch new file mode 100644 index 0000000..d2227a6 --- /dev/null +++ b/SOURCES/0003-glocalfileoutputstream-Add-a-missing-O_CLOEXEC-flag-.patch @@ -0,0 +1,54 @@ +From 7f0b0d7fd744ad2f51236444005db49c80a0293d Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 24 Feb 2021 17:42:24 +0000 +Subject: [PATCH 3/3] glocalfileoutputstream: Add a missing O_CLOEXEC flag to + replace() + +Signed-off-by: Philip Withnall +--- + gio/glocalfileoutputstream.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c +index 4a7766f68..275770fa4 100644 +--- a/gio/glocalfileoutputstream.c ++++ b/gio/glocalfileoutputstream.c +@@ -56,6 +56,12 @@ + #define O_BINARY 0 + #endif + ++#ifndef O_CLOEXEC ++#define O_CLOEXEC 0 ++#else ++#define HAVE_O_CLOEXEC 1 ++#endif ++ + struct _GLocalFileOutputStreamPrivate { + char *tmp_filename; + char *original_filename; +@@ -1127,7 +1133,7 @@ _g_local_file_output_stream_replace (const char *filename, + sync_on_close = FALSE; + + /* If the file doesn't exist, create it */ +- open_flags = O_CREAT | O_EXCL | O_BINARY; ++ open_flags = O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC; + if (readable) + open_flags |= O_RDWR; + else +@@ -1157,8 +1163,11 @@ _g_local_file_output_stream_replace (const char *filename, + set_error_from_open_errno (filename, error); + return NULL; + } +- +- ++#if !defined(HAVE_O_CLOEXEC) && defined(F_SETFD) ++ else ++ fcntl (fd, F_SETFD, FD_CLOEXEC); ++#endif ++ + stream = g_object_new (G_TYPE_LOCAL_FILE_OUTPUT_STREAM, NULL); + stream->priv->fd = fd; + stream->priv->sync_on_close = sync_on_close; +-- +2.31.1 + diff --git a/SOURCES/0003-gobject-Use-g_memdup2-instead-of-g_memdup-in-obvious.patch b/SOURCES/0003-gobject-Use-g_memdup2-instead-of-g_memdup-in-obvious.patch new file mode 100644 index 0000000..dd3da75 --- /dev/null +++ b/SOURCES/0003-gobject-Use-g_memdup2-instead-of-g_memdup-in-obvious.patch @@ -0,0 +1,136 @@ +From 9d84623c724b9599071fb7f12a189746f7b0ff3f Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:39:25 +0000 +Subject: [PATCH 03/12] gobject: Use g_memdup2() instead of g_memdup() in + obvious places +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Convert all the call sites which use `g_memdup()`’s length argument +trivially (for example, by passing a `sizeof()`), so that they use +`g_memdup2()` instead. + +In almost all of these cases the use of `g_memdup()` would not have +caused problems, but it will soon be deprecated, so best port away from +it. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gobject/gsignal.c | 3 ++- + gobject/gtype.c | 9 +++++---- + gobject/gtypemodule.c | 3 ++- + gobject/tests/param.c | 4 +++- + 4 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/gobject/gsignal.c b/gobject/gsignal.c +index b22dfcca8..92555eb60 100644 +--- a/gobject/gsignal.c ++++ b/gobject/gsignal.c +@@ -28,6 +28,7 @@ + #include + + #include "gsignal.h" ++#include "gstrfuncsprivate.h" + #include "gtype-private.h" + #include "gbsearcharray.h" + #include "gvaluecollector.h" +@@ -1724,7 +1725,7 @@ g_signal_newv (const gchar *signal_name, + node->single_va_closure_is_valid = FALSE; + node->flags = signal_flags & G_SIGNAL_FLAGS_MASK; + node->n_params = n_params; +- node->param_types = g_memdup (param_types, sizeof (GType) * n_params); ++ node->param_types = g_memdup2 (param_types, sizeof (GType) * n_params); + node->return_type = return_type; + node->class_closure_bsa = NULL; + if (accumulator) +diff --git a/gobject/gtype.c b/gobject/gtype.c +index 275a8b60b..9e663ce52 100644 +--- a/gobject/gtype.c ++++ b/gobject/gtype.c +@@ -33,6 +33,7 @@ + + #include "glib-private.h" + #include "gconstructor.h" ++#include "gstrfuncsprivate.h" + + #ifdef G_OS_WIN32 + #include +@@ -1471,7 +1472,7 @@ type_add_interface_Wm (TypeNode *node, + iholder->next = iface_node_get_holders_L (iface); + iface_node_set_holders_W (iface, iholder); + iholder->instance_type = NODE_TYPE (node); +- iholder->info = info ? g_memdup (info, sizeof (*info)) : NULL; ++ iholder->info = info ? g_memdup2 (info, sizeof (*info)) : NULL; + iholder->plugin = plugin; + + /* create an iface entry for this type */ +@@ -1732,7 +1733,7 @@ type_iface_retrieve_holder_info_Wm (TypeNode *iface, + INVALID_RECURSION ("g_type_plugin_*", iholder->plugin, NODE_NAME (iface)); + + check_interface_info_I (iface, instance_type, &tmp_info); +- iholder->info = g_memdup (&tmp_info, sizeof (tmp_info)); ++ iholder->info = g_memdup2 (&tmp_info, sizeof (tmp_info)); + } + + return iholder; /* we don't modify write lock upon returning NULL */ +@@ -2013,10 +2014,10 @@ type_iface_vtable_base_init_Wm (TypeNode *iface, + IFaceEntry *pentry = type_lookup_iface_entry_L (pnode, iface); + + if (pentry) +- vtable = g_memdup (pentry->vtable, iface->data->iface.vtable_size); ++ vtable = g_memdup2 (pentry->vtable, iface->data->iface.vtable_size); + } + if (!vtable) +- vtable = g_memdup (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size); ++ vtable = g_memdup2 (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size); + entry->vtable = vtable; + vtable->g_type = NODE_TYPE (iface); + vtable->g_instance_type = NODE_TYPE (node); +diff --git a/gobject/gtypemodule.c b/gobject/gtypemodule.c +index c67f789b1..cf877bc0b 100644 +--- a/gobject/gtypemodule.c ++++ b/gobject/gtypemodule.c +@@ -19,6 +19,7 @@ + + #include + ++#include "gstrfuncsprivate.h" + #include "gtypeplugin.h" + #include "gtypemodule.h" + +@@ -436,7 +437,7 @@ g_type_module_register_type (GTypeModule *module, + module_type_info->loaded = TRUE; + module_type_info->info = *type_info; + if (type_info->value_table) +- module_type_info->info.value_table = g_memdup (type_info->value_table, ++ module_type_info->info.value_table = g_memdup2 (type_info->value_table, + sizeof (GTypeValueTable)); + + return module_type_info->type; +diff --git a/gobject/tests/param.c b/gobject/tests/param.c +index 758289bf8..971cff162 100644 +--- a/gobject/tests/param.c ++++ b/gobject/tests/param.c +@@ -2,6 +2,8 @@ + #include + #include + ++#include "gstrfuncsprivate.h" ++ + static void + test_param_value (void) + { +@@ -851,7 +853,7 @@ main (int argc, char *argv[]) + test_path = g_strdup_printf ("/param/implement/subprocess/%d-%d-%d-%d", + data.change_this_flag, data.change_this_type, + data.use_this_flag, data.use_this_type); +- test_data = g_memdup (&data, sizeof (TestParamImplementData)); ++ test_data = g_memdup2 (&data, sizeof (TestParamImplementData)); + g_test_add_data_func_full (test_path, test_data, test_param_implement_child, g_free); + g_free (test_path); + } +-- +2.31.1 + diff --git a/SOURCES/0004-glib-Use-g_memdup2-instead-of-g_memdup-in-obvious-pl.patch b/SOURCES/0004-glib-Use-g_memdup2-instead-of-g_memdup-in-obvious-pl.patch new file mode 100644 index 0000000..b8642d2 --- /dev/null +++ b/SOURCES/0004-glib-Use-g_memdup2-instead-of-g_memdup-in-obvious-pl.patch @@ -0,0 +1,284 @@ +From 3bfea0105adc5d946a82995ad439d8119b55dae2 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:41:21 +0000 +Subject: [PATCH 04/12] glib: Use g_memdup2() instead of g_memdup() in obvious + places +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Convert all the call sites which use `g_memdup()`’s length argument +trivially (for example, by passing a `sizeof()` or an existing `gsize` +variable), so that they use `g_memdup2()` instead. + +In almost all of these cases the use of `g_memdup()` would not have +caused problems, but it will soon be deprecated, so best port away from +it + +In particular, this fixes an overflow within `g_bytes_new()`, identified +as GHSL-2021-045 by GHSL team member Kevin Backhouse. + +Signed-off-by: Philip Withnall +Fixes: GHSL-2021-045 +Helps: #2319 +--- + glib/gbytes.c | 6 ++++-- + glib/gdir.c | 3 ++- + glib/ghash.c | 1 + + glib/giochannel.c | 1 + + glib/gslice.c | 3 ++- + glib/gtestutils.c | 3 ++- + glib/gvariant.c | 7 ++++--- + glib/gvarianttype.c | 3 ++- + glib/tests/array-test.c | 4 +++- + glib/tests/option-context.c | 6 ++++-- + glib/tests/uri.c | 2 ++ + 11 files changed, 27 insertions(+), 12 deletions(-) + +diff --git a/glib/gbytes.c b/glib/gbytes.c +index 3b14a51cd..5141170d7 100644 +--- a/glib/gbytes.c ++++ b/glib/gbytes.c +@@ -33,6 +33,8 @@ + + #include + ++#include "gstrfuncsprivate.h" ++ + /** + * GBytes: + * +@@ -94,7 +96,7 @@ g_bytes_new (gconstpointer data, + { + g_return_val_if_fail (data != NULL || size == 0, NULL); + +- return g_bytes_new_take (g_memdup (data, size), size); ++ return g_bytes_new_take (g_memdup2 (data, size), size); + } + + /** +@@ -490,7 +492,7 @@ g_bytes_unref_to_data (GBytes *bytes, + * Copy: Non g_malloc (or compatible) allocator, or static memory, + * so we have to copy, and then unref. + */ +- result = g_memdup (bytes->data, bytes->size); ++ result = g_memdup2 (bytes->data, bytes->size); + *size = bytes->size; + g_bytes_unref (bytes); + } +diff --git a/glib/gdir.c b/glib/gdir.c +index cb4ad0b2f..9d955d57f 100644 +--- a/glib/gdir.c ++++ b/glib/gdir.c +@@ -37,6 +37,7 @@ + #include "gconvert.h" + #include "gfileutils.h" + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gtestutils.h" + #include "glibintl.h" + +@@ -113,7 +114,7 @@ g_dir_open_with_errno (const gchar *path, + return NULL; + #endif + +- return g_memdup (&dir, sizeof dir); ++ return g_memdup2 (&dir, sizeof dir); + } + + /** +diff --git a/glib/ghash.c b/glib/ghash.c +index 6bb04a50d..d475e6d64 100644 +--- a/glib/ghash.c ++++ b/glib/ghash.c +@@ -34,6 +34,7 @@ + + #include "glib-private.h" + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gatomic.h" + #include "gtestutils.h" + #include "gslice.h" +diff --git a/glib/giochannel.c b/glib/giochannel.c +index f01817a83..ec2cada6f 100644 +--- a/glib/giochannel.c ++++ b/glib/giochannel.c +@@ -37,6 +37,7 @@ + #include "giochannel.h" + + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gtestutils.h" + #include "glibintl.h" + #include "gunicodeprivate.h" +diff --git a/glib/gslice.c b/glib/gslice.c +index 454c8a602..8e2359515 100644 +--- a/glib/gslice.c ++++ b/glib/gslice.c +@@ -45,6 +45,7 @@ + #include "gmain.h" + #include "gmem.h" /* gslice.h */ + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gutils.h" + #include "gtrashstack.h" + #include "gtestutils.h" +@@ -352,7 +353,7 @@ g_slice_get_config_state (GSliceConfig ckey, + array[i++] = allocator->contention_counters[address]; + array[i++] = allocator_get_magazine_threshold (allocator, address); + *n_values = i; +- return g_memdup (array, sizeof (array[0]) * *n_values); ++ return g_memdup2 (array, sizeof (array[0]) * *n_values); + default: + return NULL; + } +diff --git a/glib/gtestutils.c b/glib/gtestutils.c +index 0447dcda5..14e071fce 100644 +--- a/glib/gtestutils.c ++++ b/glib/gtestutils.c +@@ -49,6 +49,7 @@ + #include "gpattern.h" + #include "grand.h" + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gtimer.h" + #include "gslice.h" + #include "gspawn.h" +@@ -3397,7 +3398,7 @@ g_test_log_extract (GTestLogBuffer *tbuffer) + if (p <= tbuffer->data->str + mlength) + { + g_string_erase (tbuffer->data, 0, mlength); +- tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup (&msg, sizeof (msg))); ++ tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup2 (&msg, sizeof (msg))); + return TRUE; + } + +diff --git a/glib/gvariant.c b/glib/gvariant.c +index 8be9ce798..45a1a73dc 100644 +--- a/glib/gvariant.c ++++ b/glib/gvariant.c +@@ -33,6 +33,7 @@ + + #include + ++#include "gstrfuncsprivate.h" + + /** + * SECTION:gvariant +@@ -720,7 +721,7 @@ g_variant_new_variant (GVariant *value) + g_variant_ref_sink (value); + + return g_variant_new_from_children (G_VARIANT_TYPE_VARIANT, +- g_memdup (&value, sizeof value), ++ g_memdup2 (&value, sizeof value), + 1, g_variant_is_trusted (value)); + } + +@@ -1224,7 +1225,7 @@ g_variant_new_fixed_array (const GVariantType *element_type, + return NULL; + } + +- data = g_memdup (elements, n_elements * element_size); ++ data = g_memdup2 (elements, n_elements * element_size); + value = g_variant_new_from_data (array_type, data, + n_elements * element_size, + FALSE, g_free, data); +@@ -1901,7 +1902,7 @@ g_variant_dup_bytestring (GVariant *value, + if (length) + *length = size; + +- return g_memdup (original, size + 1); ++ return g_memdup2 (original, size + 1); + } + + /** +diff --git a/glib/gvarianttype.c b/glib/gvarianttype.c +index c8433e65a..dbbf7d2d1 100644 +--- a/glib/gvarianttype.c ++++ b/glib/gvarianttype.c +@@ -28,6 +28,7 @@ + + #include + ++#include "gstrfuncsprivate.h" + + /** + * SECTION:gvarianttype +@@ -1174,7 +1175,7 @@ g_variant_type_new_tuple (const GVariantType * const *items, + g_assert (offset < sizeof buffer); + buffer[offset++] = ')'; + +- return (GVariantType *) g_memdup (buffer, offset); ++ return (GVariantType *) g_memdup2 (buffer, offset); + } + + /** +diff --git a/glib/tests/array-test.c b/glib/tests/array-test.c +index 64b996fb8..f784c06f8 100644 +--- a/glib/tests/array-test.c ++++ b/glib/tests/array-test.c +@@ -30,6 +30,8 @@ + #include + #include "glib.h" + ++#include "gstrfuncsprivate.h" ++ + static void + sum_up (gpointer data, + gpointer user_data) +@@ -913,7 +915,7 @@ byte_array_new_take (void) + GByteArray *gbarray; + guint8 *data; + +- data = g_memdup ("woooweeewow", 11); ++ data = g_memdup2 ("woooweeewow", 11); + gbarray = g_byte_array_new_take (data, 11); + g_assert (gbarray->data == data); + g_assert_cmpuint (gbarray->len, ==, 11); +diff --git a/glib/tests/option-context.c b/glib/tests/option-context.c +index a1e7b051c..be214b312 100644 +--- a/glib/tests/option-context.c ++++ b/glib/tests/option-context.c +@@ -27,6 +27,8 @@ + #include + #include + ++#include "gstrfuncsprivate.h" ++ + static GOptionEntry main_entries[] = { + { "main-switch", 0, 0, + G_OPTION_ARG_NONE, NULL, +@@ -256,7 +258,7 @@ join_stringv (int argc, char **argv) + static char ** + copy_stringv (char **argv, int argc) + { +- return g_memdup (argv, sizeof (char *) * (argc + 1)); ++ return g_memdup2 (argv, sizeof (char *) * (argc + 1)); + } + + static void +@@ -2275,7 +2277,7 @@ test_group_parse (void) + g_option_context_add_group (context, group); + + argv = split_string ("program --test arg1 -f arg2 --group-test arg3 --frob arg4 -z arg5", &argc); +- orig_argv = g_memdup (argv, (argc + 1) * sizeof (char *)); ++ orig_argv = g_memdup2 (argv, (argc + 1) * sizeof (char *)); + + retval = g_option_context_parse (context, &argc, &argv, &error); + +diff --git a/glib/tests/uri.c b/glib/tests/uri.c +index d292f33bf..77847ae6c 100644 +--- a/glib/tests/uri.c ++++ b/glib/tests/uri.c +@@ -27,6 +27,8 @@ + #include + #include + ++#include "gstrfuncsprivate.h" ++ + typedef struct + { + char *filename; +-- +2.31.1 + diff --git a/SOURCES/0005-gwinhttpfile-Avoid-arithmetic-overflow-when-calculat.patch b/SOURCES/0005-gwinhttpfile-Avoid-arithmetic-overflow-when-calculat.patch new file mode 100644 index 0000000..215b091 --- /dev/null +++ b/SOURCES/0005-gwinhttpfile-Avoid-arithmetic-overflow-when-calculat.patch @@ -0,0 +1,47 @@ +From 14e8a9e9f26d33170ea092cd9eaf63d3d33ec6da Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 16:12:24 +0000 +Subject: [PATCH 05/12] gwinhttpfile: Avoid arithmetic overflow when + calculating a size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The members of `URL_COMPONENTS` (`winhttp_file->url`) are `DWORD`s, i.e. +32-bit unsigned integers. Adding to and multiplying them may cause them +to overflow the unsigned integer bounds, even if the result is passed to +`g_memdup2()` which accepts a `gsize`. + +Cast the `URL_COMPONENTS` members to `gsize` first to ensure that the +arithmetic is done in terms of `gsize`s rather than unsigned integers. + +Spotted by Sebastian Dröge. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gio/win32/gwinhttpfile.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c +index f424d21cc..e98031a98 100644 +--- a/gio/win32/gwinhttpfile.c ++++ b/gio/win32/gwinhttpfile.c +@@ -394,10 +394,10 @@ g_winhttp_file_resolve_relative_path (GFile *file, + child = g_object_new (G_TYPE_WINHTTP_FILE, NULL); + child->vfs = winhttp_file->vfs; + child->url = winhttp_file->url; +- child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); +- child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); +- child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); +- child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); ++ child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, ((gsize) winhttp_file->url.dwSchemeLength + 1) * 2); ++ child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, ((gsize) winhttp_file->url.dwHostNameLength + 1) * 2); ++ child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, ((gsize) winhttp_file->url.dwUserNameLength + 1) * 2); ++ child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, ((gsize) winhttp_file->url.dwPasswordLength + 1) * 2); + child->url.lpszUrlPath = wnew_path; + child->url.dwUrlPathLength = wcslen (wnew_path); + child->url.lpszExtraInfo = NULL; +-- +2.31.1 + diff --git a/SOURCES/0006-gdatainputstream-Handle-stop_chars_len-internally-as.patch b/SOURCES/0006-gdatainputstream-Handle-stop_chars_len-internally-as.patch new file mode 100644 index 0000000..79ef901 --- /dev/null +++ b/SOURCES/0006-gdatainputstream-Handle-stop_chars_len-internally-as.patch @@ -0,0 +1,94 @@ +From 587a525b7eb44e770857cfd4526ebb49ded4e4c8 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:49:00 +0000 +Subject: [PATCH 06/12] gdatainputstream: Handle stop_chars_len internally as + gsize + +Previously it was handled as a `gssize`, which meant that if the +`stop_chars` string was longer than `G_MAXSSIZE` there would be an +overflow. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gio/gdatainputstream.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/gio/gdatainputstream.c b/gio/gdatainputstream.c +index 9f207b158..f9891bb09 100644 +--- a/gio/gdatainputstream.c ++++ b/gio/gdatainputstream.c +@@ -27,6 +27,7 @@ + #include "gioenumtypes.h" + #include "gioerror.h" + #include "glibintl.h" ++#include "gstrfuncsprivate.h" + + #include + +@@ -856,7 +857,7 @@ static gssize + scan_for_chars (GDataInputStream *stream, + gsize *checked_out, + const char *stop_chars, +- gssize stop_chars_len) ++ gsize stop_chars_len) + { + GBufferedInputStream *bstream; + const char *buffer; +@@ -952,7 +953,7 @@ typedef struct + gsize checked; + + gchar *stop_chars; +- gssize stop_chars_len; ++ gsize stop_chars_len; + gsize length; + } GDataInputStreamReadData; + +@@ -1078,12 +1079,17 @@ g_data_input_stream_read_async (GDataInputStream *stream, + { + GDataInputStreamReadData *data; + GTask *task; ++ gsize stop_chars_len_unsigned; + + data = g_slice_new0 (GDataInputStreamReadData); +- if (stop_chars_len == -1) +- stop_chars_len = strlen (stop_chars); +- data->stop_chars = g_memdup (stop_chars, stop_chars_len); +- data->stop_chars_len = stop_chars_len; ++ ++ if (stop_chars_len < 0) ++ stop_chars_len_unsigned = strlen (stop_chars); ++ else ++ stop_chars_len_unsigned = (gsize) stop_chars_len; ++ ++ data->stop_chars = g_memdup2 (stop_chars, stop_chars_len_unsigned); ++ data->stop_chars_len = stop_chars_len_unsigned; + data->last_saw_cr = FALSE; + + task = g_task_new (stream, cancellable, callback, user_data); +@@ -1338,17 +1344,20 @@ g_data_input_stream_read_upto (GDataInputStream *stream, + gssize found_pos; + gssize res; + char *data_until; ++ gsize stop_chars_len_unsigned; + + g_return_val_if_fail (G_IS_DATA_INPUT_STREAM (stream), NULL); + + if (stop_chars_len < 0) +- stop_chars_len = strlen (stop_chars); ++ stop_chars_len_unsigned = strlen (stop_chars); ++ else ++ stop_chars_len_unsigned = (gsize) stop_chars_len; + + bstream = G_BUFFERED_INPUT_STREAM (stream); + + checked = 0; + +- while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len)) == -1) ++ while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len_unsigned)) == -1) + { + if (g_buffered_input_stream_get_available (bstream) == + g_buffered_input_stream_get_buffer_size (bstream)) +-- +2.31.1 + diff --git a/SOURCES/0007-gwin32-Use-gsize-internally-in-g_wcsdup.patch b/SOURCES/0007-gwin32-Use-gsize-internally-in-g_wcsdup.patch new file mode 100644 index 0000000..ae43683 --- /dev/null +++ b/SOURCES/0007-gwin32-Use-gsize-internally-in-g_wcsdup.patch @@ -0,0 +1,69 @@ +From 9878d5eaeb18bc05131dee9a316f74e717626018 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:50:37 +0000 +Subject: [PATCH 07/12] gwin32: Use gsize internally in g_wcsdup() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This allows it to handle strings up to length `G_MAXSIZE` — previously +it would overflow with such strings. + +Update the several copies of it identically. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gio/gwin32registrykey.c | 34 ++++++++++++++++++++++++++-------- + 1 file changed, 26 insertions(+), 8 deletions(-) + +diff --git a/gio/gwin32registrykey.c b/gio/gwin32registrykey.c +index 619fd48af..fbd65311a 100644 +--- a/gio/gwin32registrykey.c ++++ b/gio/gwin32registrykey.c +@@ -127,16 +127,34 @@ typedef enum + G_WIN32_REGISTRY_UPDATED_PATH = 1, + } GWin32RegistryKeyUpdateFlag; + ++static gsize ++g_utf16_len (const gunichar2 *str) ++{ ++ gsize result; ++ ++ for (result = 0; str[0] != 0; str++, result++) ++ ; ++ ++ return result; ++} ++ + static gunichar2 * +-g_wcsdup (const gunichar2 *str, +- gssize str_size) ++g_wcsdup (const gunichar2 *str, gssize str_len) + { +- if (str_size == -1) +- { +- str_size = wcslen (str) + 1; +- str_size *= sizeof (gunichar2); +- } +- return g_memdup (str, str_size); ++ gsize str_len_unsigned; ++ gsize str_size; ++ ++ g_return_val_if_fail (str != NULL, NULL); ++ ++ if (str_len < 0) ++ str_len_unsigned = g_utf16_len (str); ++ else ++ str_len_unsigned = (gsize) str_len; ++ ++ g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1); ++ str_size = (str_len_unsigned + 1) * sizeof (gunichar2); ++ ++ return g_memdup2 (str, str_size); + } + + /** +-- +2.31.1 + diff --git a/SOURCES/0008-gkeyfilesettingsbackend-Handle-long-keys-when-conver.patch b/SOURCES/0008-gkeyfilesettingsbackend-Handle-long-keys-when-conver.patch new file mode 100644 index 0000000..b133f2f --- /dev/null +++ b/SOURCES/0008-gkeyfilesettingsbackend-Handle-long-keys-when-conver.patch @@ -0,0 +1,94 @@ +From 34f26a016a55a742615538dfe5392e53b61fc46d Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:58:32 +0000 +Subject: [PATCH 08/12] gkeyfilesettingsbackend: Handle long keys when + converting paths + +Previously, the code in `convert_path()` could not handle keys longer +than `G_MAXINT`, and would overflow if that was exceeded. + +Convert the code to use `gsize` and `g_memdup2()` throughout, and +change from identifying the position of the final slash in the string +using a signed offset `i`, to using a pointer to the character (and +`strrchr()`). This allows the slash to be at any position in a +`G_MAXSIZE`-long string, without sacrificing a bit of the offset for +indicating whether a slash was found. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gio/gkeyfilesettingsbackend.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c +index f74e3682c..063df1ee7 100644 +--- a/gio/gkeyfilesettingsbackend.c ++++ b/gio/gkeyfilesettingsbackend.c +@@ -33,6 +33,7 @@ + #include "gfilemonitor.h" + #include "gsimplepermission.h" + #include "gsettingsbackendinternal.h" ++#include "gstrfuncsprivate.h" + #include "giomodule-priv.h" + #include "gportalsupport.h" + +@@ -145,8 +146,8 @@ convert_path (GKeyfileSettingsBackend *kfsb, + gchar **group, + gchar **basename) + { +- gint key_len = strlen (key); +- gint i; ++ gsize key_len = strlen (key); ++ const gchar *last_slash; + + if (key_len < kfsb->prefix_len || + memcmp (key, kfsb->prefix, kfsb->prefix_len) != 0) +@@ -155,38 +156,36 @@ convert_path (GKeyfileSettingsBackend *kfsb, + key_len -= kfsb->prefix_len; + key += kfsb->prefix_len; + +- for (i = key_len; i >= 0; i--) +- if (key[i] == '/') +- break; ++ last_slash = strrchr (key, '/'); + + if (kfsb->root_group) + { + /* if a root_group was specified, make sure the user hasn't given + * a path that ghosts that group name + */ +- if (i == kfsb->root_group_len && memcmp (key, kfsb->root_group, i) == 0) ++ if (last_slash != NULL && (last_slash - key) == kfsb->root_group_len && memcmp (key, kfsb->root_group, last_slash - key) == 0) + return FALSE; + } + else + { + /* if no root_group was given, ensure that the user gave a path */ +- if (i == -1) ++ if (last_slash == NULL) + return FALSE; + } + + if (group) + { +- if (i >= 0) ++ if (last_slash != NULL) + { +- *group = g_memdup (key, i + 1); +- (*group)[i] = '\0'; ++ *group = g_memdup2 (key, (last_slash - key) + 1); ++ (*group)[(last_slash - key)] = '\0'; + } + else + *group = g_strdup (kfsb->root_group); + } + + if (basename) +- *basename = g_memdup (key + i + 1, key_len - i); ++ *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key)); + + return TRUE; + } +-- +2.31.1 + diff --git a/SOURCES/0009-gsocket-Use-gsize-to-track-native-sockaddr-s-size.patch b/SOURCES/0009-gsocket-Use-gsize-to-track-native-sockaddr-s-size.patch new file mode 100644 index 0000000..382556a --- /dev/null +++ b/SOURCES/0009-gsocket-Use-gsize-to-track-native-sockaddr-s-size.patch @@ -0,0 +1,100 @@ +From 4d5c5d6af772f5fe6121eec403305a1b4340327d Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 14:00:53 +0000 +Subject: [PATCH 09/12] =?UTF-8?q?gsocket:=20Use=20gsize=20to=20track=20nat?= + =?UTF-8?q?ive=20sockaddr=E2=80=99s=20size?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Don’t use an `int`, that’s potentially too small. In practical terms, +this is not a problem, since no socket address is going to be that big. + +By making these changes we can use `g_memdup2()` without warnings, +though. Fewer warnings is good. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gio/gsocket.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/gio/gsocket.c b/gio/gsocket.c +index b4a941eb1..7f41ffd3c 100644 +--- a/gio/gsocket.c ++++ b/gio/gsocket.c +@@ -80,6 +80,8 @@ + #include "gwin32networking.h" + #endif + ++#include "gstrfuncsprivate.h" ++ + /** + * SECTION:gsocket + * @short_description: Low-level socket object +@@ -173,7 +175,7 @@ static gboolean g_socket_datagram_based_condition_wait (GDatagramBased + GError **error); + + static GSocketAddress * +-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len); ++cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len); + + static gssize + g_socket_receive_message_with_timeout (GSocket *socket, +@@ -270,7 +272,7 @@ struct _GSocketPrivate + struct { + GSocketAddress *addr; + struct sockaddr *native; +- gint native_len; ++ gsize native_len; + guint64 last_used; + } recv_addr_cache[RECV_ADDR_CACHE_SIZE]; + }; +@@ -5018,14 +5020,14 @@ g_socket_send_messages_with_timeout (GSocket *socket, + } + + static GSocketAddress * +-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len) ++cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len) + { + GSocketAddress *saddr; + gint i; + guint64 oldest_time = G_MAXUINT64; + gint oldest_index = 0; + +- if (native_len <= 0) ++ if (native_len == 0) + return NULL; + + saddr = NULL; +@@ -5033,7 +5035,7 @@ cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len) + { + GSocketAddress *tmp = socket->priv->recv_addr_cache[i].addr; + gpointer tmp_native = socket->priv->recv_addr_cache[i].native; +- gint tmp_native_len = socket->priv->recv_addr_cache[i].native_len; ++ gsize tmp_native_len = socket->priv->recv_addr_cache[i].native_len; + + if (!tmp) + continue; +@@ -5063,7 +5065,7 @@ cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len) + g_free (socket->priv->recv_addr_cache[oldest_index].native); + } + +- socket->priv->recv_addr_cache[oldest_index].native = g_memdup (native, native_len); ++ socket->priv->recv_addr_cache[oldest_index].native = g_memdup2 (native, native_len); + socket->priv->recv_addr_cache[oldest_index].native_len = native_len; + socket->priv->recv_addr_cache[oldest_index].addr = g_object_ref (saddr); + socket->priv->recv_addr_cache[oldest_index].last_used = g_get_monotonic_time (); +@@ -5213,6 +5215,9 @@ g_socket_receive_message_with_timeout (GSocket *socket, + { + win32_unset_event_mask (socket, FD_READ); + ++ /* addrlen has to be of type int because that’s how WSARecvFrom() is defined */ ++ G_STATIC_ASSERT (sizeof addr <= G_MAXINT); ++ + addrlen = sizeof addr; + if (address) + result = WSARecvFrom (socket->priv->fd, +-- +2.31.1 + diff --git a/SOURCES/0010-gtlspassword-Forbid-very-long-TLS-passwords.patch b/SOURCES/0010-gtlspassword-Forbid-very-long-TLS-passwords.patch new file mode 100644 index 0000000..4a68e7c --- /dev/null +++ b/SOURCES/0010-gtlspassword-Forbid-very-long-TLS-passwords.patch @@ -0,0 +1,52 @@ +From 4fd0162b758d97855beed09d81c77cb1a1626bd8 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 14:07:39 +0000 +Subject: [PATCH 10/12] gtlspassword: Forbid very long TLS passwords +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The public API `g_tls_password_set_value_full()` (and the vfunc it +invokes) can only accept a `gssize` length. Ensure that nul-terminated +strings passed to `g_tls_password_set_value()` can’t exceed that length. +Use `g_memdup2()` to avoid an overflow if they’re longer than +`G_MAXUINT` similarly. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gio/gtlspassword.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/gio/gtlspassword.c b/gio/gtlspassword.c +index 1e437a7b6..dbcec41a8 100644 +--- a/gio/gtlspassword.c ++++ b/gio/gtlspassword.c +@@ -23,6 +23,7 @@ + #include "glibintl.h" + + #include "gioenumtypes.h" ++#include "gstrfuncsprivate.h" + #include "gtlspassword.h" + + #include +@@ -287,9 +288,14 @@ g_tls_password_set_value (GTlsPassword *password, + g_return_if_fail (G_IS_TLS_PASSWORD (password)); + + if (length < 0) +- length = strlen ((gchar *)value); ++ { ++ /* FIXME: g_tls_password_set_value_full() doesn’t support unsigned gsize */ ++ gsize length_unsigned = strlen ((gchar *) value); ++ g_return_if_fail (length_unsigned > G_MAXSSIZE); ++ length = (gssize) length_unsigned; ++ } + +- g_tls_password_set_value_full (password, g_memdup (value, length), length, g_free); ++ g_tls_password_set_value_full (password, g_memdup2 (value, (gsize) length), length, g_free); + } + + /** +-- +2.31.1 + diff --git a/SOURCES/0011-giochannel-Forbid-very-long-line-terminator-strings.patch b/SOURCES/0011-giochannel-Forbid-very-long-line-terminator-strings.patch new file mode 100644 index 0000000..1191991 --- /dev/null +++ b/SOURCES/0011-giochannel-Forbid-very-long-line-terminator-strings.patch @@ -0,0 +1,57 @@ +From 0ae8a90a40335257b4f7e1f44498a8b5d4f48aab Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 14:09:40 +0000 +Subject: [PATCH 11/12] giochannel: Forbid very long line terminator strings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The public API `GIOChannel.line_term_len` is only a `guint`. Ensure that +nul-terminated strings passed to `g_io_channel_set_line_term()` can’t +exceed that length. Use `g_memdup2()` to avoid a warning (`g_memdup()` +is due to be deprecated), but not to avoid a bug, since it’s also +limited to `G_MAXUINT`. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + glib/giochannel.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/glib/giochannel.c b/glib/giochannel.c +index ec2cada6f..908730fab 100644 +--- a/glib/giochannel.c ++++ b/glib/giochannel.c +@@ -885,16 +885,25 @@ g_io_channel_set_line_term (GIOChannel *channel, + const gchar *line_term, + gint length) + { ++ guint length_unsigned; ++ + g_return_if_fail (channel != NULL); + g_return_if_fail (line_term == NULL || length != 0); /* Disallow "" */ + + if (line_term == NULL) +- length = 0; +- else if (length < 0) +- length = strlen (line_term); ++ length_unsigned = 0; ++ else if (length >= 0) ++ length_unsigned = (guint) length; ++ else ++ { ++ /* FIXME: We’re constrained by line_term_len being a guint here */ ++ gsize length_size = strlen (line_term); ++ g_return_if_fail (length_size > G_MAXUINT); ++ length_unsigned = (guint) length_size; ++ } + + g_free (channel->line_term); +- channel->line_term = line_term ? g_memdup (line_term, length) : NULL; ++ channel->line_term = line_term ? g_memdup2 (line_term, length_unsigned) : NULL; + channel->line_term_len = length; + } + +-- +2.31.1 + diff --git a/SOURCES/0012-Use-more-g_memdup2.patch b/SOURCES/0012-Use-more-g_memdup2.patch new file mode 100644 index 0000000..1d7de72 --- /dev/null +++ b/SOURCES/0012-Use-more-g_memdup2.patch @@ -0,0 +1,97 @@ +From 672c3963974bef02740dc3d4ac657876583b170d Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Wed, 31 Mar 2021 10:00:46 -0500 +Subject: [PATCH 12/12] Use more g_memdup2 + +This completes the removal of g_memdup() usage for GLib 2.56. +--- + gio/gwin32appinfo.c | 3 ++- + glib/ghash.c | 2 +- + glib/tests/gvariant.c | 9 +++++---- + 3 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/gio/gwin32appinfo.c b/gio/gwin32appinfo.c +index 499bbb351..749b282dc 100644 +--- a/gio/gwin32appinfo.c ++++ b/gio/gwin32appinfo.c +@@ -32,6 +32,7 @@ + #include + #include "glibintl.h" + #include ++#include "gstrfuncsprivate.h" + + #include + +@@ -472,7 +473,7 @@ g_wcsdup (const gunichar2 *str, gssize str_size) + str_size = wcslen (str) + 1; + str_size *= sizeof (gunichar2); + } +- return g_memdup (str, str_size); ++ return g_memdup2 (str, str_size); + } + + #define URL_ASSOCIATIONS L"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\" +diff --git a/glib/ghash.c b/glib/ghash.c +index d475e6d64..608d136f4 100644 +--- a/glib/ghash.c ++++ b/glib/ghash.c +@@ -968,7 +968,7 @@ g_hash_table_insert_node (GHashTable *hash_table, + * split the table. + */ + if (G_UNLIKELY (hash_table->keys == hash_table->values && hash_table->keys[node_index] != new_value)) +- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size); ++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size); + + /* Step 3: Actually do the write */ + hash_table->values[node_index] = new_value; +diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c +index c4a996c1f..5903b69bc 100644 +--- a/glib/tests/gvariant.c ++++ b/glib/tests/gvariant.c +@@ -14,6 +14,7 @@ + #include "config.h" + + #include ++#include + #include + #include + #include +@@ -4673,7 +4674,7 @@ test_normal_checking_tuples (void) + GVariant *variant = NULL; + GVariant *normal_variant = NULL; + +- aligned_data = g_memdup (data, size); /* guarantee alignment */ ++ aligned_data = g_memdup2 (data, size); /* guarantee alignment */ + variant = g_variant_new_from_data (G_VARIANT_TYPE_VARIANT, aligned_data, size, + FALSE, NULL, NULL); + g_assert_nonnull (variant); +@@ -4802,7 +4803,7 @@ test_normal_checking_array_offsets (void) + GVariant *variant = NULL; + GVariant *normal_variant = NULL; + +- aligned_data = g_memdup (data, size); /* guarantee alignment */ ++ aligned_data = g_memdup2 (data, size); /* guarantee alignment */ + variant = g_variant_new_from_data (G_VARIANT_TYPE_VARIANT, aligned_data, size, + FALSE, NULL, NULL); + g_assert_nonnull (variant); +@@ -4829,7 +4830,7 @@ test_normal_checking_tuple_offsets (void) + GVariant *variant = NULL; + GVariant *normal_variant = NULL; + +- aligned_data = g_memdup (data, size); /* guarantee alignment */ ++ aligned_data = g_memdup2 (data, size); /* guarantee alignment */ + variant = g_variant_new_from_data (G_VARIANT_TYPE_VARIANT, aligned_data, + size, FALSE, NULL, NULL); + g_assert_nonnull (variant); +@@ -4856,7 +4857,7 @@ test_normal_checking_empty_object_path (void) + GVariant *variant = NULL; + GVariant *normal_variant = NULL; + +- aligned_data = g_memdup (data, size); /* guarantee alignment */ ++ aligned_data = g_memdup2 (data, size); /* guarantee alignment */ + variant = g_variant_new_from_data (G_VARIANT_TYPE_VARIANT, aligned_data, size, + FALSE, NULL, NULL); + g_assert_nonnull (variant); +-- +2.31.1 + diff --git a/SPECS/glib2.spec b/SPECS/glib2.spec index 5e22638..89a23c8 100644 --- a/SPECS/glib2.spec +++ b/SPECS/glib2.spec @@ -5,7 +5,7 @@ Name: glib2 Version: 2.56.4 -Release: 9%{?dist} +Release: 10%{?dist} Summary: A library of handy utility functions License: LGPLv2+ @@ -70,6 +70,28 @@ Patch60: keyfile-backend.patch # https://gitlab.gnome.org/GNOME/glib/-/issues/1658 Patch61: CVE-2019-13012.patch +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1927 +Patch70: 0001-gstrfuncs-Add-internal-g_memdup2-function.patch +Patch71: 0002-gio-Use-g_memdup2-instead-of-g_memdup-in-obvious-pla.patch +Patch72: 0003-gobject-Use-g_memdup2-instead-of-g_memdup-in-obvious.patch +Patch73: 0004-glib-Use-g_memdup2-instead-of-g_memdup-in-obvious-pl.patch +Patch74: 0005-gwinhttpfile-Avoid-arithmetic-overflow-when-calculat.patch +Patch75: 0006-gdatainputstream-Handle-stop_chars_len-internally-as.patch +Patch76: 0007-gwin32-Use-gsize-internally-in-g_wcsdup.patch +Patch77: 0008-gkeyfilesettingsbackend-Handle-long-keys-when-conver.patch +Patch78: 0009-gsocket-Use-gsize-to-track-native-sockaddr-s-size.patch +Patch79: 0010-gtlspassword-Forbid-very-long-TLS-passwords.patch +Patch80: 0011-giochannel-Forbid-very-long-line-terminator-strings.patch +Patch81: 0012-Use-more-g_memdup2.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942 +Patch90: 0001-gbytearray-Do-not-accept-too-large-byte-arrays.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1981 +Patch100: 0001-glocalfileoutputstream-Factor-out-a-flag-check.patch +Patch101: 0002-glocalfileoutputstream-Fix-CREATE_REPLACE_DESTINATIO.patch +Patch102: 0003-glocalfileoutputstream-Add-a-missing-O_CLOEXEC-flag-.patch + %description GLib is the low-level core library that forms the basis for projects such as GTK+ and GNOME. It provides data structure handling for C, @@ -267,6 +289,14 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %{_datadir}/installed-tests %changelog +* Wed Mar 31 2021 Michael Catanzaro - 2.56.4-10 +- Fix CVE-2021-27218 + Resolves: #1939072 +- Fix CVE-2021-27219 + Resolves: #1939108 +- Fix CVE-2021-28153 + Resolves: #1939118 + * Tue Nov 10 2020 Michael Catanzaro - 2.56.4-9 - Update GHmac patch to implement g_hmac_copy() Resolves: #1786538