Patch glib-networking for CVE-2025-60019

Author: azurelinux-security

SPECS/glib-networking/CVE-2025-60019.patch

@@ -0,0 +1,172 @@
+From 3ff00f7ad90b9cd88de10492d04f102ae02f3519 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Mon, 29 Sep 2025 19:19:55 +0000
+Subject: [PATCH] openssl: check return value of g_tls_bio_alloc() and
+ BIO_new(), guard BIO_free_all, and check BIO_new_mem_buf returns as per
+ upstream patches
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/263.patch
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://raw.githubusercontent.com/microsoft/azurelinux/285dc2d37625e2b33314153f6b16848fde3ff8f1/SPECS/glib-networking/CVE-2025-60019.patch
+---
+ tls/openssl/gtlsbio.c                 |  6 ++--
+ tls/openssl/gtlscertificate-openssl.c | 44 +++++++++++++++++++--------
+ 2 files changed, 35 insertions(+), 15 deletions(-)
+
+diff --git a/tls/openssl/gtlsbio.c b/tls/openssl/gtlsbio.c
+index 4e138e7..93f930a 100644
+--- a/tls/openssl/gtlsbio.c
++++ b/tls/openssl/gtlsbio.c
+@@ -355,7 +355,8 @@ g_tls_bio_new_from_iostream (GIOStream *io_stream)
+   GTlsBio *gbio;
+ 
+   ret = g_tls_bio_alloc (&gbio);
+-  gbio->io_stream = g_object_ref (io_stream);
++  if (ret)
++    gbio->io_stream = g_object_ref (io_stream);
+ 
+   return ret;
+ }
+@@ -367,7 +368,8 @@ g_tls_bio_new_from_datagram_based (GDatagramBased *socket)
+   GTlsBio *gbio;
+ 
+   ret = g_tls_bio_alloc (&gbio);
+-  gbio->socket = g_object_ref (socket);
++  if (ret)
++    gbio->socket = g_object_ref (socket);
+ 
+   return ret;
+ }
+diff --git a/tls/openssl/gtlscertificate-openssl.c b/tls/openssl/gtlscertificate-openssl.c
+index 648f3e8..a8f146b 100644
+--- a/tls/openssl/gtlscertificate-openssl.c
++++ b/tls/openssl/gtlscertificate-openssl.c
+@@ -166,6 +166,8 @@ export_privkey_to_der (GTlsCertificateOpenssl  *openssl,
+     goto err;
+ 
+   bio = BIO_new (BIO_s_mem ());
++  if (!bio)
++    goto err;
+   if (i2d_PKCS8_PRIV_KEY_INFO_bio (bio, pkcs8) == 0)
+     goto err;
+ 
+@@ -199,6 +201,9 @@ export_privkey_to_pem (GTlsCertificateOpenssl *openssl)
+     return NULL;
+ 
+   bio = BIO_new (BIO_s_mem ());
++  if (!bio)
++    goto out;
++
+   ret = PEM_write_bio_PKCS8PrivateKey (bio, openssl->key, NULL, NULL, 0, NULL, NULL);
+   if (ret == 0)
+     goto out;
+@@ -211,7 +216,7 @@ export_privkey_to_pem (GTlsCertificateOpenssl *openssl)
+   result = g_strdup (data);
+ 
+ out:
+-  BIO_free_all (bio);
++  g_clear_pointer (&bio, BIO_free_all);
+   return result;
+ }
+ 
+@@ -232,6 +237,9 @@ maybe_import_pkcs12 (GTlsCertificateOpenssl *openssl)
+     return;
+ 
+   bio = BIO_new (BIO_s_mem ());
++  if (!bio)
++    goto import_failed;
++
+   status = BIO_write (bio, openssl->pkcs12_data->data, openssl->pkcs12_data->len);
+   if (status <= 0)
+     goto import_failed;
+@@ -323,7 +331,7 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+   guint8 *data;
+   BIO *bio;
+   GByteArray *byte_array;
+-  char *certificate_pem;
++  const char *certificate_pem;
+   long size;
+ 
+   const ASN1_TIME *time_asn1;
+@@ -362,15 +370,12 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+     case PROP_CERTIFICATE_PEM:
+       bio = BIO_new (BIO_s_mem ());
+ 
+-      if (!PEM_write_bio_X509 (bio, openssl->cert) || !BIO_write (bio, "\0", 1))
+-        certificate_pem = NULL;
+-      else
++      if (bio && PEM_write_bio_X509 (bio, openssl->cert) == 1 && BIO_write (bio, "\0", 1) == 1)
+         {
+           BIO_get_mem_data (bio, &certificate_pem);
+           g_value_set_string (value, certificate_pem);
+-
+-          BIO_free_all (bio);
+         }
++      g_clear_pointer (&bio, BIO_free_all);
+       break;
+ 
+     case PROP_PRIVATE_KEY:
+@@ -410,6 +415,8 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+ 
+     case PROP_SUBJECT_NAME:
+       bio = BIO_new (BIO_s_mem ());
++      if (!bio)
++        break;
+       name = X509_get_subject_name (openssl->cert);
+       X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS);
+       BIO_write (bio, "\0", 1);
+@@ -420,6 +427,8 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+ 
+     case PROP_ISSUER_NAME:
+       bio = BIO_new (BIO_s_mem ());
++      if (!bio)
++        break;
+       name = X509_get_issuer_name (openssl->cert);
+       X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS);
+       BIO_write (bio, "\0", 1);
+@@ -528,8 +537,11 @@ g_tls_certificate_openssl_set_property (GObject      *object,
+         break;
+       CRITICAL_IF_CERTIFICATE_INITIALIZED ("certificate-pem");
+       bio = BIO_new_mem_buf ((gpointer)string, -1);
+-      openssl->cert = PEM_read_bio_X509 (bio, NULL, NULL, NULL);
+-      BIO_free (bio);
++      if (bio)
++        {
++          openssl->cert = PEM_read_bio_X509 (bio, NULL, NULL, NULL);
++          BIO_free (bio);
++        }
+       if (openssl->cert)
+         openssl->have_cert = TRUE;
+       else if (!openssl->construct_error)
+@@ -549,8 +561,11 @@ g_tls_certificate_openssl_set_property (GObject      *object,
+       CRITICAL_IF_KEY_INITIALIZED ("private-key");
+ 
+       bio = BIO_new_mem_buf (bytes->data, bytes->len);
+-      openssl->key = d2i_PrivateKey_bio (bio, NULL);
+-      BIO_free (bio);
++      if (bio)
++        {
++          openssl->key = d2i_PrivateKey_bio (bio, NULL);
++          BIO_free (bio);
++        }
+       if (openssl->key)
+         openssl->have_key = TRUE;
+       else if (!openssl->construct_error)
+@@ -570,8 +585,11 @@ g_tls_certificate_openssl_set_property (GObject      *object,
+       CRITICAL_IF_KEY_INITIALIZED ("private-key-pem");
+ 
+       bio = BIO_new_mem_buf ((gpointer)string, -1);
+-      openssl->key = PEM_read_bio_PrivateKey (bio, NULL, NULL, NULL);
+-      BIO_free (bio);
++      if (bio)
++        {
++          openssl->key = PEM_read_bio_PrivateKey (bio, NULL, NULL, NULL);
++          BIO_free (bio);
++        }
+       if (openssl->key)
+         openssl->have_key = TRUE;
+       else if (!openssl->construct_error)
+-- 
+2.45.4
+

SPECS/glib-networking/glib-networking.spec

@@ -1,13 +1,14 @@
 Summary:        Glib networking modules
 Name:           glib-networking
 Version:        2.78.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2+ WITH exceptions
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System Environment/Development
 URL:            https://gitlab.gnome.org/GNOME/glib-networking/
 Source0:        https://download.gnome.org/sources/%{name}/2.78/%{name}-%{version}.tar.xz
+Patch0:         CVE-2025-60019.patch
 BuildRequires:  gcc
 BuildRequires:  gettext
 BuildRequires:  meson
@@ -28,6 +29,7 @@ implementation.
 
 %prep
 %setup -q
+%patch 0 -p1
 
 %build
 %meson -Dlibproxy=disabled
@@ -47,6 +49,9 @@ implementation.
 %{_libdir}/gio/modules/libgiognutls.so
 
 %changelog
+* Tue Sep 30 2025 Azure Linux Security Servicing Account <[email protected]> - 2.78.0-2
+- Patch for CVE-2025-60019
+
 * Tue Feb 13 2024 Vince Perri <[email protected]> - 2.78.0-1
 - Upgrade to 2.78.0