Patch glib for CVE-2025-13601

Author: azurelinux-security

SPECS/glib/CVE-2025-13601.patch

@@ -0,0 +1,135 @@
+From 65ebc5f7d91a98b96bb7730433722b4b235cc74b Mon Sep 17 00:00:00 2001
+From: Philip Withnall <[email protected]>
+Date: Thu, 13 Nov 2025 18:27:22 +0000
+Subject: [PATCH] gconvert: Error out if g_escape_uri_string() would overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the string to escape contains a very large number of unacceptable
+characters (which would need escaping), the calculation of the length of
+the escaped string could overflow, leading to a potential write off the
+end of the newly allocated string.
+
+In addition to that, the number of unacceptable characters was counted
+in a signed integer, which would overflow to become negative, making it
+easier for an attacker to craft an input string which would cause an
+out-of-bounds write.
+
+Fix that by validating the allocation length, and using an unsigned
+integer to count the number of unacceptable characters.
+
+Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
+from the Sovereign Tech Agency. ID: #YWH-PGM9867-134
+
+Signed-off-by: Philip Withnall <[email protected]>
+
+Fixes: #3827
+
+Backport 2.86: Changed the translatable error message to re-use an
+existing translatable string, to avoid adding new translatable strings
+to a stable branch. The re-used string doesn’t perfectly match the
+error, but it’s good enough given that no users will ever see it.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://gitlab.gnome.org/GNOME/glib/-/commit/9bcd65ba5fa1b92ff0fb8380faea335ccef56253.patch
+---
+ glib/gconvert.c | 36 +++++++++++++++++++++++++-----------
+ 1 file changed, 25 insertions(+), 11 deletions(-)
+
+diff --git a/glib/gconvert.c b/glib/gconvert.c
+index 69bcc2f..d43631c 100644
+--- a/glib/gconvert.c
++++ b/glib/gconvert.c
+@@ -1428,8 +1428,9 @@ static const gchar hex[] = "0123456789ABCDEF";
+ /* Note: This escape function works on file: URIs, but if you want to
+  * escape something else, please read RFC-2396 */
+ static gchar *
+-g_escape_uri_string (const gchar *string, 
+-		     UnsafeCharacterSet mask)
++g_escape_uri_string (const gchar         *string,
++                     UnsafeCharacterSet   mask,
++                     GError             **error)
+ {
+ #define ACCEPTABLE(a) ((a)>=32 && (a)<128 && (acceptable[(a)-32] & use_mask))
+ 
+@@ -1437,7 +1438,7 @@ g_escape_uri_string (const gchar *string,
+   gchar *q;
+   gchar *result;
+   int c;
+-  gint unacceptable;
++  size_t unacceptable;
+   UnsafeCharacterSet use_mask;
+   
+   g_return_val_if_fail (mask == UNSAFE_ALL
+@@ -1454,7 +1455,14 @@ g_escape_uri_string (const gchar *string,
+       if (!ACCEPTABLE (c)) 
+ 	unacceptable++;
+     }
+-  
++
++  if (unacceptable >= (G_MAXSIZE - (p - string)) / 2)
++    {
++      g_set_error_literal (error, G_CONVERT_ERROR, G_CONVERT_ERROR_BAD_URI,
++                           _("Invalid hostname"));
++      return NULL;
++    }
++
+   result = g_malloc (p - string + unacceptable * 2 + 1);
+   
+   use_mask = mask;
+@@ -1479,12 +1487,13 @@ g_escape_uri_string (const gchar *string,
+ 
+ 
+ static gchar *
+-g_escape_file_uri (const gchar *hostname,
+-		   const gchar *pathname)
++g_escape_file_uri (const gchar  *hostname,
++                   const gchar  *pathname,
++                   GError      **error)
+ {
+   char *escaped_hostname = NULL;
+-  char *escaped_path;
+-  char *res;
++  char *escaped_path = NULL;
++  char *res = NULL;
+ 
+ #ifdef G_OS_WIN32
+   char *p, *backslash;
+@@ -1505,10 +1514,14 @@ g_escape_file_uri (const gchar *hostname,
+ 
+   if (hostname && *hostname != '\0')
+     {
+-      escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST);
++      escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST, error);
++      if (escaped_hostname == NULL)
++        goto out;
+     }
+ 
+-  escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH);
++  escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH, error);
++  if (escaped_path == NULL)
++    goto out;
+ 
+   res = g_strconcat ("file://",
+ 		     (escaped_hostname) ? escaped_hostname : "",
+@@ -1516,6 +1529,7 @@ g_escape_file_uri (const gchar *hostname,
+ 		     escaped_path,
+ 		     NULL);
+ 
++out:
+ #ifdef G_OS_WIN32
+   g_free ((char *) pathname);
+ #endif
+@@ -1849,7 +1863,7 @@ g_filename_to_uri (const gchar *filename,
+     hostname = NULL;
+ #endif
+ 
+-  escaped_uri = g_escape_file_uri (hostname, filename);
++  escaped_uri = g_escape_file_uri (hostname, filename, error);
+ 
+   return escaped_uri;
+ }
+-- 
+2.45.4
+

SPECS/glib/glib.spec

@@ -2,7 +2,7 @@
 Summary:        Low-level libraries useful for providing data structure handling for C.
 Name:           glib
 Version:        2.78.6
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -14,6 +14,7 @@ Patch1:         CVE-2025-3360.patch
 Patch2:         CVE-2025-4373.patch
 Patch3:         CVE-2025-6052.patch
 Patch4:         CVE-2025-7039.patch
+Patch5:         CVE-2025-13601.patch
 BuildRequires:  cmake
 BuildRequires:  gtk-doc
 BuildRequires:  libffi-devel
@@ -126,6 +127,9 @@ touch %{buildroot}%{_libdir}/gio/modules/giomodule.cache
 %doc %{_datadir}/gtk-doc/html/*
 
 %changelog
+* Sat Nov 29 2025 Azure Linux Security Servicing Account <[email protected]> - 2.78.6-5
+- Patch for CVE-2025-13601
+
 * Mon Sep 08 2025 Azure Linux Security Servicing Account <[email protected]> - 2.78.6-4
 - Patch for CVE-2025-7039
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -208,7 +208,7 @@ libxml2-devel-2.11.5-7.azl3.aarch64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
 docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-2.azl3.aarch64.rpm
-glib-2.78.6-4.azl3.aarch64.rpm
+glib-2.78.6-5.azl3.aarch64.rpm
 libltdl-2.4.7-1.azl3.aarch64.rpm
 libltdl-devel-2.4.7-1.azl3.aarch64.rpm
 lua-5.4.6-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -208,7 +208,7 @@ libxml2-devel-2.11.5-7.azl3.x86_64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
 docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-2.azl3.x86_64.rpm
-glib-2.78.6-4.azl3.x86_64.rpm
+glib-2.78.6-5.azl3.x86_64.rpm
 libltdl-2.4.7-1.azl3.x86_64.rpm
 libltdl-devel-2.4.7-1.azl3.x86_64.rpm
 lua-5.4.6-1.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -122,11 +122,11 @@ gdbm-lang-1.23-1.azl3.aarch64.rpm
 gettext-0.22-1.azl3.aarch64.rpm
 gettext-debuginfo-0.22-1.azl3.aarch64.rpm
 gfortran-13.2.0-7.azl3.aarch64.rpm
-glib-2.78.6-4.azl3.aarch64.rpm
-glib-debuginfo-2.78.6-4.azl3.aarch64.rpm
-glib-devel-2.78.6-4.azl3.aarch64.rpm
-glib-doc-2.78.6-4.azl3.noarch.rpm
-glib-schemas-2.78.6-4.azl3.aarch64.rpm
+glib-2.78.6-5.azl3.aarch64.rpm
+glib-debuginfo-2.78.6-5.azl3.aarch64.rpm
+glib-devel-2.78.6-5.azl3.aarch64.rpm
+glib-doc-2.78.6-5.azl3.noarch.rpm
+glib-schemas-2.78.6-5.azl3.aarch64.rpm
 glibc-2.38-15.azl3.aarch64.rpm
 glibc-debuginfo-2.38-15.azl3.aarch64.rpm
 glibc-devel-2.38-15.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -129,11 +129,11 @@ gdbm-lang-1.23-1.azl3.x86_64.rpm
 gettext-0.22-1.azl3.x86_64.rpm
 gettext-debuginfo-0.22-1.azl3.x86_64.rpm
 gfortran-13.2.0-7.azl3.x86_64.rpm
-glib-2.78.6-4.azl3.x86_64.rpm
-glib-debuginfo-2.78.6-4.azl3.x86_64.rpm
-glib-devel-2.78.6-4.azl3.x86_64.rpm
-glib-doc-2.78.6-4.azl3.noarch.rpm
-glib-schemas-2.78.6-4.azl3.x86_64.rpm
+glib-2.78.6-5.azl3.x86_64.rpm
+glib-debuginfo-2.78.6-5.azl3.x86_64.rpm
+glib-devel-2.78.6-5.azl3.x86_64.rpm
+glib-doc-2.78.6-5.azl3.noarch.rpm
+glib-schemas-2.78.6-5.azl3.x86_64.rpm
 glibc-2.38-15.azl3.x86_64.rpm
 glibc-debuginfo-2.38-15.azl3.x86_64.rpm
 glibc-devel-2.38-15.azl3.x86_64.rpm