[LOW] Patch glib for CVE-2025-3360 (#13428)

Author: archana25-ms

SPECS/glib/CVE-2025-3360.patch

@@ -0,0 +1,138 @@
+From 407e37b2f0464eee439866e9c15d626cfb06a072 Mon Sep 17 00:00:00 2001
+From: archana25-ms <[email protected]>
+Date: Wed, 16 Apr 2025 05:26:51 +0000
+Subject: [PATCH] Address CVE-2025-3360
+Upstream Patch Reference : 
+1. https://gitlab.gnome.org/GNOME/glib/-/commit/8d60d7dc168aee73a15eb5edeb2deaf196d96114
+2. https://gitlab.gnome.org/GNOME/glib/-/commit/2fa1e183613bf58d31151ecaceab91607ccc0c6d
+3. https://gitlab.gnome.org/GNOME/glib/-/commit/0b225e7cd80801aca6e627696064d1698aaa85e7
+4. https://gitlab.gnome.org/GNOME/glib/-/commit/3672764a17c26341ab8224dcaddf3e7cad699443
+5. https://gitlab.gnome.org/GNOME/glib/-/commit/0ffdbebd9ab3246958e14ab33bd0c65b6f05fd13
+
+---
+ glib/gdatetime.c | 48 ++++++++++++++++++++++++++++--------------------
+ 1 file changed, 28 insertions(+), 20 deletions(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index 2640e3b..a28e55d 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1346,12 +1346,16 @@ parse_iso8601_date (const gchar *text, gsize length,
+     return FALSE;
+ }
+ 
++/* Value returned in tz_offset is valid if and only if the function return value
++ * is non-NULL. */
+ static GTimeZone *
+-parse_iso8601_timezone (const gchar *text, gsize length, gssize *tz_offset)
++parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ {
+-  gint i, tz_length, offset_hours, offset_minutes;
++  size_t tz_length;
++  gint offset_hours, offset_minutes;
+   gint offset_sign = 1;
+   GTimeZone *tz;
++  const char *tz_start;
+ 
+   /* UTC uses Z suffix  */
+   if (length > 0 && text[length - 1] == 'Z')
+@@ -1361,42 +1365,42 @@ parse_iso8601_timezone (const gchar *text, gsize length, gssize *tz_offset)
+     }
+ 
+   /* Look for '+' or '-' of offset */
+-  for (i = length - 1; i >= 0; i--)
+-    if (text[i] == '+' || text[i] == '-')
++  for (tz_length = 1; tz_length <= length; tz_length++)
++    if (text[length - tz_length] == '+' || text[length - tz_length] == '-')
+       {
+-        offset_sign = text[i] == '-' ? -1 : 1;
++        offset_sign = text[length - tz_length] == '-' ? -1 : 1;
+         break;
+       }
+-  if (i < 0)
++  if (tz_length > length)
+     return NULL;
+-  tz_length = length - i;
++  tz_start = text + length - tz_length;
+ 
+   /* +hh:mm or -hh:mm */
+-  if (tz_length == 6 && text[i+3] == ':')
++  if (tz_length == 6 && tz_start[3] == ':')
+     {
+-      if (!get_iso8601_int (text + i + 1, 2, &offset_hours) ||
+-          !get_iso8601_int (text + i + 4, 2, &offset_minutes))
++      if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) ||
++          !get_iso8601_int (tz_start + 4, 2, &offset_minutes))
+         return NULL;
+     }
+   /* +hhmm or -hhmm */
+   else if (tz_length == 5)
+     {
+-      if (!get_iso8601_int (text + i + 1, 2, &offset_hours) ||
+-          !get_iso8601_int (text + i + 3, 2, &offset_minutes))
++      if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) ||
++          !get_iso8601_int (tz_start + 3, 2, &offset_minutes))
+         return NULL;
+     }
+   /* +hh or -hh */
+   else if (tz_length == 3)
+     {
+-      if (!get_iso8601_int (text + i + 1, 2, &offset_hours))
++      if (!get_iso8601_int (tz_start + 1, 2, &offset_hours))
+         return NULL;
+       offset_minutes = 0;
+     }
+   else
+     return NULL;
+ 
+-  *tz_offset = i;
+-  tz = g_time_zone_new_identifier (text + i);
++  *tz_offset = tz_start - text;
++  tz = g_time_zone_new_identifier (tz_start);
+ 
+   /* Double-check that the GTimeZone matches our interpretation of the timezone.
+    * This can fail because our interpretation is less strict than (for example)
+@@ -1415,11 +1419,11 @@ static gboolean
+ parse_iso8601_time (const gchar *text, gsize length,
+                     gint *hour, gint *minute, gdouble *seconds, GTimeZone **tz)
+ {
+-  gssize tz_offset = -1;
++  size_t tz_offset = 0;
+ 
+   /* Check for timezone suffix */
+   *tz = parse_iso8601_timezone (text, length, &tz_offset);
+-  if (tz_offset >= 0)
++  if (*tz != NULL)
+     length = tz_offset;
+ 
+   /* hh:mm:ss(.sss) */
+@@ -1497,7 +1501,8 @@ parse_iso8601_time (const gchar *text, gsize length,
+ GDateTime *
+ g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz)
+ {
+-  gint length, date_length = -1;
++  size_t length, date_length = 0;
++  gboolean date_length_set = FALSE;
+   gint hour = 0, minute = 0;
+   gdouble seconds = 0.0;
+   GTimeZone *tz = NULL;
+@@ -1508,11 +1513,14 @@ g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz)
+   /* Count length of string and find date / time separator ('T', 't', or ' ') */
+   for (length = 0; text[length] != '\0'; length++)
+     {
+-      if (date_length < 0 && (text[length] == 'T' || text[length] == 't' || text[length] == ' '))
++      if (!date_length_set && (text[length] == 'T' || text[length] == 't' || text[length] == ' '))
++      {
+         date_length = length;
++        date_length_set = TRUE;
++      }
+     }
+ 
+-  if (date_length < 0)
++  if (!date_length_set)
+     return NULL;
+ 
+   if (!parse_iso8601_time (text + date_length + 1, length - (date_length + 1),
+-- 
+2.45.3
+

SPECS/glib/glib.spec

@@ -2,7 +2,7 @@
 Summary:        Low-level libraries useful for providing data structure handling for C.
 Name:           glib
 Version:        2.71.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -13,6 +13,7 @@ Patch0:         CVE-2024-52533.patch
 Patch1:         CVE-2023-29499.patch
 # This patch fixes 2 CVEs - CVE-2023-32643 and CVE-2023-32636 
 Patch2:         CVE-2023-32643-CVE-2023-32636.patch
+Patch3:         CVE-2025-3360.patch
 BuildRequires:  cmake
 BuildRequires:  gtk-doc
 BuildRequires:  libffi-devel
@@ -126,6 +127,9 @@ touch %{buildroot}%{_libdir}/gio/modules/giomodule.cache
 %doc %{_datadir}/gtk-doc/html/*
 
 %changelog
+* Wed Apr 16 2025 Archana Shettigar <[email protected]> - 2.71.0-5
+- Patch CVE-2025-3360
+
 * Thu Feb 13 2025 Ankita Pareek <[email protected]> - 2.71.0-4
 - Address CVE-2023-29499, CVE-2023-32643 and CVE-2023-32636
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -199,7 +199,7 @@ libxml2-devel-2.10.4-6.cm2.aarch64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 libsepol-3.2-2.cm2.aarch64.rpm
-glib-2.71.0-4.cm2.aarch64.rpm
+glib-2.71.0-5.cm2.aarch64.rpm
 libltdl-2.4.6-8.cm2.aarch64.rpm
 libltdl-devel-2.4.6-8.cm2.aarch64.rpm
 pcre-8.45-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -199,7 +199,7 @@ libxml2-devel-2.10.4-6.cm2.x86_64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 libsepol-3.2-2.cm2.x86_64.rpm
-glib-2.71.0-4.cm2.x86_64.rpm
+glib-2.71.0-5.cm2.x86_64.rpm
 libltdl-2.4.6-8.cm2.x86_64.rpm
 libltdl-devel-2.4.6-8.cm2.x86_64.rpm
 pcre-8.45-2.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -101,11 +101,11 @@ gdbm-lang-1.21-1.cm2.aarch64.rpm
 gettext-0.21-3.cm2.aarch64.rpm
 gettext-debuginfo-0.21-3.cm2.aarch64.rpm
 gfortran-11.2.0-8.cm2.aarch64.rpm
-glib-2.71.0-4.cm2.aarch64.rpm
-glib-debuginfo-2.71.0-4.cm2.aarch64.rpm
-glib-devel-2.71.0-4.cm2.aarch64.rpm
-glib-doc-2.71.0-4.cm2.noarch.rpm
-glib-schemas-2.71.0-4.cm2.aarch64.rpm
+glib-2.71.0-5.cm2.aarch64.rpm
+glib-debuginfo-2.71.0-5.cm2.aarch64.rpm
+glib-devel-2.71.0-5.cm2.aarch64.rpm
+glib-doc-2.71.0-5.cm2.noarch.rpm
+glib-schemas-2.71.0-5.cm2.aarch64.rpm
 glibc-2.35-7.cm2.aarch64.rpm
 glibc-debuginfo-2.35-7.cm2.aarch64.rpm
 glibc-devel-2.35-7.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -106,11 +106,11 @@ gdbm-lang-1.21-1.cm2.x86_64.rpm
 gettext-0.21-3.cm2.x86_64.rpm
 gettext-debuginfo-0.21-3.cm2.x86_64.rpm
 gfortran-11.2.0-8.cm2.x86_64.rpm
-glib-2.71.0-4.cm2.x86_64.rpm
-glib-debuginfo-2.71.0-4.cm2.x86_64.rpm
-glib-devel-2.71.0-4.cm2.x86_64.rpm
-glib-doc-2.71.0-4.cm2.noarch.rpm
-glib-schemas-2.71.0-4.cm2.x86_64.rpm
+glib-2.71.0-5.cm2.x86_64.rpm
+glib-debuginfo-2.71.0-5.cm2.x86_64.rpm
+glib-devel-2.71.0-5.cm2.x86_64.rpm
+glib-doc-2.71.0-5.cm2.noarch.rpm
+glib-schemas-2.71.0-5.cm2.x86_64.rpm
 glibc-2.35-7.cm2.x86_64.rpm
 glibc-debuginfo-2.35-7.cm2.x86_64.rpm
 glibc-devel-2.35-7.cm2.x86_64.rpm