Merge branch 'main' into topic_glib-2.0

Author: archana25-ms

SPECS/glib/CVE-2025-14087.patch

@@ -0,0 +1,70 @@
+From 487e062de90850689f14ca3d55cbdb9088d41bde Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 25 Nov 2025 19:02:56 +0000
+Subject: [PATCH] gvariant-parser: Fix potential integer overflow parsing
+ (byte)strings
+
+The termination condition for parsing string and bytestring literals in
+GVariant text format input was subject to an integer overflow for input
+string (or bytestring) literals longer than `INT_MAX`.
+
+Fix that by counting as a `size_t` rather than as an `int`. The counter
+can never correctly be negative.
+
+Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
+from the Sovereign Tech Agency. ID: #YWH-PGM9867-145
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+Fixes: #3834
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.gnome.org/GNOME/glib/-/commit/3e72fe0fbb32c18a66486c4da8bc851f656af287.patch
+---
+ glib/gvariant-parser.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
+index bb5238b..af6527d 100644
+--- a/glib/gvariant-parser.c
++++ b/glib/gvariant-parser.c
+@@ -594,7 +594,7 @@ ast_resolve (AST     *ast,
+ {
+   GVariant *value;
+   gchar *pattern;
+-  gint i, j = 0;
++  size_t i, j = 0;
+ 
+   pattern = ast_get_pattern (ast, error);
+ 
+@@ -1555,9 +1555,9 @@ string_free (AST *ast)
+  * No leading/trailing space allowed. */
+ static gboolean
+ unicode_unescape (const gchar  *src,
+-                  gint         *src_ofs,
++                  size_t       *src_ofs,
+                   gchar        *dest,
+-                  gint         *dest_ofs,
++                  size_t       *dest_ofs,
+                   gsize         length,
+                   SourceRef    *ref,
+                   GError      **error)
+@@ -1618,7 +1618,7 @@ string_parse (TokenStream  *stream,
+   gsize length;
+   gchar quote;
+   gchar *str;
+-  gint i, j;
++  size_t i, j;
+ 
+   token_stream_start_ref (stream, &ref);
+   token = token_stream_get (stream);
+@@ -1748,7 +1748,7 @@ bytestring_parse (TokenStream  *stream,
+   gsize length;
+   gchar quote;
+   gchar *str;
+-  gint i, j;
++  size_t i, j;
+ 
+   token_stream_start_ref (stream, &ref);
+   token = token_stream_get (stream);
+-- 
+2.45.4
+

SPECS/glib/CVE-2025-14512.patch

@@ -0,0 +1,71 @@
+From eaa4ef68c5ae930857e94f4c28c2fb3559b2660e Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 4 Dec 2025 16:37:19 +0000
+Subject: [PATCH] gfileattribute: Fix integer overflow calculating escaping for
+ byte strings
+
+The number of invalid characters in the byte string (characters which
+would have to be percent-encoded) was only stored in an `int`, which
+gave the possibility of a long string largely full of invalid
+characters overflowing this and allowing an attacker-controlled buffer
+size to be allocated.
+
+This could be triggered by an attacker controlled file attribute (of
+type `G_FILE_ATTRIBUTE_TYPE_BYTE_STRING`), such as
+`G_FILE_ATTRIBUTE_THUMBNAIL_PATH` or `G_FILE_ATTRIBUTE_STANDARD_NAME`,
+being read by user code.
+
+Spotted by Codean Labs.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+Fixes: #3845
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.gnome.org/GNOME/glib/-/commit/4f0399c0aaf3ffc86b5625424580294bc7460404.patch
+---
+ gio/gfileattribute.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gfileattribute.c b/gio/gfileattribute.c
+index 8075d1d..b14e5fa 100644
+--- a/gio/gfileattribute.c
++++ b/gio/gfileattribute.c
+@@ -20,6 +20,7 @@
+ 
+ #include "config.h"
+ 
++#include <stdint.h>
+ #include <string.h>
+ 
+ #include "gfileattribute.h"
+@@ -271,11 +272,12 @@ valid_char (char c)
+   return c >= 32 && c <= 126 && c != '\\';
+ }
+ 
++/* Returns NULL on error */
+ static char *
+ escape_byte_string (const char *str)
+ {
+   size_t i, len;
+-  int num_invalid;
++  size_t num_invalid;
+   char *escaped_val, *p;
+   unsigned char c;
+   const char hex_digits[] = "0123456789abcdef";
+@@ -293,7 +295,12 @@ escape_byte_string (const char *str)
+     return g_strdup (str);
+   else
+     {
+-      escaped_val = g_malloc (len + num_invalid*3 + 1);
++      /* Check for overflow. We want to check the inequality:
++       * !(len + num_invalid * 3 + 1 > SIZE_MAX) */
++      if (num_invalid >= (SIZE_MAX - len) / 3)
++        return NULL;
++
++      escaped_val = g_malloc (len + num_invalid * 3 + 1);
+ 
+       p = escaped_val;
+       for (i = 0; i < len; i++)
+-- 
+2.45.4
+

SPECS/glib/glib.spec

@@ -2,7 +2,7 @@
 Summary:        Low-level libraries useful for providing data structure handling for C.
 Name:           glib
 Version:        2.71.0
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -17,7 +17,9 @@ Patch3:         CVE-2025-3360.patch
 Patch4:         CVE-2025-4373.patch
 Patch5:         CVE-2025-7039.patch
 Patch6:         CVE-2025-13601.patch
-Patch7:         CVE-2024-34397.patch
+Patch7:         CVE-2025-14087.patch
+Patch8:         CVE-2025-14512.patch
+Patch9:         CVE-2024-34397.patch
 BuildRequires:  cmake
 BuildRequires:  gtk-doc
 BuildRequires:  libffi-devel
@@ -131,9 +133,12 @@ touch %{buildroot}%{_libdir}/gio/modules/giomodule.cache
 %doc %{_datadir}/gtk-doc/html/*
 
 %changelog
-* Mon Dec 22 2025 Archana Shettigar <v-shettigara@microsoft.com> - 2.71.0-9
+* Mon Dec 22 2025 Archana Shettigar <v-shettigara@microsoft.com> - 2.71.0-10
 - Patch CVE-2024-34397
 
+* Mon Dec 15 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.71.0-9
+- Patch for CVE-2025-14512, CVE-2025-14087
+
 * Sat Nov 29 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.71.0-8
 - Patch for CVE-2025-13601
 

SPECS/hdf5/CVE-2025-2153.patch

@@ -0,0 +1,43 @@
+From 4be883f34d8906bd907dcf0ddb17d47dad5357d3 Mon Sep 17 00:00:00 2001
+From: Glenn Song <gsong@hdfgroup.org>
+Date: Mon, 8 Sep 2025 17:06:52 -0500
+Subject: [PATCH 01/14] Add release text
+
+Upstream patch Reference: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5795.patch
+---
+ src/H5Ocache.c   | 4 ++--
+ src/H5Omessage.c | 3 +++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/H5Ocache.c b/src/H5Ocache.c
+index 87f321c..12c30cf 100644
+--- a/src/H5Ocache.c
++++ b/src/H5Ocache.c
+@@ -1399,8 +1399,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+             else {
+                 /* Check for message of unshareable class marked as "shareable"
+                  */
+-                if ((flags & H5O_MSG_FLAG_SHAREABLE) && H5O_msg_class_g[id] &&
+-                    !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE))
++                if (((flags & H5O_MSG_FLAG_SHARED) || (flags & H5O_MSG_FLAG_SHAREABLE)) &&
++                    H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE))
+                     HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL,
+                                 "message of unshareable class flagged as shareable");
+ 
+diff --git a/src/H5Omessage.c b/src/H5Omessage.c
+index 7190e46..fb9006c 100644
+--- a/src/H5Omessage.c
++++ b/src/H5Omessage.c
+@@ -354,6 +354,9 @@ H5O__msg_write_real(H5F_t *f, H5O_t *oh, const H5O_msg_class_t *type, unsigned m
+          */
+         assert(!(mesg_flags & H5O_MSG_FLAG_DONTSHARE));
+ 
++        /* Sanity check to see if the type is not sharable */
++        assert(type->share_flags & H5O_SHARE_IS_SHARABLE);
++
+         /* Remove the old message from the SOHM index */
+         /* (It would be more efficient to try to share the message first, then
+          *      delete it (avoiding thrashing the index in the case the ref.
+-- 
+2.45.4
+

SPECS/hdf5/CVE-2025-2310.patch

@@ -0,0 +1,37 @@
+From 2af87ef880bf562f1607aa7b6559e5c596cc0233 Mon Sep 17 00:00:00 2001
+From: Matthew Larson <matthewjlar@gmail.com>
+Date: Wed, 24 Sep 2025 15:26:20 -0500
+Subject: [PATCH 1/4] Add null-termination check during attr decode
+
+Upstream Patch Reference: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5872.patch
+---
+ src/H5Oattr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hdf5-1.14.6/src/H5Oattr.c b/hdf5-1.14.6/src/H5Oattr.c
+index 6d1d237..7bdaef7 100644
+--- a/src/H5Oattr.c
++++ b/src/H5Oattr.c
+@@ -167,6 +167,11 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
+     if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+         HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+     UINT16DECODE(p, name_len); /* Including null */
++
++    /* Verify that retrieved name length (including null byte) is valid */
++    if (name_len <= 1)
++        HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "decoded name length is invalid");
++
+     if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+         HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+     UINT16DECODE(p, attr->shared->dt_size);
+@@ -190,6 +195,7 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
+      */
+     if (H5_IS_BUFFER_OVERFLOW(p, name_len, p_end))
+         HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
++   
+     if (NULL == (attr->shared->name = H5MM_strndup((const char *)p, name_len - 1)))
+         HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed");
+ 
+-- 
+2.45.4
+

SPECS/hdf5/CVE-2025-2914.patch

@@ -0,0 +1,47 @@
+From 54f404b5ad8e63d99e3283646b543b2842a22fd3 Mon Sep 17 00:00:00 2001
+From: Binh-Minh <bmribler@hdfgroup.org>
+Date: Tue, 12 Aug 2025 20:06:42 -0400
+Subject: [PATCH] Refix of the attempts in PR-5209
+
+This PR addresses the root cause of the issue by adding a sanity-check immediately
+after reading the file space page size from the file.
+
+The same fuzzer in GH-5376 was used to verify that the assert before the vulnerability
+had occurred and that an error indicating a corrupted file space page size replaced it.
+
+Upstream Patch Reference: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5722.patch
+---
+ src/H5Fsuper.c  | 2 ++
+ src/H5Ofsinfo.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/src/H5Fsuper.c b/src/H5Fsuper.c
+index d9fe3a7..1c8dc6c 100644
+--- a/src/H5Fsuper.c
++++ b/src/H5Fsuper.c
+@@ -746,6 +746,8 @@ H5F__super_read(H5F_t *f, H5P_genplist_t *fa_plist, bool initial_read)
+             if (!(flags & H5O_MSG_FLAG_WAS_UNKNOWN)) {
+                 H5O_fsinfo_t fsinfo; /* File space info message from superblock extension */
+ 
++                memset(&fsinfo, 0, sizeof(H5O_fsinfo_t));
++
+                 /* f->shared->null_fsm_addr: Whether to drop free-space to the floor */
+                 /* The h5clear tool uses this property to tell the library
+                  * to drop free-space to the floor
+diff --git a/src/H5Ofsinfo.c b/src/H5Ofsinfo.c
+index 5b69235..2bb6ea6 100644
+--- a/src/H5Ofsinfo.c
++++ b/src/H5Ofsinfo.c
+@@ -182,6 +182,9 @@ H5O__fsinfo_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU
+         if (H5_IS_BUFFER_OVERFLOW(p, H5F_sizeof_size(f), p_end))
+             HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+         H5F_DECODE_LENGTH(f, p, fsinfo->page_size); /* File space page size */
++        /* Basic sanity check */
++        if (fsinfo->page_size == 0 || fsinfo->page_size > H5F_FILE_SPACE_PAGE_SIZE_MAX)
++            HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "invalid page size in file space info");
+ 
+         if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+             HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+-- 
+2.45.4
+

SPECS/hdf5/CVE-2025-2924.patch

@@ -0,0 +1,36 @@
+From 422035e1c0a30f3b363a3994e62ac46f92db9b75 Mon Sep 17 00:00:00 2001
+From: Glenn Song <gsong@hdfgroup.org>
+Date: Thu, 11 Sep 2025 16:24:33 -0500
+Subject: [PATCH 1/4] Add to sanity check
+
+Upstream Patch Reference: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5814.patch
+---
+ src/H5HLcache.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/H5HLcache.c b/src/H5HLcache.c
+index d0836fe..7f412d2 100644
+--- a/src/H5HLcache.c
++++ b/src/H5HLcache.c
+@@ -225,6 +225,7 @@ H5HL__fl_deserialize(H5HL_t *heap)
+     /* check arguments */
+     assert(heap);
+     assert(!heap->freelist);
++    HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t));
+ 
+     /* Build free list */
+     free_block = heap->free_block;
+@@ -232,6 +233,10 @@ H5HL__fl_deserialize(H5HL_t *heap)
+         const uint8_t *image; /* Pointer into image buffer */
+ 
+         /* Sanity check */
++
++        if (free_block > UINT64_MAX - (2 * heap->sizeof_size))
++            HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "decoded heap block address overflow");
++
+         if ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size)
+             HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list");
+ 
+-- 
+2.45.4
+

SPECS/hdf5/CVE-2025-2925.patch

@@ -0,0 +1,43 @@
+From c731305ad3717924a9f48d4e4929956e80ce2cb3 Mon Sep 17 00:00:00 2001
+From: Glenn Song <gsong@hdfgroup.org>
+Date: Thu, 21 Aug 2025 11:36:23 -0500
+Subject: [PATCH 01/10] Fix issue5383
+
+Upstream Patch Reference: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5739.patch
+---
+ src/H5Centry.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/H5Centry.c b/src/H5Centry.c
+index 1ca7479..aedcad8 100644
+--- a/src/H5Centry.c
++++ b/src/H5Centry.c
+@@ -1051,9 +1051,14 @@ H5C__load_entry(H5F_t *f,
+          */
+         do {
+             if (actual_len != len) {
++	         /* Verify that the length isn't a bad value  */
++                if (len == 0)
++		    HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "len is a bad value");
++
+                 if (NULL == (new_image = H5MM_realloc(image, len + H5C_IMAGE_EXTRA_SPACE)))
+                     HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()");
+                 image = (uint8_t *)new_image;
++
+ #if H5C_DO_MEMORY_SANITY_CHECKS
+                 H5MM_memcpy(image + len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE);
+ #endif        /* H5C_DO_MEMORY_SANITY_CHECKS */
+@@ -1104,6 +1109,10 @@ H5C__load_entry(H5F_t *f,
+                     if (H5C__verify_len_eoa(f, type, addr, &actual_len, true) < 0)
+                         HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len exceeds EOA");
+ 
++                    /* Verify that the length isn't 0  */
++                    if (actual_len == 0)
++                        HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len is a bad value");
++
+                     /* Expand buffer to new size */
+                     if (NULL == (new_image = H5MM_realloc(image, actual_len + H5C_IMAGE_EXTRA_SPACE)))
+                         HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()");
+-- 
+2.45.4
+