Bug 2372666 (CVE-2025-6052)

Summary: CVE-2025-6052 glib: Integer overflow in g_string_maybe_expand() leading to potential buffer overflow in GLib GString
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: adudiak, debarshir, kshier, omaciel, stcannon, wilfried.pascault, yguenane
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.
Bug Depends On: 2372670, 2372671, 2372672, 2372673

Description OSIDB Bzimport 2025-06-13 12:10:12 UTC
An integer overflow vulnerability exists in the g_string_maybe_expand() function of the GLib library. When extremely large strings are used and more data is appended, an internal size calculation can wrap around, making the system incorrectly assume that there’s enough space in the buffer. This leads to a buffer overflow, causing memory corruption or a crash. Although difficult to exploit in practice due to the extremely large memory conditions required, this issue could be triggered remotely if an application accepts large untrusted input and uses GString for string operations.
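The following C model illustrates the size arithmetic the description refers to. It is an added example, not GLib's code and not the upstream patch discussed in the comments below: a toy growable string (ToyString, toy_string_append_len, checked_required and the other names are constructed for this example) computes the bytes needed for an append as `len + add + 1`. The unchecked version returns a wrapped, too-small value for a very large `len`; the checked version refuses the append instead, which is the property a caller needs before it resizes a buffer and copies into it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable string, constructed for this example after the three-field
 * layout the report describes (buffer, length, allocation). Not GLib's GString. */
typedef struct {
  char   *str;
  size_t  len;
  size_t  allocated_len;
} ToyString;

void toy_string_init(ToyString *s) {
  s->str = NULL;
  s->len = 0;
  s->allocated_len = 0;
}

void toy_string_free(ToyString *s) {
  free(s->str);
  toy_string_init(s);
}

/* Unchecked size computation: current contents + appended bytes + NUL.
 * For a very large len the sum wraps and comes out smaller than len itself;
 * a caller that trusts it allocates far too little and the following memcpy
 * writes past the buffer. This function only computes the number, so the
 * wrap can be observed without touching memory. */
size_t unchecked_required(size_t len, size_t add) {
  return len + add + 1;
}

/* Checked version: fails instead of returning a wrapped size. The budget is
 * SIZE_MAX - 1 because one byte is reserved for the terminating NUL. */
bool checked_required(size_t len, size_t add, size_t *out) {
  if (len > SIZE_MAX - 1 || add > SIZE_MAX - 1 - len)
    return false;
  *out = len + add + 1;
  return true;
}

/* Convenience wrapper for callers that only need the size: 0 means refused. */
size_t checked_required_or_zero(size_t len, size_t add) {
  size_t out;
  return checked_required(len, add, &out) ? out : 0;
}

/* Next power of two >= n, saturating at SIZE_MAX rather than shifting to 0. */
static size_t nearest_pow(size_t n) {
  size_t p = 1;
  while (p < n) {
    if (p > SIZE_MAX / 2)
      return SIZE_MAX;
    p <<= 1;
  }
  return p;
}

/* Append that grows the buffer only through the checked arithmetic. Returns
 * false, leaving the string untouched, when the request cannot be satisfied. */
bool toy_string_append_len(ToyString *s, const char *data, size_t add) {
  size_t required;
  if (!checked_required(s->len, add, &required))
    return false;
  if (required > s->allocated_len) {
    size_t new_alloc = nearest_pow(required);
    char *p = realloc(s->str, new_alloc);
    if (p == NULL)
      return false;
    s->str = p;
    s->allocated_len = new_alloc;
  }
  memcpy(s->str + s->len, data, add);
  s->len += add;
  s->str[s->len] = '\0';
  return true;
}

/* Exercises the append path: two ordinary appends succeed, an append whose
 * size computation would wrap is refused, and the final length (12) is returned. */
size_t demo_append(void) {
  ToyString s;
  size_t len = 0;
  toy_string_init(&s);
  if (toy_string_append_len(&s, "hello", 5) &&
      toy_string_append_len(&s, ", world", 7) &&
      strcmp(s.str, "hello, world") == 0 &&
      !toy_string_append_len(&s, "x", SIZE_MAX))
    len = s.len;
  toy_string_free(&s);
  return len;
}

int main(void) {
  size_t big = SIZE_MAX - 2;
  printf("unchecked: len=%zu add=5 -> required=%zu (wrapped below len)\n",
         big, unchecked_required(big, 5));
  printf("checked:   required=%zu (0 = refused)\n", checked_required_or_zero(big, 5));
  printf("demo_append length: %zu\n", demo_append());
  return 0;
}
```

The check is written with subtraction (`add > SIZE_MAX - 1 - len`) rather than by testing the sum afterwards, so it stays correct in plain C without relying on compiler builtins; the saturating `nearest_pow` covers the second place where growth arithmetic can silently wrap, the rounding of the allocation size.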

Comment 1 Abhishek Raj 2025-06-13 12:38:39 UTC
Affected versions: GLib 2.75.3 until 2.84.3

Comment 2 Wilfried P 2025-06-27 08:48:32 UTC
(In reply to Abhishek Raj from comment #1)
> Affected versions: GLib 2.75.3 until 2.84.3

Hello.
Are you sure 2.84.3 is affected as well?

If the fix is the following one:
https://github.com/GNOME/glib/commit/33d9ba2fcc907b4f9a6c0540f9976b64b6f59db2

Then it has been embedded into 2.85.1 [1] and 2.84.3 [2][3]

[1] https://github.com/GNOME/glib/commit/33d9ba2fcc907b4f9a6c0540f9976b64b6f59db2
[2] https://github.com/GNOME/glib/commit/37eecaa7efc48a0df22277444ff25ff791ac0ac1
[3] https://github.com/GNOME/glib/commit/987309f23ada52592bffdb5db0d8a5d58bd8097b

Can you please confirm?

Thanks

Comment 3 Debarshi Ray 2025-11-06 16:16:46 UTC
(In reply to Wilfried P from comment #2)
> If the fix is the following one:
> https://github.com/GNOME/glib/commit/33d9ba2fcc907b4f9a6c0540f9976b64b6f59db2

Yes, that's the fix.

It caused a regression that was fixed in 2.85.2 with:
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4681
https://github.com/GNOME/glib/commit/e6b4c28bbaa381785ea319888278906454ff9e0e

Comment 4 Debarshi Ray 2025-11-06 16:27:13 UTC
(In reply to Wilfried P from comment #2)

> If the fix is the following one:
> https://github.com/GNOME/glib/commit/33d9ba2fcc907b4f9a6c0540f9976b64b6f59db2
> 
> Then it has been embedded into 2.85.1 [1] and 2.84.3 [2][3]
> 
> [1]
> https://github.com/GNOME/glib/commit/33d9ba2fcc907b4f9a6c0540f9976b64b6f59db2
> [3]
> https://github.com/GNOME/glib/commit/987309f23ada52592bffdb5db0d8a5d58bd8097b

Yes, [3] is the backport of the fix for 2.84.x.