[AutoPR- Security] Patch glib for CVE-2026-58016, CVE-2026-58015, CVE-2026-58014, CVE-2026-58013, CVE-2026-58012, CVE-2026-58011, CVE-2026-58010 [HIGH]#17880
Conversation
Kanishk-Bansal
left a comment
LGTM
Patch Analysis for CVE-2026-58016: the critical logic fix matches upstream exactly.
if (!(g_slist_length (stack) >= 1 || strcmp (stack->next->data, "node") != 0)) → if (stack->next != NULL && strcmp (stack->next->data, "node") != 0)
(fixes the NULL-deref/short-circuit bug in the D-Bus introspection parser)
- Buddy Build
- patch applied during the build (check rpm.log)
- patch includes an upstream reference
- PR has security tag
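The short-circuit and NULL-dereference behaviour described in the review above, shown side by side as an added example. This is not glib's code and not part of the PR: the parser's GSList element stack is modelled with a hypothetical minimal linked list (Elem), the element stacks are constructed by hand, and it is assumed that the guarded body is the parser's error path and that the element being opened is always on the stack when the check runs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the GSList element stack the parser is
 * given (not GLib's type): the head is the element being opened, ->next
 * is its parent, and the last entry is the document root. */
typedef struct Elem {
    const char *name;
    struct Elem *next;
} Elem;

/* Same role as g_slist_length() on the stack. */
static size_t elem_length(const Elem *l)
{
    size_t n = 0;
    for (; l != NULL; l = l->next)
        n++;
    return n;
}

/* Result of evaluating the "is this <node> misplaced?" condition.
 * REJECT means the guarded body runs (assumed here to be the parser's
 * error path); NULL_DEREF means the expression itself would crash. */
typedef enum { ALLOW = 0, REJECT = 1, NULL_DEREF = 2 } Verdict;

/* Pre-patch condition as quoted in the review:
 *   !(g_slist_length (stack) >= 1 || strcmp (stack->next->data, "node") != 0)
 * The NULL dereference is reported as a verdict instead of being executed. */
static Verdict old_condition(const Elem *stack)
{
    if (elem_length(stack) >= 1)
        return ALLOW;       /* '||' short-circuits to true, negation makes it false: the error path is dead */
    /* length 0 means stack == NULL, so stack->next->data dereferences NULL */
    return NULL_DEREF;
}

/* Post-patch condition as quoted in the review:
 *   stack->next != NULL && strcmp (stack->next->data, "node") != 0 */
static Verdict new_condition(const Elem *stack)
{
    if (stack == NULL)
        return NULL_DEREF;  /* assumed unreachable: the element being opened is always on the stack */
    if (stack->next != NULL && strcmp(stack->next->name, "node") != 0)
        return REJECT;      /* a <node> whose parent is not a <node> */
    return ALLOW;
}

/* Constructed element stacks for the parser states exercised below (head first). */
static Elem root_node     = { "node", NULL };            /* <node> at top level */
static Elem nested_node   = { "node", &root_node };      /* <node><node> */
static Elem iface         = { "interface", &root_node }; /* <node><interface> */
static Elem node_in_iface = { "node", &iface };          /* <node><interface><node> */

int main(void)
{
    static const char *label[] = { "allow", "reject", "NULL dereference" };
    const Elem *cases[] = { &root_node, &nested_node, &node_in_iface, NULL };
    const char *desc[]  = { "<node> at top level", "<node> inside <node>",
                            "<node> inside <interface>", "empty stack" };

    /* The old condition never rejects anything; the new one rejects the
     * misplaced <node> inside <interface>. */
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s old: %-16s new: %s\n", desc[i],
               label[old_condition(cases[i])], label[new_condition(cases[i])]);
    return 0;
}
```

The point the table makes is that the pre-patch expression can only ever evaluate to false (stack non-empty) or crash (stack empty), so the misplaced <node> inside <interface> is silently accepted; the post-patch expression checks the parent element directly and rejects it.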
🔒 CVE Patch Review: CVE-2026-58010, CVE-2026-58011, CVE-2026-58012, CVE-2026-58013, CVE-2026-58014, CVE-2026-58015, CVE-2026-58016 (PR #17880)
Spec File Validation
Build Verification
🤖 AI Build Log Analysis
🧪 Test Log Analysis: No test log found (package may not have a %check section).
Patch Analysis
Detailed analysis: Core fix equivalence: yes. The authoritative upstream patch changes the conditional inside
Auto Patch glib for CVE-2026-58016, CVE-2026-58015, CVE-2026-58014, CVE-2026-58013, CVE-2026-58012, CVE-2026-58011, CVE-2026-58010.
Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1150775&view=results
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
- … *-static subpackages, etc.) have had their Release tag incremented.
- … (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
- … (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
- … *.signatures.json files
- sudo make go-tidy-all and sudo make go-test-coverage pass
Summary
What does the PR accomplish, why was it needed?
Change Log
Does this affect the toolchain?
YES/NO
Associated issues
Links to CVEs
Test Methodology