glib: fix UB in VariantStrIter::impl_get #1343
Merged: sdroege merged 1 commit into gtk-rs:master from decathorpe:master on Mar 30, 2024
sdroege (Member) approved these changes on Mar 30, 2024
Thanks!
ggrossman added a commit to Quickture/gtk-rs-core that referenced this pull request on Jan 18, 2026

Change impl_get to use mutable reference for pointer parameter.

The g_variant_get_child C function mutates the pointer passed as an out-parameter. Passing an immutable reference (&p) is unsound because it violates Rust's aliasing rules. With recent compiler optimizations, these unsound writes were being ignored, causing NULL pointer dereferences when the iterator was used.

Fix: Change 'let p' to 'let mut p' and pass '&mut p' instead of '&p' to g_variant_get_child.

This backports the fix from gtk-rs-core PR gtk-rs#1343 to the 0.18 branch.

Fixes: https://rustsec.org/advisories/RUSTSEC-2024-0429
Upstream-Fix: gtk-rs#1343
ggrossman added a commit to Quickture/gtk-rs-core that referenced this pull request on Jan 18, 2026

The RUSTSEC advisory specifies that patched versions are >= 0.20.0. While this is based on glib 0.18.5, it includes the fix from PR gtk-rs#1343 backported from 0.20.0. Bumping the version number allows vulnerability scanners to correctly identify this as patched. This is a Quickture-specific change to satisfy Oneleet's version-based vulnerability scanning.
doublegate added a commit to doublegate/SPECTRE that referenced this pull request on Feb 6, 2026

Add comprehensive documentation for glib unsoundness vulnerability affecting Linux GUI builds. This is an accepted risk due to upstream Tauri dependencies.

Changes:
- SECURITY.md: Added "Known Limitations" section with detailed analysis
- CHANGELOG.md: Documented the security advisory in [Unreleased] section

Advisory Details:
- ID: GHSA-wrw7-89jp-8q8g / RUSTSEC-2024-0429
- Severity: Medium (CVSS 6.9)
- Component: glib v0.18.5 (via Tauri 2.10.2 → GTK3)
- Platform: Linux only (macOS/Windows unaffected)
- Impact: LOW exploitability - crashes rather than RCE

Root Cause:
- Tauri 2.10.2 depends on webkit2gtk v2.0.2
- webkit2gtk v2.0.2 requires GTK3 (gtk v0.18.2, UNMAINTAINED)
- GTK3 bindings locked to glib v0.18.x (vulnerable versions: 0.15.0-0.19.x)
- Fix requires glib v0.20.0+ which needs GTK4 migration

Fix Status:
- Cannot upgrade glib without breaking GTK3 dependencies
- GTK4 migration requires Tauri v3 (in development)
- Monitoring: tauri-apps/tauri#7335

Mitigation:
- CLI/TUI interfaces unaffected (no GTK dependencies)
- GUI code path doesn't directly use vulnerable VariantStrIter
- Users advised to use CLI/TUI for mission-critical operations

References:
- GitHub Advisory: GHSA-wrw7-89jp-8q8g
- RustSec: https://rustsec.org/advisories/RUSTSEC-2024-0429
- Fix PR: gtk-rs/gtk-rs-core#1343
- Tauri Issue: tauri-apps/tauri#12048

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
bb111189 added a commit to jiayaoqijia/ClawSecurity that referenced this pull request on Feb 12, 2026

…nsoundness)

Use [patch.crates-io] to redirect glib to alt-research/gtk-rs-core 0.18-patched branch, which backports the fix from gtk-rs/gtk-rs-core#1343. Upstream only patched glib >= 0.20.0, but Tauri 2.x depends on the gtk-rs 0.18.x ecosystem. The fix is a two-line change (immutable to mutable reference in VariantStrIter::impl_get).
tidynest added a commit to tidynest/gtk-rs-core that referenced this pull request on Apr 7, 2026

Pass pointer as &mut p instead of &p to g_variant_get_child to fix undefined behaviour that causes NULL pointer dereferences with optimized builds on recent Rust compilers. Backport of gtk-rs#1343 to the 0.18 branch.
Passing an immutable reference (&p) to a function that mutates the data behind the pointer violates Rust's invariants.

This causes multiple tests in the test suite to crash when compiling it with optimizations (either --release mode or with opt-level of 2 or 3) with recent Rust versions, which is easy to reproduce, especially with nightly Rust:

Looks like this wasn't caught earlier because the wrapped C function is variadic and there's less type checking happening because of that.
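
The call shape this PR describes, next to its corrected form, as an added example that is not code from the PR or from gtk-rs. It assumes libc's variadic `sscanf` as a stand-in for `g_variant_get_child` so that it builds without GLib; `scan_int` and `scan_into` are hypothetical names.

```rust
use std::ffi::CStr;
use std::os::raw::{c_char, c_int};

// Stand-in for g_variant_get_child: libc's sscanf is also variadic and also
// writes its results through pointer arguments (assumption of this example).
unsafe extern "C" {
    // `...` means rustc cannot check the type or mutability of what follows.
    fn sscanf(s: *const c_char, format: *const c_char, ...) -> c_int;
}

// Unsound shape described in the PR (shown as a comment only, never run):
//
//     let n: c_int = 0;
//     sscanf(s.as_ptr(), fmt.as_ptr(), &n); // C writes through `&c_int`
//     n                                     // optimizer may assume still 0
//
// It compiles because of the `...`, but writing through a shared reference
// to a non-`mut` binding is undefined behaviour.

/// Sound shape: a `mut` binding, handed over as `&mut`, read after the call.
pub fn scan_int(s: &CStr) -> Option<c_int> {
    let fmt = CStr::from_bytes_with_nul(b"%d\0").unwrap();
    let mut n: c_int = 0;
    // SAFETY: both strings are NUL-terminated, and `%d` expects exactly one
    // `int *`, which points at a live, writable c_int.
    let matched = unsafe { sscanf(s.as_ptr(), fmt.as_ptr(), &mut n as *mut c_int) };
    if matched == 1 { Some(n) } else { None }
}

/// Hypothetical typed shim: a fixed signature in front of the variadic call
/// restores type checking, so `scan_into(s, &n)` is rejected at compile time
/// (`&c_int` does not coerce to `*mut c_int`).
pub unsafe fn scan_into(s: *const c_char, out: *mut c_int) -> bool {
    unsafe { sscanf(s, b"%d\0".as_ptr() as *const c_char, out) == 1 }
}

fn main() {
    let input = CStr::from_bytes_with_nul(b"1343\0").unwrap(); // constructed sample
    println!("{:?}", scan_int(input));
    let mut n: c_int = 0;
    let ok = unsafe { scan_into(input.as_ptr(), &mut n) };
    println!("{ok} {n}");
}
```

When auditing other bindings for the same defect, the call sites to check are those that pass `&x` or a non-`mut` binding to a variadic FFI function whose format string implies an out-parameter.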