  Msg # 25 of 505 on ZZLI4427, Thursday 8-20-25, 12:37  
  From: SIMON MCVITTIE  
  To: ALL  
  Subj: Bug#1111600: bookworm-pu: package glib2.  
  
 +-  gint64 now_us; 
 +-  static int counter = 0; 
 ++  guint64 value; 
 ++  guint64 now_us; 
 ++  static guint counter = 0; 
 + 
 +   g_return_val_if_fail (tmpl != NULL, -1); 
 + 
 +@@ -1504,7 +1504,7 @@ get_tmp_file (gchar            *tmpl, 
 + 
 +   for (count = 0; count < 100; value += 7777, ++count) 
 +     { 
 +-      gint64 v = value; 
 ++      guint64 v = value; 
 + 
 +       /* Fill in the random bits.  */ 
 +       XXXXXX[0] = letters[v % NLETTERS]; 
 diff -Nru glib2.0-2.74.6/debian/patches/glib-gfileutils.c-use-64 
 bits-for-value-in-get_tmp_file.patch glib2.0-2.74.6/debian/patch 
 s/glib-gfileutils.c-use-64-bits-for-value-in-get_tmp_file.patch 
 --- glib2.0-2.74.6/debian/patches/glib-gfileutils.c-use-64-bits- 
 or-value-in-get_tmp_file.patch 1970-01-01 01:00:00.000000000 +0100 
 +++ glib2.0-2.74.6/debian/patches/glib-gfileutils.c-use-64-bits- 
 or-value-in-get_tmp_file.patch 2025-08-18 09:27:51.000000000 +0100 
 @@ -0,0 +1,40 @@ 
 +From: Alexander Kanavin  
 +Date: Tue, 22 Aug 2023 19:57:48 +0200 
 +Subject: glib/gfileutils.c: use 64 bits for value in get_tmp_file() 
 + 
 +On 32 bit systems 'long' value will overflow in 2038 and become negative. 
 +As it is used to index into letters array, and % operation preserves signs, 
 +data corruption will then occur. 
 + 
 +[This change makes the patch for CVE-2025-7039 apply cleanly -smcv] 
 + 
 +Signed-off-by: Alexander Kanavin  
 +Origin: upstream, 2.77.3, commit:285db475ecaa4d2cc39ce326b4c63aacb87ca6ad 
 +Origin: upstream, 2.76.5, commit:b4d60ba1367f15843577d4363b32fb16847b9582 
 +Bug-CVE: CVE-2025-7039 
 +--- 
 + glib/gfileutils.c | 4 ++-- 
 + 1 file changed, 2 insertions(+), 2 deletions(-) 
 + 
 +diff --git a/glib/gfileutils.c b/glib/gfileutils.c 
 +index 722575e..22c04e1 100644 
 +--- a/glib/gfileutils.c 
 ++++ b/glib/gfileutils.c 
 +@@ -1483,7 +1483,7 @@ get_tmp_file (gchar            *tmpl, 
 +   static const char letters[] = 
 +     "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; 
 +   static const int NLETTERS = sizeof (letters) - 1; 
 +-  glong value; 
 ++  gint64 value; 
 +   gint64 now_us; 
 +   static int counter = 0; 
 + 
 +@@ -1504,7 +1504,7 @@ get_tmp_file (gchar            *tmpl, 
 + 
 +   for (count = 0; count < 100; value += 7777, ++count) 
 +     { 
 +-      glong v = value; 
 ++      gint64 v = value; 
 + 
 +       /* Fill in the random bits.  */ 
 +       XXXXXX[0] = letters[v % NLETTERS]; 
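Review bot: Widening `value` and `v` to gint64 removes the 32-bit truncation the message describes, but `v % NLETTERS` on the last line of the hunk is still a signed modulo, so any negative `value` would still yield a negative index into `letters[]`; that residual case appears to be what the guint64 change in the preceding hunk of this upload addresses. For that reason the `Bug-CVE: CVE-2025-7039` trailer on this preparatory patch is misleading when read on its own, and I would make the bracketed note explicit, e.g. `[Prerequisite only: makes the CVE-2025-7039 fix apply cleanly, does not address the CVE by itself -smcv]`. The body of get_tmp_file starts and ends outside both nested hunks, so the origin of `value` (the `now_us`/`counter` computation) is not visible here.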
 diff -Nru glib2.0-2.74.6/debian/patches/gstring-carefully-handle 
 gssize-parameters.patch glib2.0-2.74.6/debian/patches/gstring-ca 
 efully-handle-gssize-parameters.patch 
 --- glib2.0-2.74.6/debian/patches/gstring-carefully-handle-gssiz 
 -parameters.patch 1970-01-01 01:00:00.000000000 +0100 
 +++ glib2.0-2.74.6/debian/patches/gstring-carefully-handle-gssiz 
 -parameters.patch 2025-08-18 09:27:51.000000000 +0100 
 @@ -0,0 +1,119 @@ 
 +From: Michael Catanzaro  
 +Date: Mon, 28 Apr 2025 16:03:08 +0000 
 +Subject: gstring: carefully handle gssize parameters 
 + 
 +Wherever we use gssize to allow passing -1, we need to ensure we don't 
 +overflow the value by assigning a gsize to it without checking if the 
 +size exceeds the maximum gssize. The safest way to do this is to just 
 +use normal gsize everywhere instead and use gssize only for the 
 +parameter. 
 + 
 +Our computers don't have enough RAM to write tests for this. I tried 
 +forcing string->len to high values for test purposes, but this isn't 
 +valid and will just cause out of bounds reads/writes due to 
 +string->allocated_len being unexpectedly small, so I don't think we can 
 +test this easily. 
 + 
 +(cherry picked from commit cc647f9e46d55509a93498af19659baf9c80f2e3) 
 + 
 +Co-authored-by: Michael Catanzaro  
 +Bug: https://gitlab.gnome.org/GNOME/glib/-/issues/3677 
 +Bug-CVE: CVE-2025-4373 
 +Bug-Debian: https://bugs.debian.org/1104930 
 +Origin: upstream, 2.84.2, commit:a47dc889463d73dd47ad428ac217e3d84f28e242 
 +--- 
 + glib/gstring.c | 36 +++++++++++++++++++++++------------- 
 + 1 file changed, 23 insertions(+), 13 deletions(-) 
 + 
 +diff --git a/glib/gstring.c b/glib/gstring.c 
 +index 6abb70b..1a79759 100644 
 +--- a/glib/gstring.c 
 ++++ b/glib/gstring.c 
 +@@ -426,8 +426,9 @@ g_string_insert_len (GString     *string, 
 +     return string; 
 + 
 +   if (len < 0) 
 +-    len = strlen (val); 
 +-  len_unsigned = len; 
 ++    len_unsigned = strlen (val); 
 ++  else 
 ++    len_unsigned = len; 
 + 
 +   if (pos < 0) 
 +     pos_unsigned = string->len; 
 +@@ -725,10 +726,12 @@ g_string_insert_c (GString *string, 
 +   g_string_maybe_expand (string, 1); 
 + 
 +   if (pos < 0) 
 +-    pos = string->len; 
 ++    pos_unsigned = string->len; 
 +   else 
 +-    g_return_val_if_fail ((gsize) pos <= string->len, string); 
 +-  pos_unsigned = pos; 
 ++    { 
 ++      pos_unsigned = pos; 
 ++      g_return_val_if_fail (pos_unsigned <= string->len, string); 
 ++    } 
 + 
 +   /* If not just an append, move the old stuff */ 
 +   if (pos_unsigned < string->len) 
 +@@ -761,6 +764,7 @@ g_string_insert_unichar (GString  *string, 
 +                          gssize    pos, 
 +                          gunichar  wc) 
 + { 
 ++  gsize pos_unsigned; 
 +   gint charlen, first, i; 
 +   gchar *dest; 
 + 
 +@@ -802,15 +806,18 @@ g_string_insert_unichar (GString  *string, 
 +   g_string_maybe_expand (string, charlen); 
 + 
 +   if (pos < 0) 
 +-    pos = string->len; 
 ++    pos_unsigned = string->len; 
 +   else 
 +-    g_return_val_if_fail ((gsize) pos <= string->len, string); 
 ++    { 
 ++      pos_unsigned = pos; 
 ++      g_return_val_if_fail (pos_unsigned <= string->len, string); 
 ++    } 
 + 
 +   /* If not just an append, move the old stuff */ 
 +-  if ((gsize) pos < string->len) 
 +-    memmove (string->str + pos + charlen, string->str + pos, string->len - 
 pos); 
 ++  if (pos_unsigned < string->len) 
 ++    memmove (string->str + pos_unsigned + charlen, string->str + 
 pos_unsigned, string->len - pos_unsigned); 
 + 
 +-  dest = string->str + pos; 
 ++  dest = string->str + pos_unsigned; 
 +   /* Code copied from g_unichar_to_utf() */ 
 +   for (i = charlen - 1; i > 0; --i) 
 +     { 
 +@@ -868,6 +875,7 @@ g_string_overwrite_len (GString     *string, 
 +                         const gchar *val, 
 +                         gssize       len) 
 + { 
 ++  gssize len_unsigned; 
 +   gsize end; 
 + 
 +   g_return_val_if_fail (string != NULL, NULL); 
 +@@ -879,14 +887,16 @@ g_string_overwrite_len (GString     *string, 
 +   g_return_val_if_fail (pos <= string->len, string); 
 + 
 +   if (len < 0) 
 +-    len = strlen (val); 
 ++    len_unsigned = strlen (val); 
 ++  else 
 ++    len_unsigned = len; 
 + 
 +-  end = pos + len; 
 ++  end = pos + len_unsigned; 
 + 
 +   if (end > string->len) 
 +     g_string_maybe_expand (string, end - string->len); 
 + 
 +-  memcpy (string->str + pos, val, len); 
 ++  memcpy (string->str + pos, val, len_unsigned); 
 + 
 +   if (end > string->len) 
 +     { 
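Review bot: In g_string_overwrite_len the new `end = pos + len_unsigned;` can still wrap: `pos` is bounded by the earlier `g_return_val_if_fail (pos <= string->len, string)`, but `len_unsigned` is caller-supplied, so a very large `len` makes `end` small, the `end > string->len` expansion is skipped, and `memcpy (string->str + pos, val, len_unsigned)` writes past the allocation. I would guard the addition before it is used, `g_return_val_if_fail (len_unsigned <= G_MAXSIZE - pos, string);` immediately before `end = pos + len_unsigned;` — an overflow check inside g_string_maybe_expand (outside this hunk) would not help, since it only sees the already-wrapped `end - string->len`. Note also that `len_unsigned` is declared `gssize` at the top of that function in this version of the patch; the following patch in the upload ("Make len_unsigned unsigned") corrects the type, so the two must be applied together. The bodies of all four functions touched here start and end outside the hunks.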
 diff -Nru glib2.0-2.74.6/debian/patches/gstring-Make-len_unsigne 
 -unsigned.patch glib2.0-2.74.6/debian/patches/gstring-Make-len_u 
 signed-unsigned.patch 
 --- glib2.0-2.74.6/debian/patches/gstring-Make-len_unsigned-unsi 
 ned.patch 1970-01-01 01:00:00.000000000 +0100 
 +++ glib2.0-2.74.6/debian/patches/gstring-Make-len_unsigned-unsi 
 ned.patch 2025-08-18 09:27:51.000000000 +0100 
 @@ -0,0 +1,25 @@ 
 +From: Peter Bloomfield  
 +Date: Fri, 11 Apr 2025 05:52:33 +0000 
 +Subject: gstring: Make len_unsigned unsigned 
 + 
 +Bug: https://gitlab.gnome.org/GNOME/glib/-/issues/3677 
 +Bug-CVE: CVE-2025-4373 
 +Bug-Debian: https://bugs.debian.org/1104930 
 +Origin: upstream, 2.84.2, commit:f32f4aea514e39086a2627e9483d841c9eeb9bc3 
 +--- 
 + glib/gstring.c | 2 +- 
  