From a8f6a353416e391271f17c3be84f044fcb840c6a Mon Sep 17 00:00:00 2001
From: aivong-openhands
Date: Thu, 19 Mar 2026 16:21:24 -0500
Subject: [PATCH] fix: patch GLib CVE-2025-14087 in runtime Docker images (#13403)
Co-authored-by: openhands
---
 openhands/runtime/utils/runtime_templates/Dockerfile.j2 | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/openhands/runtime/utils/runtime_templates/Dockerfile.j2 b/openhands/runtime/utils/runtime_templates/Dockerfile.j2
index 9bf06c54b2..69eb841a9f 100644
--- a/openhands/runtime/utils/runtime_templates/Dockerfile.j2
+++ b/openhands/runtime/utils/runtime_templates/Dockerfile.j2
@@ -46,6 +46,9 @@ RUN apt-get update && \
 (apt-get install -y --no-install-recommends libgl1 || apt-get install -y --no-install-recommends libgl1-mesa-glx) && \
 # Install Docker dependencies
 apt-get install -y --no-install-recommends apt-transport-https ca-certificates curl gnupg lsb-release && \
+ # Security upgrade: patch GLib CVE-2025-14087 (buffer underflow in GVariant parser)
+ (apt-get install -y --no-install-recommends --only-upgrade \
+ libglib2.0-0t64 libglib2.0-bin libglib2.0-dev libglib2.0-dev-bin || true) && \
 # Security upgrade: patch OpenSSL CVEs (CVE-2025-15467, CVE-2025-69419, CVE-2025-69421, et al.)
 (apt-get install -y --no-install-recommends --only-upgrade \
 openssl openssl-provider-legacy libssl3t64 || true) && \
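Review bot: The added GLib upgrade can fail without anyone noticing, because the whole `apt-get install --only-upgrade` subshell ends in `|| true`. apt aborts the entire transaction when any one named package cannot be located, and `libglib2.0-0t64` is the post-t64-transition name, so on a base image that still ships `libglib2.0-0` none of the four packages would be upgraded and the build would still succeed with CVE-2025-14087 unpatched. The libgl1 line at the top of the hunk already handles name differences between bases with an explicit fallback, and the same shape fits here: retry with `libglib2.0-0` in place of `libglib2.0-0t64`, and end the chain with `|| echo "WARNING: GLib not upgraded, CVE-2025-14087 may be unpatched" >&2` instead of `|| true`. It would also help to log the installed version afterwards (for example with `dpkg-query -W`) so the build output records what the image actually ships. The enclosing RUN starts and ends outside the hunk, so whether a later step already checks package versions cannot be confirmed from here.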