Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gtk+...@packages.debian.org, secur...@debian.org, debian-boot@lists.debian.org
Control: affects -1 + src:gtk+3.0
[ Reason ]
CVE-2024-6655. The security team has indicated that they do not intend to
release a DSA for this vulnerability.

[ Impact ]
If not fixed, GTK 3 apps will load modules specified in $GTK_MODULES from
the current working directory, which could be an exploitable vulnerability
if a GTK 3 app is run from /tmp or a similarly attacker-controlled directory.

[ Tests ]
In the GTK 3 currently in bookworm, running e.g.
`GTK_MODULES=gail:atk-bridge:foobar strace -efile gtk3-widget-factory`
shows signs of attempting to load ./libfoobar.so:

    newfstatat(AT_FDCWD, "libfoobar.so", 0x7ffc31c373e0, 0) = -1 ENOENT (No such file or directory)
    newfstatat(AT_FDCWD, "libfoobar.so.so", 0x7ffc31c373e0, 0) = -1 ENOENT (No such file or directory)
    newfstatat(AT_FDCWD, "libfoobar.so.la", 0x7ffc31c373e0, 0) = -1 ENOENT (No such file or directory)

(gtk3-widget-factory is a sample GTK 3 application, from gtk-3-examples.)

In the proposed version, this no longer happens.

GTK 3 produces udebs, so officially it needs a d-i ack (debian-boot cc'd
for this); but in practice the graphical installer is still using GTK 2
even in testing/unstable, so I believe it would be OK to ship this change
without waiting for the d-i team's approval.

[ Risks ]
Low risk, straightforward backport of a targeted security fix.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
All changes are part of the vulnerability fix.
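As an added check (not code from the bug report or from GTK), the following turns the strace-based verification in [ Tests ] into a pass/fail script: it counts lookups of a GTK_MODULES entry that use a path relative to the current working directory instead of an absolute module-directory path. The sample trace lines are constructed from the output quoted above; the module directory in the "fixed" sample is an assumed example path.

```shell
#!/bin/sh
# Added helper, not part of the bug report or of GTK: scans `strace -efile`
# output for file lookups of the requested GTK_MODULES entry that use a
# cwd-relative path (the CVE-2024-6655 behaviour) rather than an absolute
# path under GTK's module directories.
#
# Live use (needs strace and a GTK 3 app such as gtk3-widget-factory):
#   GTK_MODULES=foobar strace -efile gtk3-widget-factory 2>trace.log
#   count_cwd_module_lookups foobar < trace.log

# Count trace lines whose quoted path names lib<name>.so or lib<name>.la
# (or a variant such as lib<name>.so.so) and does not start with "/":
# that is a lookup resolved against the current working directory.
# The name is interpolated verbatim into the regex, so use plain names only.
count_cwd_module_lookups() {
    name="$1"
    # grep -c prints the count; "|| true" keeps a zero count from aborting
    # callers that run under "set -e".
    grep -cE "\"([^/\"][^\"]*/)?lib${name}\.(so|la)" || true
}

# Exit 0 = at least one cwd lookup seen (unfixed GTK), 1 = none (fixed).
cwd_lookup_found() {
    [ "$(count_cwd_module_lookups "$1")" -gt 0 ]
}

# Constructed sample: the lines the report quotes from the unfixed bookworm GTK.
SAMPLE_UNFIXED='newfstatat(AT_FDCWD, "libfoobar.so", 0x7ffc31c373e0, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.so", 0x7ffc31c373e0, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.la", 0x7ffc31c373e0, 0) = -1 ENOENT (No such file or directory)'

# Constructed sample of a fixed GTK: only absolute-path lookups appear
# (the module directory below is an assumed example path, not from the report).
SAMPLE_FIXED='newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/gtk-3.0/modules/libfoobar.so", 0x7ffc31c373e0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3'

# Run with --demo to classify the two constructed samples.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_UNFIXED" | cwd_lookup_found foobar && echo "unfixed sample: cwd lookup found"
    printf '%s\n' "$SAMPLE_FIXED" | cwd_lookup_found foobar || echo "fixed sample: no cwd lookup"
fi
```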
diffstat for gtk+3.0-3.24.38 gtk+3.0-3.24.38 debian/changelog | 8 ++++ debian/patches/Stop-looking-for-modules-in-cwd.patch | 33 +++++++++++++++++++ debian/patches/series | 1 gtk/gtkmodules.c | 9 +---- 4 files changed, 44 insertions(+), 7 deletions(-) diff -Nru gtk+3.0-3.24.38/debian/changelog gtk+3.0-3.24.38/debian/changelog --- gtk+3.0-3.24.38/debian/changelog 2023-09-09 20:30:40.000000000 +0100 +++ gtk+3.0-3.24.38/debian/changelog 2024-07-19 11:57:06.000000000 +0100 @@ -1,3 +1,11 @@ +gtk+3.0 (3.24.38-2~deb12u2) bookworm; urgency=medium + + * d/p/Stop-looking-for-modules-in-cwd.patch: + Add patch backported from 3.24.43 to avoid looking for modules in + current working directory (CVE-2024-6655) + + -- Simon McVittie <s...@debian.org> Fri, 19 Jul 2024 11:57:06 +0100 + gtk+3.0 (3.24.38-2~deb12u1) bookworm; urgency=medium * Rebuild new upstream release 3.24.38 for Debian 12 diff -Nru gtk+3.0-3.24.38/debian/patches/series gtk+3.0-3.24.38/debian/patches/series --- gtk+3.0-3.24.38/debian/patches/series 2023-09-09 20:30:40.000000000 +0100 +++ gtk+3.0-3.24.38/debian/patches/series 2024-07-19 11:57:06.000000000 +0100 @@ -3,3 +3,4 @@ 060_ignore-random-icons.patch reftest_compare_surfaces-Report-how-much-the-images-diffe.patch reftests-Allow-minor-differences-to-be-tolerated.patch +Stop-looking-for-modules-in-cwd.patch diff -Nru gtk+3.0-3.24.38/debian/patches/Stop-looking-for-modules-in-cwd.patch gtk+3.0-3.24.38/debian/patches/Stop-looking-for-modules-in-cwd.patch --- gtk+3.0-3.24.38/debian/patches/Stop-looking-for-modules-in-cwd.patch 1970-01-01 01:00:00.000000000 +0100 +++ gtk+3.0-3.24.38/debian/patches/Stop-looking-for-modules-in-cwd.patch 2024-07-19 11:57:06.000000000 +0100 
@@ -0,0 +1,33 @@ +From: Matthias Clasen <mcla...@redhat.com> +Date: Sat, 15 Jun 2024 14:18:01 -0400 +Subject: Stop looking for modules in cwd + +This is just not a good idea. It is surprising, and can be misused. + +Bug: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786 +Bug-CVE: CVE-2024-6655 +Origin: upstream, 3.24.43, commit:https://gitlab.gnome.org/GNOME/gtk/-/commit/3bbf0b6176d42836d23c36a6ac410e807ec0a7a7 +--- + gtk/gtkmodules.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c +index 704e412..f93101c 100644 +--- a/gtk/gtkmodules.c ++++ b/gtk/gtkmodules.c +@@ -214,13 +214,8 @@ find_module (const gchar *name) + gchar *module_name; + + module_name = _gtk_find_module (name, "modules"); +- if (!module_name) +- { +- /* As last resort, try loading without an absolute path (using system +- * library path) +- */ +- module_name = g_module_build_path (NULL, name); +- } ++ if (module_name == NULL) ++ return NULL; + + module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY); + diff -Nru gtk+3.0-3.24.38/gtk/gtkmodules.c gtk+3.0-3.24.38/gtk/gtkmodules.c --- gtk+3.0-3.24.38/gtk/gtkmodules.c 2023-05-22 03:22:08.000000000 +0100 +++ gtk+3.0-3.24.38/gtk/gtkmodules.c 2024-07-19 13:32:39.000000000 +0100 @@ -214,13 +214,8 @@ gchar *module_name; module_name = _gtk_find_module (name, "modules"); - if (!module_name) - { - /* As last resort, try loading without an absolute path (using system - * library path) - */ - module_name = g_module_build_path (NULL, name); - } + if (module_name == NULL) + return NULL; module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
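Review bot: The fallback removed from find_module () covered more than the cwd case: its own comment says it tried "loading without an absolute path (using system library path)" via g_module_build_path (NULL, name), so after this change a GTK_MODULES entry that is installed only on the dynamic linker's default search path, rather than under the directories searched by _gtk_find_module (name, "modules"), will no longer load. The d/changelog entry describes the change purely as avoiding the current working directory; consider noting this wider behaviour change there (or in a NEWS entry) so that users of such modules know why they stop loading. The early `return NULL;` itself looks right, as it yields the same result a failed g_module_open (module_name, ...) call two lines below would.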