On Wed, Jan 10, 2024 at 08:36:38PM +0100, Moritz Muehlenhoff wrote:
> Source: gtkwave
> Version: 3.3.116-1
> Severity: grave
> Tags: security
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> A very thorough security audit of gtkwave unveiled a total of 82 security
> issues in gtkwave, all fixed in 3.3.118:
>
> CVE-2023-32650 CVE-2023-34087 CVE-2023-34436 CVE-2023-35004
> CVE-2023-35057 CVE-2023-35128 CVE-2023-35702 CVE-2023-35703
> CVE-2023-35704 CVE-2023-35955 CVE-2023-35956 CVE-2023-35957
> CVE-2023-35958 CVE-2023-35959 CVE-2023-35960 CVE-2023-35961
> CVE-2023-35962 CVE-2023-35963 CVE-2023-35964 CVE-2023-35969
> CVE-2023-35970 CVE-2023-35989 CVE-2023-35992 CVE-2023-35994
> CVE-2023-35995 CVE-2023-35996 CVE-2023-35997 CVE-2023-36746
> CVE-2023-36747 CVE-2023-36861 CVE-2023-36864 CVE-2023-36915
> CVE-2023-36916 CVE-2023-37282 CVE-2023-37416 CVE-2023-37417
> CVE-2023-37418 CVE-2023-37419 CVE-2023-37420 CVE-2023-37442
> CVE-2023-37443 CVE-2023-37444 CVE-2023-37445 CVE-2023-37446
> CVE-2023-37447 CVE-2023-37573 CVE-2023-37574 CVE-2023-37575
> CVE-2023-37576 CVE-2023-37577 CVE-2023-37578 CVE-2023-37921
> CVE-2023-37922 CVE-2023-37923 CVE-2023-38583 CVE-2023-38618
> CVE-2023-38619 CVE-2023-38620 CVE-2023-38621 CVE-2023-38622
> CVE-2023-38623 CVE-2023-38648 CVE-2023-38649 CVE-2023-38650
> CVE-2023-38651 CVE-2023-38652 CVE-2023-38653 CVE-2023-38657
> CVE-2023-39234 CVE-2023-39235 CVE-2023-39270 CVE-2023-39271
> CVE-2023-39272 CVE-2023-39273 CVE-2023-39274 CVE-2023-39275
> CVE-2023-39316 CVE-2023-39317 CVE-2023-39413 CVE-2023-39414
> CVE-2023-39443 CVE-2023-39444
>
> Let's first fix unstable and then we can simply build 3.3.118
> for stable-security and oldstable-security as well.
>...

I looked at it for LTS, and there are at least two issues to consider:

1. GTK 2 versus GTK 3

Between bullseye and bookworm the UI switched from GTK 2 to GTK 3.

The good news is that in buster both versions of 3.3.118 work with
a small testcase.

The bad news is that upstream has different tarballs for GTK 2 and GTK 3.

2. ghwdump moved to ghdl-tools

The ghwdump tool (and manpage) was dropped in 3.3.110 from the
upstream sources, and is now in ghdl-tools.

My suggestion would be that I do:
sid: 3.3.118-0.1 (or 3.3.118-1 if done by a maintainer)
bookworm: 3.3.118-0.1~deb12u1
bullseye: 3.3.104+really3.3.118-0.1 (GTK 2 and with ghwdump re-added)
buster: 3.3.104+really3.3.118-0.1~deb10u1 (or 3.3.98+really3.3.118-0.1)

Any comments?
Especially maintainer feedback would be appreciated.

> Cheers,
> Moritz

cu
Adrian