Your message dated Sat, 31 Aug 2024 12:34:14 +0100
with message-id
<9e3e8b8cd0db3b52d4adb2cfad04baa007c8e3e8.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 12.7
has caused the Debian Bug report #1076603,
regarding bookworm-pu: package gtk+3.0/3.24.38-2~deb12u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1076603: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076603
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gtk+...@packages.debian.org, secur...@debian.org,
debian-b...@lists.debian.org
Control: affects -1 + src:gtk+3.0
[ Reason ]
CVE-2024-6655. The security team has indicated that they do not intend
to release a DSA for this vulnerability.
[ Impact ]
If not fixed, GTK 3 apps will load modules specified in $GTK_MODULES from
the current working directory, which could be an exploitable vulnerability
if a GTK 3 app is run from /tmp or a similarly attacker-controlled
directory.
[ Tests ]
In the GTK 3 currently in bookworm, running e.g.
`GTK_MODULES=gail:atk-bridge:foobar strace -efile gtk3-widget-factory`
shows signs of attempting to load ./libfoobar.so:
newfstatat(AT_FDCWD, "libfoobar.so", 0x7ffc31c373e0, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.so", 0x7ffc31c373e0, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.la", 0x7ffc31c373e0, 0) = -1 ENOENT (No such file or directory)
(gtk3-widget-factory is a sample GTK 3 application, from gtk-3-examples.)
In the proposed version, this no longer happens.
GTK 3 produces udebs, so officially it needs a d-i ack (debian-boot cc'd
for this); but in practice the graphical installer is still using GTK 2
even in testing/unstable, so I believe it would be OK to ship this
change without waiting for the d-i team's approval.
[ Risks ]
Low risk, straightforward backport of a targeted security fix.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
All changes are part of the vulnerability fix.
diffstat for gtk+3.0-3.24.38 gtk+3.0-3.24.38
debian/changelog | 8 ++++
debian/patches/Stop-looking-for-modules-in-cwd.patch | 33 +++++++++++++++++++
debian/patches/series | 1
gtk/gtkmodules.c | 9 +----
4 files changed, 44 insertions(+), 7 deletions(-)
diff -Nru gtk+3.0-3.24.38/debian/changelog gtk+3.0-3.24.38/debian/changelog
--- gtk+3.0-3.24.38/debian/changelog 2023-09-09 20:30:40.000000000 +0100
+++ gtk+3.0-3.24.38/debian/changelog 2024-07-19 11:57:06.000000000 +0100
@@ -1,3 +1,11 @@
+gtk+3.0 (3.24.38-2~deb12u2) bookworm; urgency=medium
+
+ * d/p/Stop-looking-for-modules-in-cwd.patch:
+ Add patch backported from 3.24.43 to avoid looking for modules in
+ current working directory (CVE-2024-6655)
+
+ -- Simon McVittie <s...@debian.org> Fri, 19 Jul 2024 11:57:06 +0100
+
gtk+3.0 (3.24.38-2~deb12u1) bookworm; urgency=medium
* Rebuild new upstream release 3.24.38 for Debian 12
diff -Nru gtk+3.0-3.24.38/debian/patches/series gtk+3.0-3.24.38/debian/patches/series
--- gtk+3.0-3.24.38/debian/patches/series 2023-09-09 20:30:40.000000000 +0100
+++ gtk+3.0-3.24.38/debian/patches/series 2024-07-19 11:57:06.000000000 +0100
@@ -3,3 +3,4 @@
060_ignore-random-icons.patch
reftest_compare_surfaces-Report-how-much-the-images-diffe.patch
reftests-Allow-minor-differences-to-be-tolerated.patch
+Stop-looking-for-modules-in-cwd.patch
diff -Nru gtk+3.0-3.24.38/debian/patches/Stop-looking-for-modules-in-cwd.patch gtk+3.0-3.24.38/debian/patches/Stop-looking-for-modules-in-cwd.patch
--- gtk+3.0-3.24.38/debian/patches/Stop-looking-for-modules-in-cwd.patch 1970-01-01 01:00:00.000000000 +0100
+++ gtk+3.0-3.24.38/debian/patches/Stop-looking-for-modules-in-cwd.patch 2024-07-19 11:57:06.000000000 +0100
@@ -0,0 +1,33 @@
+From: Matthias Clasen <mcla...@redhat.com>
+Date: Sat, 15 Jun 2024 14:18:01 -0400
+Subject: Stop looking for modules in cwd
+
+This is just not a good idea. It is surprising, and can be misused.
+
+Bug: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
+Bug-CVE: CVE-2024-6655
+Origin: upstream, 3.24.43, commit:https://gitlab.gnome.org/GNOME/gtk/-/commit/3bbf0b6176d42836d23c36a6ac410e807ec0a7a7
+---
+ gtk/gtkmodules.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
+index 704e412..f93101c 100644
+--- a/gtk/gtkmodules.c
++++ b/gtk/gtkmodules.c
+@@ -214,13 +214,8 @@ find_module (const gchar *name)
+ gchar *module_name;
+
+ module_name = _gtk_find_module (name, "modules");
+- if (!module_name)
+- {
+- /* As last resort, try loading without an absolute path (using system
+- * library path)
+- */
+- module_name = g_module_build_path (NULL, name);
+- }
++ if (module_name == NULL)
++ return NULL;
+
+ module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
+
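Review bot: the new `if (module_name == NULL) return NULL;` changes find_module's contract (previously `_gtk_find_module` failing still produced a bare name from `g_module_build_path (NULL, name)` that `g_module_open` would probe, which is what made it search relative to the cwd); the hunk does not show the caller of find_module, so please confirm that a NULL return is handled there with a warning for the unloadable module rather than passed on to `g_module_symbol` or similar. The DEP-3 header is complete for traceability (Origin with the upstream commit, Bug, Bug-CVE), which is what the release team will want to see for a backport of this kind.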
diff -Nru gtk+3.0-3.24.38/gtk/gtkmodules.c gtk+3.0-3.24.38/gtk/gtkmodules.c
--- gtk+3.0-3.24.38/gtk/gtkmodules.c 2023-05-22 03:22:08.000000000 +0100
+++ gtk+3.0-3.24.38/gtk/gtkmodules.c 2024-07-19 13:32:39.000000000 +0100
@@ -214,13 +214,8 @@
gchar *module_name;
module_name = _gtk_find_module (name, "modules");
- if (!module_name)
- {
- /* As last resort, try loading without an absolute path (using system
- * library path)
- */
- module_name = g_module_build_path (NULL, name);
- }
+ if (module_name == NULL)
+ return NULL;
module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
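Review bot: this hunk is the same change as debian/patches/Stop-looking-for-modules-in-cwd.patch above, appearing because the patch is applied in the unpacked source tree, so it needs no separate review; it is worth checking that the source package builds without dpkg-source generating a second auto-patch for gtk/gtkmodules.c. The removed comment ("As last resort, try loading without an absolute path (using system library path)") records the original intent, and the strace output in [ Tests ] shows why that fallback was unsafe: a bare "libfoobar.so" is probed against the current directory before anything else.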
--- End Message ---
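One way to mechanise the strace check in [ Tests ] above, as an added example that is neither part of the bug report nor of GTK: it parses `strace -efile` output and reports every shared-library lookup resolved against the process's working directory. The sample lines are constructed from the three quoted in the report plus two benign ones.

```python
"""Flag cwd-relative library lookups in `strace -efile` output.

Added example for the GTK 3 CVE-2024-6655 test procedure; not part of
the Debian bug report or of GTK itself. A library lookup is cwd-relative
when the syscall takes a relative path and either no dirfd or AT_FDCWD,
which is the symptom the fix removes.
"""
import re

# Matches e.g. newfstatat(AT_FDCWD, "libfoobar.so", ...) and openat(5, "x", ...)
# Group 1: syscall, group 2: optional dirfd token, group 3: path argument.
_SYSCALL_RE = re.compile(r'^(\w+)\((?:(AT_FDCWD|\d+),\s*)?"([^"]*)"')
_PID_PREFIX = re.compile(r'^\[pid\s+\d+\]\s*')   # strace -f prefix


def cwd_relative_lookups(strace_output, suffixes=(".so", ".la")):
    """Return relative library paths that the kernel resolved via the cwd."""
    hits = []
    for line in strace_output.splitlines():
        m = _SYSCALL_RE.match(_PID_PREFIX.sub("", line.strip()))
        if not m:
            continue
        dirfd, path = m.group(2), m.group(3)
        if path.startswith("/"):
            continue                      # absolute: not cwd-dependent
        if dirfd not in (None, "AT_FDCWD"):
            continue                      # relative to an open dirfd, not cwd
        if not any(s in path for s in suffixes):
            continue                      # not a shared-library probe
        hits.append(path)
    return hits


# Constructed sample: the three lines quoted in the report, plus an
# absolute-path lookup and a non-library file that must not be flagged.
SAMPLE = """\
openat(AT_FDCWD, "/usr/lib/gtk-3.0/modules/libfoobar.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so", 0x7ffc31c373e0, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.so", 0x7ffc31c373e0, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.la", 0x7ffc31c373e0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "settings.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

if __name__ == "__main__":
    # Pipe real output in with: GTK_MODULES=gail:atk-bridge:foobar \
    #   strace -efile -o /dev/stdout gtk3-widget-factory | python3 this.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for p in cwd_relative_lookups(data):
        print("cwd-relative library lookup:", p)
```

An empty result on the fixed package, and the three `libfoobar.so*` hits on the unfixed one, reproduces the before/after described in [ Tests ].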
--- Begin Message ---
Package: release.debian.org
Version: 12.7
Hi,
Each of these bugs relates to an update included in today's bookworm
12.7 point release.
Regards,
Adam
--- End Message ---