Your message dated Sat, 31 Aug 2024 12:30:55 +0100
with message-id 
<27c418b1a49ffc566f1b9635359e59f6a742be26.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 11.11
has caused the Debian Bug report #1076609,
regarding bullseye-pu: package gtk+3.0/3.24.24-4+deb11u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1076609: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076609
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gtk+...@packages.debian.org, secur...@debian.org, 
debian-b...@lists.debian.org
Control: affects -1 + src:gtk+3.0

[ Reason ]
CVE-2024-6655. The security team has indicated that they do not intend
to release a DSA for this vulnerability.

[ Impact ]
If not fixed, GTK 3 apps will load modules specified in $GTK_MODULES from
the current working directory, which could be an exploitable vulnerability
if a GTK 3 app is run from /tmp or a similarly attacker-controlled
directory.

[ Tests ]
Briefly tested in a Debian 11 GNOME VM, no obvious regression.

In the GTK 3 currently in bullseye, running e.g.
`GTK_MODULES=gail:atk-bridge:foobar strace -efile gtk3-widget-factory`
shows signs of attempting to load ./libfoobar.so:

stat("libfoobar.so", 0x7ffd2beebe80)    = -1 ENOENT (No such file or directory)
stat("libfoobar.so.so", 0x7ffd2beebe80) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.la", 0x7ffd2beebe80) = -1 ENOENT (No such file or directory)

(gtk3-widget-factory is a sample GTK 3 application, from gtk-3-examples.)

In the proposed version, this no longer happens.

[ Risks ]
Low risk, straightforward backport of a targeted security fix.

One risk here is that Debian 11.11 is intended to be its last scheduled
point release, so if this somehow causes a regression, there will be no
more point releases in which the regression can be fixed, and it will
be up to the LTS team to deal with the fallout.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
All changes are part of the vulnerability fix.

[ Other info ]
GTK 3 produces udebs, so officially it needs a d-i ack (debian-boot cc'd
for this); but in practice the graphical installer is still using GTK 2
even in testing/unstable, so I believe it would be OK to ship this
change without waiting for the d-i team's approval.
diffstat for gtk+3.0-3.24.24 gtk+3.0-3.24.24

 debian/changelog                                     |    8 ++++
 debian/patches/Stop-looking-for-modules-in-cwd.patch |   33 +++++++++++++++++++
 debian/patches/series                                |    1 
 gtk/gtkmodules.c                                     |    9 +----
 4 files changed, 44 insertions(+), 7 deletions(-)

diff -Nru gtk+3.0-3.24.24/debian/changelog gtk+3.0-3.24.24/debian/changelog
--- gtk+3.0-3.24.24/debian/changelog	2023-02-24 19:07:01.000000000 +0000
+++ gtk+3.0-3.24.24/debian/changelog	2024-07-19 14:30:18.000000000 +0100
@@ -1,3 +1,11 @@
+gtk+3.0 (3.24.24-4+deb11u4) bullseye; urgency=medium
+
+  * d/p/Stop-looking-for-modules-in-cwd.patch:
+    Add patch backported from 3.24.43 to avoid looking for modules in
+    current working directory (CVE-2024-6655)
+
+ -- Simon McVittie <s...@debian.org>  Fri, 19 Jul 2024 14:30:18 +0100
+
 gtk+3.0 (3.24.24-4+deb11u3) bullseye; urgency=medium
 
   * d/p/gdk_wayland_display_init_gl-use-GLES-API-if-required.patch:
diff -Nru gtk+3.0-3.24.24/debian/patches/series gtk+3.0-3.24.24/debian/patches/series
--- gtk+3.0-3.24.24/debian/patches/series	2023-02-24 19:07:01.000000000 +0000
+++ gtk+3.0-3.24.24/debian/patches/series	2024-07-19 14:30:18.000000000 +0100
@@ -27,3 +27,4 @@
 Don-t-try-to-create-local-cups-printers-before-CUPS-2.2.patch
 debian/cups-Use-the-same-name-mangling-as-Debian-11-s-cups-brows.patch
 gdk_wayland_display_init_gl-use-GLES-API-if-required.patch
+Stop-looking-for-modules-in-cwd.patch
diff -Nru gtk+3.0-3.24.24/debian/patches/Stop-looking-for-modules-in-cwd.patch gtk+3.0-3.24.24/debian/patches/Stop-looking-for-modules-in-cwd.patch
--- gtk+3.0-3.24.24/debian/patches/Stop-looking-for-modules-in-cwd.patch	1970-01-01 01:00:00.000000000 +0100
+++ gtk+3.0-3.24.24/debian/patches/Stop-looking-for-modules-in-cwd.patch	2024-07-19 14:30:18.000000000 +0100
@@ -0,0 +1,33 @@
+From: Matthias Clasen <mcla...@redhat.com>
+Date: Sat, 15 Jun 2024 14:18:01 -0400
+Subject: Stop looking for modules in cwd
+
+This is just not a good idea. It is surprising, and can be misused.
+
+Bug: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
+Bug-CVE: CVE-2024-6655
+Origin: upstream, 3.24.43, commit:https://gitlab.gnome.org/GNOME/gtk/-/commit/3bbf0b6176d42836d23c36a6ac410e807ec0a7a7
+---
+ gtk/gtkmodules.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
+index 704e412..f93101c 100644
+--- a/gtk/gtkmodules.c
++++ b/gtk/gtkmodules.c
+@@ -214,13 +214,8 @@ find_module (const gchar *name)
+   gchar *module_name;
+ 
+   module_name = _gtk_find_module (name, "modules");
+-  if (!module_name)
+-    {
+-      /* As last resort, try loading without an absolute path (using system
+-       * library path)
+-       */
+-      module_name = g_module_build_path (NULL, name);
+-    }
++  if (module_name == NULL)
++    return NULL;
+ 
+   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
+ 
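Review bot: the early `return NULL` near the end of the hunk replaces a fallback that handed a bare file name from g_module_build_path (NULL, name) to g_module_open, which is the path that let the loader probe the current working directory; with it gone, a GTK_MODULES entry that _gtk_find_module cannot resolve now leaves find_module without reaching g_module_open and without any diagnostic, so confirm that find_module's caller (not visible in the hunk) already handles a NULL return on this new early-exit path, and consider a g_warning naming the unresolved module so a typo in GTK_MODULES is visible instead of silently ignored. The DEP-3 headers (Bug, Bug-CVE, Origin with upstream version and commit) are complete.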
diff -Nru gtk+3.0-3.24.24/gtk/gtkmodules.c gtk+3.0-3.24.24/gtk/gtkmodules.c
--- gtk+3.0-3.24.24/gtk/gtkmodules.c	2020-12-02 22:21:56.000000000 +0000
+++ gtk+3.0-3.24.24/gtk/gtkmodules.c	2024-07-19 15:46:41.000000000 +0100
@@ -214,13 +214,8 @@
   gchar *module_name;
 
   module_name = _gtk_find_module (name, "modules");
-  if (!module_name)
-    {
-      /* As last resort, try loading without an absolute path (using system
-       * library path)
-       */
-      module_name = g_module_build_path (NULL, name);
-    }
+  if (module_name == NULL)
+    return NULL;
 
   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
 
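Review bot: this hunk applies to gtk/gtkmodules.c the same change that debian/patches/Stop-looking-for-modules-in-cwd.patch already carries, and the diffstat counts it as a fourth changed file; for a 3.0 (quilt) package the patched source should not be part of the upload, so confirm this is only an artefact of generating the debdiff from trees with the patch applied and that the upload itself carries only the new patch file and its series entry.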

--- End Message ---
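The strace check from the [Tests] section of the bug report above, turned into a small regression script that classifies strace output by whether the sentinel module was looked up relative to the current directory. This is an added example, not code from the bug report or from GTK; the classifier runs on constructed sample strace lines embedded below, and the live check_app function assumes strace is installed and the application can start.

```shell
#!/bin/sh
# Added example: regression check for the GTK_MODULES cwd lookup fixed by
# Stop-looking-for-modules-in-cwd.patch (CVE-2024-6655). Not GTK's own code.

# Constructed sample strace lines, modelled on the ones quoted in the report:
# a vulnerable build stats the sentinel module relative to the cwd ...
SAMPLE_VULNERABLE='stat("libfoobar.so", 0x7ffd2beebe80)    = -1 ENOENT (No such file or directory)
stat("libfoobar.so.so", 0x7ffd2beebe80) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/gtk-3.0/modules/libgail.so", O_RDONLY|O_CLOEXEC) = 3'
# ... while a fixed build only ever touches absolute module paths.
SAMPLE_FIXED='openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/gtk-3.0/modules/libgail.so", O_RDONLY|O_CLOEXEC) = 3
stat("/usr/lib/x86_64-linux-gnu/gtk-3.0/modules/libfoobar.so", 0x7ffd2beebe80) = -1 ENOENT (No such file or directory)'

# cwd_lookups SENTINEL: read strace output on stdin and print each file
# syscall whose path argument is lib<SENTINEL>.so as a *relative* name
# (no leading slash), i.e. a lookup in the current working directory.
cwd_lookups() {
    grep -E "^(stat|lstat|open|openat|access)\((AT_FDCWD, )?\"lib$1\.so" || true
}

# is_vulnerable SENTINEL TRACE: exit 0 when TRACE shows a cwd lookup.
is_vulnerable() {
    printf '%s\n' "$2" | cwd_lookups "$1" | grep -q .
}

# count_cwd_lookups SENTINEL TRACE: number of cwd lookups in TRACE.
count_cwd_lookups() {
    printf '%s\n' "$2" | cwd_lookups "$1" | wc -l | tr -d ' '
}

# check_app SENTINEL APP [ARGS...]: run APP under strace with a sentinel
# module name in GTK_MODULES (GTK turns "foobar" into libfoobar.so) and
# report whether a cwd lookup happened. Needs strace and a display.
check_app() {
    sentinel="$1"; shift
    trace=$(mktemp) || return 2
    GTK_MODULES="gail:atk-bridge:$sentinel" strace -f -o "$trace" -e trace=file "$@" >/dev/null 2>&1 || true
    if is_vulnerable "$sentinel" "$(cat "$trace")"; then
        echo "VULNERABLE: $1 looked for lib$sentinel.so in the current directory"
        rm -f "$trace"; return 1
    fi
    echo "OK: no cwd lookup of lib$sentinel.so"
    rm -f "$trace"; return 0
}

# Stand-alone run: exercise the classifier on the constructed samples.
is_vulnerable foobar "$SAMPLE_VULNERABLE" && echo "sample 1: cwd lookup detected (vulnerable)"
is_vulnerable foobar "$SAMPLE_FIXED" || echo "sample 2: no cwd lookup (fixed)"
```

Against a real build, `check_app foobar gtk3-widget-factory` reproduces the report's manual strace step and exits non-zero when the old cwd probing is still present.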
--- Begin Message ---
Package: release.debian.org
Version: 11.11

Hi,

Each of these bugs relates to an update included in today's final
bullseye 11.11 point release.

Regards,

Adam

--- End Message ---
