Your message dated Sat, 31 Aug 2024 12:34:14 +0100
with message-id
<9e3e8b8cd0db3b52d4adb2cfad04baa007c8e3e8.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 12.7
has caused the Debian Bug report #1076596,
regarding bookworm-pu: package gtk+2.0/2.24.33-2+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1076596: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076596
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gtk+...@packages.debian.org, secur...@debian.org
Control: affects -1 + src:gtk+2.0
[ Reason ]
CVE-2024-6655. The security team has indicated that they do not intend
to release a DSA for this vulnerability.
[ Impact ]
If not fixed, GTK 2 apps will load modules specified in $GTK_MODULES from
the current working directory, which could be an exploitable vulnerability
if a GTK 2 app is run from /tmp or a similarly attacker-controlled
directory.
[ Tests ]
In the GTK 2 currently in bookworm, running e.g.
`GTK_MODULES=gail:atk-bridge:foobar strace -efile gtk-demo` shows signs of
attempting to load ./libfoobar.so:
newfstatat(AT_FDCWD, "libfoobar.so", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.so", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.la", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
In the proposed version, this no longer happens.
(gtk-demo is a sample GTK 2 application, from gtk2.0-examples.)
[ Risks ]
Low risk, straightforward backport of a targeted security fix.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
d/patches: The vulnerability fix.
d/control, d/gbp.conf: Package release administrivia.
diffstat for gtk+2.0-2.24.33 gtk+2.0-2.24.33
debian/changelog | 11 +++++++++++
debian/control | 2 +-
debian/control.in | 4 ++--
debian/gbp.conf | 2 +-
debian/patches/CVE-2024-6655.patch | 35 +++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
gtk/gtkmodules.c | 9 ++-------
7 files changed, 53 insertions(+), 11 deletions(-)
diff -Nru gtk+2.0-2.24.33/debian/changelog gtk+2.0-2.24.33/debian/changelog
--- gtk+2.0-2.24.33/debian/changelog 2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/changelog 2024-07-19 11:57:02.000000000 +0100
@@ -1,3 +1,14 @@
+gtk+2.0 (2.24.33-2+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * d/control.in, d/gbp.conf: Set packaging branch for Debian 12 updates
+ * d/control.in: Freeze previous Uploaders
+ * d/p/CVE-2024-6655.patch:
+ Add patch backported from 3.24.43 to avoid looking for modules in
+ current working directory (CVE-2024-6655)
+
+ -- Simon McVittie <s...@debian.org> Fri, 19 Jul 2024 11:57:02 +0100
+
gtk+2.0 (2.24.33-2) unstable; urgency=medium
* Team upload
diff -Nru gtk+2.0-2.24.33/debian/control gtk+2.0-2.24.33/debian/control
--- gtk+2.0-2.24.33/debian/control 2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/control 2024-07-19 11:57:02.000000000 +0100
@@ -50,7 +50,7 @@
Rules-Requires-Root: no
Standards-Version: 4.5.1
Vcs-Browser: https://salsa.debian.org/gnome-team/gtk2
-Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git
+Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git -b debian/bookworm
Homepage: http://www.gtk.org/
Package: libgtk2.0-0
diff -Nru gtk+2.0-2.24.33/debian/control.in gtk+2.0-2.24.33/debian/control.in
--- gtk+2.0-2.24.33/debian/control.in 2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/control.in 2024-07-19 11:57:02.000000000 +0100
@@ -2,7 +2,7 @@
Section: libs
Priority: optional
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
-Uploaders: @GNOME_TEAM@
+Uploaders: Emilio Pozuelo Monfort <po...@debian.org>, Jeremy Bicha <jbi...@debian.org>
Build-Depends: debhelper-compat (= 12),
dh-python,
gettext,
@@ -50,7 +50,7 @@
Rules-Requires-Root: no
Standards-Version: 4.5.1
Vcs-Browser: https://salsa.debian.org/gnome-team/gtk2
-Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git
+Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git -b debian/bookworm
Homepage: http://www.gtk.org/
Package: @SHARED_PKG@
diff -Nru gtk+2.0-2.24.33/debian/gbp.conf gtk+2.0-2.24.33/debian/gbp.conf
--- gtk+2.0-2.24.33/debian/gbp.conf 2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/gbp.conf 2024-07-19 11:57:02.000000000 +0100
@@ -1,5 +1,5 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/bookworm
upstream-branch = upstream/latest
upstream-vcs-tag = %(version)s
diff -Nru gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch
--- gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch 1970-01-01 01:00:00.000000000 +0100
+++ gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch 2024-07-19 11:57:02.000000000 +0100
@@ -0,0 +1,35 @@
+From: Matthias Clasen <mcla...@redhat.com>
+Date: Sat, 15 Jun 2024 14:18:01 -0400
+Subject: Stop looking for modules in cwd
+
+This is just not a good idea. It is surprising, and can be misused.
+
+(cherry picked from commit 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7)
+
+Bug: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
+Bug-CVE: CVE-2024-6655
+Origin: upstream, 3.24.43, commit:https://gitlab.gnome.org/GNOME/gtk/-/commit/3bbf0b6176d42836d23c36a6ac410e807ec0a7a7
+---
+ gtk/gtkmodules.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
+index 7877557..64efd91 100644
+--- a/gtk/gtkmodules.c
++++ b/gtk/gtkmodules.c
+@@ -232,13 +232,8 @@ find_module (const gchar *name)
+ gchar *module_name;
+
+ module_name = _gtk_find_module (name, "modules");
+- if (!module_name)
+- {
+- /* As last resort, try loading without an absolute path (using system
+- * library path)
+- */
+- module_name = g_module_build_path (NULL, name);
+- }
++ if (module_name == NULL)
++ return NULL;
+
+ module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
+
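Review bot: the DEP-3 header records the cherry-pick from GTK 3.24.43 but says nothing about how it was adapted for GTK 2; since the context lines (`module_name = _gtk_find_module (name, "modules");` and the `g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);` call) match the 2.24.33 tree as shown in the debdiff below, a one-line remark in the header that the hunk applied without modification would save the next reviewer a trip to the upstream commit.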
diff -Nru gtk+2.0-2.24.33/debian/patches/series gtk+2.0-2.24.33/debian/patches/series
--- gtk+2.0-2.24.33/debian/patches/series 2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/patches/series 2024-07-19 11:57:02.000000000 +0100
@@ -8,3 +8,4 @@
098_multiarch_module_path.patch
Reinstate-marshallers-that-accidentally-became-part-of-th.patch
d-i/textlayout-Clamp-width-to-the-value-we-asked-for-as-a-hac.patch
+CVE-2024-6655.patch
diff -Nru gtk+2.0-2.24.33/gtk/gtkmodules.c gtk+2.0-2.24.33/gtk/gtkmodules.c
--- gtk+2.0-2.24.33/gtk/gtkmodules.c 2024-07-19 12:26:39.000000000 +0100
+++ gtk+2.0-2.24.33/gtk/gtkmodules.c 2024-07-19 12:26:40.000000000 +0100
@@ -232,13 +232,8 @@
gchar *module_name;
module_name = _gtk_find_module (name, "modules");
- if (!module_name)
- {
- /* As last resort, try loading without an absolute path (using system
- * library path)
- */
- module_name = g_module_build_path (NULL, name);
- }
+ if (module_name == NULL)
+ return NULL;
module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
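Review bot: find_module() can now return NULL where it previously always had a name from g_module_build_path() to hand to g_module_open(), so every caller of find_module() must treat NULL as "not found"; the callers are outside this hunk, so please confirm they already check the return value. Also, the removed comment says the fallback used the "system library path", not only the working directory, so a module that lives only in a system library directory rather than under the GTK module path stops loading with this change; that is the intended hardening, but it is worth a sentence in d/changelog so it is not reported as a regression.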
--- End Message ---
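The pattern the fix above removes is a "last resort" fallback from an absolute module path to a bare library name, which the loader then resolves relative to the current working directory. The following C program is an added example, not GTK code and not part of the bug report: it shows a resolver that only ever returns an absolute path inside one trusted module directory and returns NULL otherwise, with no widening of the search. The names find_module_safe and demo_module_lookup are hypothetical, the temporary directory and the fake libgail.so file it creates are constructed for the example, and nothing is actually dlopen'ed.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* find_module_safe (hypothetical name, not GTK's find_module): resolve a
 * module name to an absolute path inside one trusted directory and return
 * it as a malloc'd string, or NULL if the name is unsafe or no such file
 * exists there. The point is what it does NOT do: there is no "last resort"
 * fallback to a bare "libNAME.so", which the loader would look up relative
 * to the current working directory or the system library path. */
char *find_module_safe(const char *trusted_dir, const char *name)
{
    /* Only absolute module directories and plain names (no '/' components,
     * so neither "../x" nor "/tmp/x" can escape the directory). */
    if (trusted_dir == NULL || trusted_dir[0] != '/' ||
        name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return NULL;

    size_t len = strlen(trusted_dir) + strlen("/lib") + strlen(name) + strlen(".so") + 1;
    char *path = malloc(len);
    if (path == NULL)
        return NULL;
    snprintf(path, len, "%s/lib%s.so", trusted_dir, name);

    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) {
        free(path);
        return NULL; /* absent: refuse to load rather than widen the search */
    }
    return path;
}

/* demo_module_lookup: builds a throwaway directory holding a fake module
 * file (constructed for this example; it is not a real shared object) and
 * exercises the resolver. Returns 0 on success, or the number of the first
 * failed check. */
int demo_module_lookup(void)
{
    char tmpl[] = "/tmp/gtkmod-example-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (dir == NULL)
        return 1;

    char fake[512];
    snprintf(fake, sizeof fake, "%s/libgail.so", dir);
    FILE *f = fopen(fake, "w");
    if (f == NULL) {
        rmdir(dir);
        return 2;
    }
    fputs("placeholder, not a real shared object\n", f);
    fclose(f);

    int rc = 0;
    char *found = find_module_safe(dir, "gail");
    if (found == NULL || strcmp(found, fake) != 0)
        rc = 3; /* an installed module resolves to its absolute path */
    free(found);
    if (rc == 0 && find_module_safe(dir, "foobar") != NULL)
        rc = 4; /* missing module: NULL, no fallback to "libfoobar.so" in cwd */
    if (rc == 0 && find_module_safe(dir, "../gail") != NULL)
        rc = 5; /* a path component in the name is rejected */
    if (rc == 0 && find_module_safe("modules", "gail") != NULL)
        rc = 6; /* a relative module directory is rejected */

    unlink(fake);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_module_lookup();
    printf("module lookup checks: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Run under `strace -efile` the way the report does with gtk-demo: the only stat() calls are for absolute paths under the trusted directory, and the missing "foobar" case produces no lookup of `libfoobar.so` relative to AT_FDCWD.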
--- Begin Message ---
Package: release.debian.org
Version: 12.7
Hi,
Each of these bugs relates to an update included in today's bookworm
12.7 point release.
Regards,
Adam
--- End Message ---