Your message dated Sat, 31 Aug 2024 12:30:55 +0100
with message-id 
<27c418b1a49ffc566f1b9635359e59f6a742be26.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 11.11
has caused the Debian Bug report #1076598,
regarding bullseye-pu: package gtk+2.0/2.24.33-2+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1076598: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076598
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye d-i
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gtk+...@packages.debian.org, secur...@debian.org, 
debian-b...@lists.debian.org
Control: affects -1 + src:gtk+2.0

[ Reason ]
CVE-2024-6655. The security team has indicated that they do not intend
to release a DSA for this vulnerability.

[ Impact ]
If not fixed, GTK 2 apps will load modules specified in $GTK_MODULES from
the current working directory, which could be an exploitable vulnerability
if a GTK 2 app is run from /tmp or a similarly attacker-controlled
directory.

[ Tests ]
Briefly tested in a Debian 11 GNOME VM, no obvious regression.

In the GTK 2 currently in bullseye, running e.g.
`GTK_MODULES=gail:atk-bridge:foobar strace -efile gtk-demo` shows signs of
attempting to load ./libfoobar.so:

stat("libfoobar.so", ...) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.so", ...) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.la", ...) = -1 ENOENT (No such file or directory)

In the proposed version, this no longer happens.

(gtk-demo is a sample GTK 2 application, from gtk2.0-examples.)

I have not yet attempted to build a debian-installer image with the
proposed GTK.

[ Risks ]
Low risk, straightforward backport of a targeted security fix.

One risk here is that Debian 11.11 is intended to be its last scheduled
point release, so if this somehow causes a regression, there will be no
more point releases in which the regression can be fixed, and it will
be up to the LTS team to deal with the fallout.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
d/patches: The vulnerability fix.

d/control, d/gbp.conf: Package release administrivia.

[ Other info ]
GTK 2 is used in the graphical installer, so this will require a d-i ack.
diffstat for gtk+2.0-2.24.33 gtk+2.0-2.24.33

 debian/changelog                   |   11 +++++++++++
 debian/control                     |    2 +-
 debian/control.in                  |    4 ++--
 debian/gbp.conf                    |    2 +-
 debian/patches/CVE-2024-6655.patch |   35 +++++++++++++++++++++++++++++++++++
 debian/patches/series              |    1 +
 gtk/gtkmodules.c                   |    9 ++-------
 7 files changed, 53 insertions(+), 11 deletions(-)

diff -Nru gtk+2.0-2.24.33/debian/changelog gtk+2.0-2.24.33/debian/changelog
--- gtk+2.0-2.24.33/debian/changelog	2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/changelog	2024-07-19 12:19:26.000000000 +0100
@@ -1,3 +1,14 @@
+gtk+2.0 (2.24.33-2+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * d/control.in, d/gbp.conf: Set packaging branch for Debian 11 updates
+  * d/control.in: Freeze previous Uploaders
+  * d/p/CVE-2024-6655.patch:
+    Add patch backported from 3.24.43 to avoid looking for modules in
+    current working directory (CVE-2024-6655)
+
+ -- Simon McVittie <s...@debian.org>  Fri, 19 Jul 2024 12:19:26 +0100
+
 gtk+2.0 (2.24.33-2) unstable; urgency=medium
 
   * Team upload
diff -Nru gtk+2.0-2.24.33/debian/control gtk+2.0-2.24.33/debian/control
--- gtk+2.0-2.24.33/debian/control	2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/control	2024-07-19 12:19:26.000000000 +0100
@@ -50,7 +50,7 @@
 Rules-Requires-Root: no
 Standards-Version: 4.5.1
 Vcs-Browser: https://salsa.debian.org/gnome-team/gtk2
-Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git
+Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git -b debian/bullseye
 Homepage: http://www.gtk.org/
 
 Package: libgtk2.0-0
diff -Nru gtk+2.0-2.24.33/debian/control.in gtk+2.0-2.24.33/debian/control.in
--- gtk+2.0-2.24.33/debian/control.in	2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/control.in	2024-07-19 12:19:26.000000000 +0100
@@ -2,7 +2,7 @@
 Section: libs
 Priority: optional
 Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
-Uploaders: @GNOME_TEAM@
+Uploaders: Emilio Pozuelo Monfort <po...@debian.org>, Jeremy Bicha <jbi...@debian.org>
 Build-Depends: debhelper-compat (= 12),
                dh-python,
                gettext,
@@ -50,7 +50,7 @@
 Rules-Requires-Root: no
 Standards-Version: 4.5.1
 Vcs-Browser: https://salsa.debian.org/gnome-team/gtk2
-Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git
+Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git -b debian/bullseye
 Homepage: http://www.gtk.org/
 
 Package: @SHARED_PKG@
diff -Nru gtk+2.0-2.24.33/debian/gbp.conf gtk+2.0-2.24.33/debian/gbp.conf
--- gtk+2.0-2.24.33/debian/gbp.conf	2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/gbp.conf	2024-07-19 12:19:26.000000000 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/bullseye
 upstream-branch = upstream/latest
 upstream-vcs-tag = %(version)s
diff -Nru gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch
--- gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch	1970-01-01 01:00:00.000000000 +0100
+++ gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch	2024-07-19 12:19:26.000000000 +0100
@@ -0,0 +1,35 @@
+From: Matthias Clasen <mcla...@redhat.com>
+Date: Sat, 15 Jun 2024 14:18:01 -0400
+Subject: Stop looking for modules in cwd
+
+This is just not a good idea. It is surprising, and can be misused.
+
+(cherry picked from commit 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7)
+
+Bug: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
+Bug-CVE: CVE-2024-6655
+Origin: upstream, 3.24.43, commit:https://gitlab.gnome.org/GNOME/gtk/-/commit/3bbf0b6176d42836d23c36a6ac410e807ec0a7a7
+---
+ gtk/gtkmodules.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
+index 7877557..64efd91 100644
+--- a/gtk/gtkmodules.c
++++ b/gtk/gtkmodules.c
+@@ -232,13 +232,8 @@ find_module (const gchar *name)
+   gchar *module_name;
+ 
+   module_name = _gtk_find_module (name, "modules");
+-  if (!module_name)
+-    {
+-      /* As last resort, try loading without an absolute path (using system
+-       * library path)
+-       */
+-      module_name = g_module_build_path (NULL, name);
+-    }
++  if (module_name == NULL)
++    return NULL;
+ 
+   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
+ 
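Review bot: with the fallback deleted, the new early return at `+  if (module_name == NULL)` / `+    return NULL;` makes find_module() hand back NULL without g_module_open() having been attempted, so the caller's failure path deserves a look: if it explains the failure via g_module_error(), that error is unset or left over from an earlier open in this case, and a plain "module not found in the module path" message would be more useful. The functional change is the right one for the CVE: the removed `g_module_build_path (NULL, name)` produced a bare lib<name>.so filename, and opening that relative name is what produced the stat("libfoobar.so"), ".so.so" and ".so.la" probes in the working directory quoted under [Tests]; after this hunk only the absolute path returned by _gtk_find_module is ever opened. The hunk header counts (13 lines to 8: 7 removed, 2 added) are consistent.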
diff -Nru gtk+2.0-2.24.33/debian/patches/series gtk+2.0-2.24.33/debian/patches/series
--- gtk+2.0-2.24.33/debian/patches/series	2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/patches/series	2024-07-19 12:19:26.000000000 +0100
@@ -8,3 +8,4 @@
 098_multiarch_module_path.patch
 Reinstate-marshallers-that-accidentally-became-part-of-th.patch
 d-i/textlayout-Clamp-width-to-the-value-we-asked-for-as-a-hac.patch
+CVE-2024-6655.patch
diff -Nru gtk+2.0-2.24.33/gtk/gtkmodules.c gtk+2.0-2.24.33/gtk/gtkmodules.c
--- gtk+2.0-2.24.33/gtk/gtkmodules.c	2024-07-19 12:51:26.000000000 +0100
+++ gtk+2.0-2.24.33/gtk/gtkmodules.c	2024-07-19 12:51:27.000000000 +0100
@@ -232,13 +232,8 @@
   gchar *module_name;
 
   module_name = _gtk_find_module (name, "modules");
-  if (!module_name)
-    {
-      /* As last resort, try loading without an absolute path (using system
-       * library path)
-       */
-      module_name = g_module_build_path (NULL, name);
-    }
+  if (module_name == NULL)
+    return NULL;
 
   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
 
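Review bot: this hunk is the same change as debian/patches/CVE-2024-6655.patch, already applied in the unpacked source tree, which is why the debdiff shows gtk/gtkmodules.c alongside the patch file (the header line `@@ -232,13 +232,8 @@` and the nine changed lines match the patch body exactly). Nothing to act on here, but reviewers should read it as one fix rather than two, and the diffstat's "gtk/gtkmodules.c | 9 ++-------" is likewise the applied patch, not an extra upstream-source edit.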

--- End Message ---
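
As an added check, not part of the bug report or of the GTK source, this script reproduces the [Tests] procedure from the report (run a GTK 2 program under strace with a nonexistent module name in GTK_MODULES) and scans the trace for the relative lib<name>.so probes the report quotes. The sample trace lines inside it are constructed, and strace, timeout and a GTK 2 program such as gtk-demo are assumed to be installed for the live check.

```shell
#!/bin/sh
# Added example (not from the bug report or GTK): reproduces the report's strace
# test and flags relative-path lookups of lib<module>.so, i.e. a GTK 2 that
# still probes the working directory for modules named in $GTK_MODULES.

# Constructed trace excerpts, not captured output. The first mirrors the three
# probes quoted in the report for the unfixed bullseye GTK 2; the second shows
# a fixed build, which only stats the absolute path under the module directory.
SAMPLE_VULNERABLE='stat("/usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/modules/libfoobar.so", 0x7ffc) = -1 ENOENT (No such file or directory)
stat("libfoobar.so", 0x7ffc) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.so", 0x7ffc) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.la", 0x7ffc) = -1 ENOENT (No such file or directory)'
SAMPLE_FIXED='stat("/usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/modules/libfoobar.so", 0x7ffc) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/themes/Default/gtk-2.0/gtkrc", O_RDONLY) = 3'

# cwd_module_probes MODULE TRACE
# Prints each file syscall in TRACE whose path is the bare relative name
# lib<MODULE>.so, .so.so or .so.la (the variants seen in the report); an
# optional leading PID covers traces recorded with strace -f.
# Exit status 0: at least one cwd probe found; 1: none.
cwd_module_probes() {
    module=$1
    trace=$2
    printf '%s\n' "$trace" | grep -E \
        "^([0-9]+ +)?(stat|lstat|newfstatat|statx|access|open|openat)\((AT_FDCWD, )?\"lib${module}\.so(\.so|\.la)?\""
}

# check_gtk2_binary BINARY: runs the report's test against a real program.
# Assumes strace, timeout and a GTK 2 program (e.g. gtk-demo from
# gtk2.0-examples) are installed; the program is killed after 5 s.
check_gtk2_binary() {
    bin=$1
    module="probe$$"                 # a module name that cannot exist
    command -v strace >/dev/null || { echo "strace not installed" >&2; return 2; }
    log=$(mktemp)
    GTK_MODULES=$module strace -f -e trace=file -o "$log" timeout 5 "$bin" >/dev/null 2>&1 || :
    if cwd_module_probes "$module" "$(cat "$log")"; then
        echo "VULNERABLE: $bin probed the working directory for lib$module.so"
        rm -f "$log"; return 1
    fi
    echo "OK: $bin did not look for lib$module.so in the working directory"
    rm -f "$log"; return 0
}

# Self-check on the constructed samples, then the live test when a binary is given (./gtk2-cwd-check.sh gtk-demo).
cwd_module_probes foobar "$SAMPLE_VULNERABLE" >/dev/null && echo "sample: vulnerable trace detected"
cwd_module_probes foobar "$SAMPLE_FIXED" >/dev/null || echo "sample: fixed trace is clean"
if [ $# -gt 0 ]; then check_gtk2_binary "$1"; fi
```
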
--- Begin Message ---
Package: release.debian.org
Version: 11.11

Hi,

Each of these bugs relates to an update included in today's final
bullseye 11.11 point release.

Regards,

Adam

--- End Message ---
