Hello Łukasz! I have updated the bug report to follow the SRU documentation (apologies, I spaced filling out the bug report).
** Description changed:

+ [Impact]
+
+ Without these fixes, a specially crafted GTK program can cause a Denial
+ of Service attack on any machine with open GTK programs.
+
+ [Test Case]
+
+ In the GitHub issue against mate-panel, an individual with the GitHub
+ username clbr wrote a Proof of Concept that can be used to demonstrate
+ that this bug is affecting the system, and this is found here:
+ http://pastebin.ca/3733209
+
+ The commenter reports that the Proof of Concept can be built with the following command:
+ gcc -o killer killer.c `pkg-config --cflags --libs gtk+-2.0`
+
+ [Regression Potential]
+
+ This fix has been uploaded to Artful and has passed to artful-release,
+ causing no installability problems or autopkgtest regressions.
+
+ As for the fix itself, there was already a regression spotted, but the
+ patch fixing that regression has been spotted and also fixed in this
+ upload. Since it is putting a limit on the list's size, although this is
+ highly unlikely at this point in time, epgfm on the GitHub issue points
+ out the following:
+
+ "...
+
+ However, the incoming fix set a large number of items (1000) as a hard
+ limit.
+
+ ...
+
+ Does an application really needs to store 1K recent files? I think even
+ the badassest screen you can possibly buy now wouldn't have enough
+ vertical space to display them all."
+
+ Should there be the unlikely event that a program needs to use that many
+ recent files, the program will have some issues, but that is a bug in
+ the program that needs to use that many recent files, not GTK itself.
+
+ tl;dr low regression potential, where there will be regressions is
+ excessively large GTK programs, but that is a bug in the program itself
+ for taking up that much space, not GTK.
+
+ [Original Description]
+
  https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=a3b2d6a65be9f592de9570c227df00f910167e9e
  https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=35871edb318083b2d7e4758cbdaad6109eed60ca

  Please apply/backport these two patches from the 2.24 branch. They fix a memory DOS, originally reported against mate-panel here:

  https://github.com/mate-desktop/mate-panel/issues/479

  For the GTK3 version of this bug, see bug 1641914

  Note that MATE is GTK2 only for Ubuntu 16.04 LTS.

--
https://bugs.launchpad.net/bugs/1641912

Title:
  Please backport two recent-manager patches