Control: tags -1 + d-i

On Fri, 19 Jul 2024 at 12:29:05 +0100, Simon McVittie wrote:
> [ Reason ]
> CVE-2024-6655. The security team has indicated that they do not intend
> to release a DSA for this vulnerability.
> 
> [ Impact ]
> If not fixed, GTK 2 apps will load modules specified in $GTK_MODULES from
> the current working directory, which could be an exploitable vulnerability
> if a GTK 2 app is run from /tmp or a similarly attacker-controlled
> directory.

Sorry, I should have remembered that because GTK 2 is used in the
graphical installer, this update will require a d-i ack. (Full text and
diff quoted below.)

I have not yet attempted to build a new installer image with the
proposed GTK. Perhaps someone who knows how to operate branch2repo could
trigger that?

Thanks,
    smcv

> [ Tests ]
> In the GTK 2 currently in bookworm, running e.g.
> `GTK_MODULES=gail:atk-bridge:foobar strace -efile gtk-demo` shows signs of
> attempting to load ./libfoobar.so:
> 
> newfstatat(AT_FDCWD, "libfoobar.so", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
> newfstatat(AT_FDCWD, "libfoobar.so.so", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
> newfstatat(AT_FDCWD, "libfoobar.so.la", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
> 
> In the proposed version, this no longer happens.
> 
> (gtk-demo is a sample GTK 2 application, from gtk2.0-examples.)
> 
> [ Risks ]
> Low risk, straightforward backport of a targeted security fix.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> d/patches: The vulnerability fix.
> 
> d/control, d/gbp.conf: Package release administrivia.

> diffstat for gtk+2.0-2.24.33 gtk+2.0-2.24.33
> 
>  debian/changelog                   |   11 +++++++++++
>  debian/control                     |    2 +-
>  debian/control.in                  |    4 ++--
>  debian/gbp.conf                    |    2 +-
>  debian/patches/CVE-2024-6655.patch |   35 +++++++++++++++++++++++++++++++++++
>  debian/patches/series              |    1 +
>  gtk/gtkmodules.c                   |    9 ++-------
>  7 files changed, 53 insertions(+), 11 deletions(-)
> 
> diff -Nru gtk+2.0-2.24.33/debian/changelog gtk+2.0-2.24.33/debian/changelog
> --- gtk+2.0-2.24.33/debian/changelog  2021-05-19 17:13:33.000000000 +0100
> +++ gtk+2.0-2.24.33/debian/changelog  2024-07-19 11:57:02.000000000 +0100
> @@ -1,3 +1,14 @@
> +gtk+2.0 (2.24.33-2+deb12u1) bookworm; urgency=medium
> +
> +  * Team upload
> +  * d/control.in, d/gbp.conf: Set packaging branch for Debian 12 updates
> +  * d/control.in: Freeze previous Uploaders
> +  * d/p/CVE-2024-6655.patch:
> +    Add patch backported from 3.24.43 to avoid looking for modules in
> +    current working directory (CVE-2024-6655)
> +
> + -- Simon McVittie <s...@debian.org>  Fri, 19 Jul 2024 11:57:02 +0100
> +
>  gtk+2.0 (2.24.33-2) unstable; urgency=medium
>  
>    * Team upload
> diff -Nru gtk+2.0-2.24.33/debian/control gtk+2.0-2.24.33/debian/control
> --- gtk+2.0-2.24.33/debian/control    2021-05-19 17:13:33.000000000 +0100
> +++ gtk+2.0-2.24.33/debian/control    2024-07-19 11:57:02.000000000 +0100
> @@ -50,7 +50,7 @@
>  Rules-Requires-Root: no
>  Standards-Version: 4.5.1
>  Vcs-Browser: https://salsa.debian.org/gnome-team/gtk2
> -Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git
> +Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git -b debian/bookworm
>  Homepage: http://www.gtk.org/
>  
>  Package: libgtk2.0-0
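Review bot: Vcs-Git now points at a debian/bookworm branch (and the gbp.conf hunk further down sets debian-branch to the same name), so that branch needs to exist on salsa and carry the 2.24.33-2+deb12u1 tag before this is uploaded; otherwise the Vcs-Git URL in the stable package will dangle.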
> diff -Nru gtk+2.0-2.24.33/debian/control.in gtk+2.0-2.24.33/debian/control.in
> --- gtk+2.0-2.24.33/debian/control.in 2021-05-19 17:13:33.000000000 +0100
> +++ gtk+2.0-2.24.33/debian/control.in 2024-07-19 11:57:02.000000000 +0100
> @@ -2,7 +2,7 @@
>  Section: libs
>  Priority: optional
>  Maintainer: Debian GNOME Maintainers 
> <pkg-gnome-maintain...@lists.alioth.debian.org>
> -Uploaders: @GNOME_TEAM@
> +Uploaders: Emilio Pozuelo Monfort <po...@debian.org>, Jeremy Bicha 
> <jbi...@debian.org>
>  Build-Depends: debhelper-compat (= 12),
>                 dh-python,
>                 gettext,
> @@ -50,7 +50,7 @@
>  Rules-Requires-Root: no
>  Standards-Version: 4.5.1
>  Vcs-Browser: https://salsa.debian.org/gnome-team/gtk2
> -Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git
> +Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git -b debian/bookworm
>  Homepage: http://www.gtk.org/
>  
>  Package: @SHARED_PKG@
> diff -Nru gtk+2.0-2.24.33/debian/gbp.conf gtk+2.0-2.24.33/debian/gbp.conf
> --- gtk+2.0-2.24.33/debian/gbp.conf   2021-05-19 17:13:33.000000000 +0100
> +++ gtk+2.0-2.24.33/debian/gbp.conf   2024-07-19 11:57:02.000000000 +0100
> @@ -1,5 +1,5 @@
>  [DEFAULT]
>  pristine-tar = True
> -debian-branch = debian/master
> +debian-branch = debian/bookworm
>  upstream-branch = upstream/latest
>  upstream-vcs-tag = %(version)s
> diff -Nru gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch 
> gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch
> --- gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch        1970-01-01 
> 01:00:00.000000000 +0100
> +++ gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch        2024-07-19 
> 11:57:02.000000000 +0100
> @@ -0,0 +1,35 @@
> +From: Matthias Clasen <mcla...@redhat.com>
> +Date: Sat, 15 Jun 2024 14:18:01 -0400
> +Subject: Stop looking for modules in cwd
> +
> +This is just not a good idea. It is surprising, and can be misused.
> +
> +(cherry picked from commit 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7)
> +
> +Bug: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
> +Bug-CVE: CVE-2024-6655
> +Origin: upstream, 3.24.43, 
> commit:https://gitlab.gnome.org/GNOME/gtk/-/commit/3bbf0b6176d42836d23c36a6ac410e807ec0a7a7
> +---
> + gtk/gtkmodules.c | 9 ++-------
> + 1 file changed, 2 insertions(+), 7 deletions(-)
> +
> +diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
> +index 7877557..64efd91 100644
> +--- a/gtk/gtkmodules.c
> ++++ b/gtk/gtkmodules.c
> +@@ -232,13 +232,8 @@ find_module (const gchar *name)
> +   gchar *module_name;
> + 
> +   module_name = _gtk_find_module (name, "modules");
> +-  if (!module_name)
> +-    {
> +-      /* As last resort, try loading without an absolute path (using system
> +-       * library path)
> +-       */
> +-      module_name = g_module_build_path (NULL, name);
> +-    }
> ++  if (module_name == NULL)
> ++    return NULL;
> + 
> +   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | 
> G_MODULE_BIND_LAZY);
> + 
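Review bot: find_module now has a code path that returns NULL where it previously always handed a name to g_module_open (the removed g_module_build_path (NULL, name) fallback produced a bare "libfoo.so" that the dynamic loader resolves against the working directory, which is exactly what the strace in [Tests] shows), so every caller of find_module in gtk2 must treat a NULL return as "module not found" and report it rather than dereference it; worth confirming against the gtk2 callers, since the patch was written for 3.24.43. Also, the DEP-3 Origin: line appears wrapped onto two lines in this mail; make sure the copy in the debdiff has it on one line so the header stays parseable.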
> diff -Nru gtk+2.0-2.24.33/debian/patches/series 
> gtk+2.0-2.24.33/debian/patches/series
> --- gtk+2.0-2.24.33/debian/patches/series     2021-05-19 17:13:33.000000000 
> +0100
> +++ gtk+2.0-2.24.33/debian/patches/series     2024-07-19 11:57:02.000000000 
> +0100
> @@ -8,3 +8,4 @@
>  098_multiarch_module_path.patch
>  Reinstate-marshallers-that-accidentally-became-part-of-th.patch
>  d-i/textlayout-Clamp-width-to-the-value-we-asked-for-as-a-hac.patch
> +CVE-2024-6655.patch
> diff -Nru gtk+2.0-2.24.33/gtk/gtkmodules.c gtk+2.0-2.24.33/gtk/gtkmodules.c
> --- gtk+2.0-2.24.33/gtk/gtkmodules.c  2024-07-19 12:26:39.000000000 +0100
> +++ gtk+2.0-2.24.33/gtk/gtkmodules.c  2024-07-19 12:26:40.000000000 +0100
> @@ -232,13 +232,8 @@
>    gchar *module_name;
>  
>    module_name = _gtk_find_module (name, "modules");
> -  if (!module_name)
> -    {
> -      /* As last resort, try loading without an absolute path (using system
> -       * library path)
> -       */
> -      module_name = g_module_build_path (NULL, name);
> -    }
> +  if (module_name == NULL)
> +    return NULL;
>  
>    module = g_module_open (module_name, G_MODULE_BIND_LOCAL | 
> G_MODULE_BIND_LAZY);
>  
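Review bot: this hunk is the same change already carried in debian/patches/CVE-2024-6655.patch above; it appears because the debdiff was taken between trees with the quilt series applied (note the 12:26:39 / 12:26:40 timestamps on the two gtk/gtkmodules.c copies, versus the 2021 timestamps on the debian/ files). It is harmless for review, but regenerating the debdiff from unpatched trees would avoid it looking like a second, unmanaged copy of the fix.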

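The check described in [Tests] above, written out as an added example (not from the bug report, GTK or the Debian packaging): it scans `strace -efile` output for lookups of a GTK_MODULES entry made relative to the working directory, which is the symptom the fix removes. The embedded trace lines are constructed to match the three probes quoted in the report; the absolute paths in it are illustrative.

```python
import re
import sys

# One strace -efile line: optional "[pid N]" prefix, the syscall name, then
# the AT_FDCWD-relative path argument in quotes.
_FILE_CALL = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(?P<call>\w+)\(AT_FDCWD, "(?P<path>[^"]*)"')


def parse_gtk_modules(value):
    """Split a GTK_MODULES value ("gail:atk-bridge:foobar") into module names."""
    return [name for name in value.split(":") if name]


def cwd_relative_module_lookups(trace_lines, module_names):
    """Return (syscall, path) pairs for lookups of a listed module that were
    made relative to the working directory instead of by absolute path.
    GModule derives "lib<name>.so" from the module name and then also tries
    the ".so" and ".la" suffixes, which is why the quoted trace probes
    libfoobar.so, libfoobar.so.so and libfoobar.so.la in turn."""
    prefixes = tuple("lib" + name for name in module_names)
    hits = []
    for line in trace_lines:
        m = _FILE_CALL.match(line.strip())
        if m is None:
            continue
        path = m.group("path")
        if path.startswith("/"):
            continue  # found via the module search path: expected behaviour
        if path.startswith(prefixes):
            hits.append((m.group("call"), path))
    return hits


# Constructed sample: the three probes quoted in the report plus two
# absolute-path opens that a fixed GTK still produces (paths illustrative).
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libgail.so", O_RDONLY|O_CLOEXEC) = 3
newfstatat(AT_FDCWD, "libfoobar.so", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.so", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.la", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
"""

if __name__ == "__main__":
    # Usage: GTK_MODULES=gail:atk-bridge:foobar strace -efile -o trace.log gtk-demo
    #        python3 check_gtk_modules.py gail:atk-bridge:foobar < trace.log
    modules = parse_gtk_modules(sys.argv[1] if len(sys.argv) > 1 else "foobar")
    lines = SAMPLE_TRACE.splitlines() if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for call, path in cwd_relative_module_lookups(lines, modules):
        print(f"cwd-relative module lookup: {call}({path!r})")
```

On the fixed package the function returns an empty list for the same GTK_MODULES value, which is the "this no longer happens" result reported above.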