Package: libmate-desktop-2-17
Version: 1.26.0-1
Severity: important
Tags: upstream patch
X-Debbugs-Cc: arraybo...@ubuntu.com
libmate-desktop has a use-after-free condition in which an item in a GList is deleted and then dereferenced in a later loop iteration. This appears to have been the result of a coding error upstream, and was later reverted. Debian still has the buggy version of the code.

In Ubuntu, the buggy code caused the MATE application menu to vanish very soon after clicking it. Desktop icons also vanished. I do not know if this is happening to Debian or not; however, since the buggy code is in Debian, I believe it's at least a risk even if it's not actively happening. This was reported as https://launchpad.net/bugs/2013138

The following patch looks like it should be easily applicable to Debian, and it solves the bug in Ubuntu:

diff --git a/libmate-desktop/mate-bg.c b/libmate-desktop/mate-bg.c
index 0f617fa..e535231 100644
--- a/libmate-desktop/mate-bg.c
+++ b/libmate-desktop/mate-bg.c
@@ -2002,19 +2002,18 @@ static gboolean blow_expensive_caches (gpointer data) { MateBG *bg = data; - GList *list; + GList *list, *next; bg->blow_caches_id = 0; - if (bg->file_cache) { - for (list = bg->file_cache; list != NULL; list = list->next) { - FileCacheEntry *ent = list->data; + for (list = bg->file_cache; list != NULL; list = next) { + FileCacheEntry *ent = list->data; + next = list->next; - if (ent->type == PIXBUF) { - file_cache_entry_delete (ent); - bg->file_cache = g_list_delete_link (bg->file_cache, - list); - } + if (ent->type == PIXBUF) { + file_cache_entry_delete (ent); + bg->file_cache = g_list_delete_link (bg->file_cache, - list); } }

Patch source: https://git.mate-desktop.org/mate-desktop/commit/?id=7b379f54a5b09df007f7e84dabbbc5f8ce9381a9

(And yes, I do realize that is formatted horribly, but that's what upstream MATE's website gave me. I think it trimmed off a bunch of preceding whitespace for some reason.)

-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.19.0-32-generic (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libmate-desktop-2-17 depends on:
ii  iso-codes                 4.9.0-1
ii  libatk1.0-0               2.36.0-3build1
ii  libc6                     2.35-0ubuntu3.1
ii  libcairo2                 1.16.0-5ubuntu2
ii  libdconf1                 0.40.0-3
ii  libgdk-pixbuf-2.0-0       2.42.8+dfsg-1ubuntu0.2
ii  libglib2.0-0              2.72.4-0ubuntu1
ii  libgtk-3-0                3.24.33-1ubuntu2
ii  libpango-1.0-0            1.50.6+ds-2ubuntu1
ii  libstartup-notification0  0.12-6build2
ii  libx11-6                  2:1.7.5-1
ii  libxrandr2                2:1.5.2-1build1

libmate-desktop-2-17 recommends no packages.
libmate-desktop-2-17 suggests no packages.
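Review bot: the change is sound for the use-after-free the report describes, because `next = list->next;` is read before `g_list_delete_link (bg->file_cache, list);` frees the link, so the next iteration no longer reads `list->next` from freed memory; dropping the `if (bg->file_cache)` guard is also fine, since the `list != NULL` test in the `for` condition already handles an empty cache. As pasted, the hunk has lost its leading whitespace and the line break after the `@@` header, so `patch -p1` or `git apply` will reject this text; take the patch from the upstream commit linked under "Patch source" instead, and confirm it applies cleanly to the mate-bg.c in Debian's 1.26.0-1 before uploading.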