Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gtk+...@packages.debian.org, secur...@debian.org
Control: affects -1 + src:gtk+2.0
[ Reason ]
CVE-2024-6655. The security team has indicated that they do not intend to release a DSA for this vulnerability.

[ Impact ]
If not fixed, GTK 2 apps will load modules specified in $GTK_MODULES from the current working directory, which could be an exploitable vulnerability if a GTK 2 app is run from /tmp or a similarly attacker-controlled directory.

[ Tests ]
In the GTK 2 currently in bookworm, running e.g. `GTK_MODULES=gail:atk-bridge:foobar strace -efile gtk-demo` shows signs of attempting to load ./libfoobar.so:

newfstatat(AT_FDCWD, "libfoobar.so", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.so", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.la", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)

In the proposed version, this no longer happens.

(gtk-demo is a sample GTK 2 application, from gtk2.0-examples.)

[ Risks ]
Low risk, straightforward backport of a targeted security fix.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
d/patches: The vulnerability fix.
d/control, d/gbp.conf: Package release administrivia.
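As an added example (not part of this bug report, and not GTK or Debian packaging code), the [ Tests ] step above can be automated: the script below scans `strace -efile` output for file lookups whose path is relative (no leading "/") and names a shared library or libtool archive. A relative path passed with dirfd AT_FDCWD is resolved against the process's current working directory, which is exactly the lookup the fix removes. The sample input is the three strace lines quoted in the report plus two constructed absolute-path lookups of the kind a search through GTK's own module directories produces; the module directory path in those two lines is an assumption, not taken from the package.

```shell
#!/bin/sh
# Added example: flag shared-library lookups that strace shows being resolved
# relative to the current working directory. Not GTK or Debian code.

# Reads strace "-efile" output on stdin and prints every line in which
# newfstatat/openat/faccessat is called with AT_FDCWD and a relative path
# ending in .so, .so.<anything> or .la. An optional "[pid N] " prefix
# (from strace -f) is tolerated. Exit status follows grep: 0 if at least
# one such line was found, 1 if none.
relative_module_lookups() {
    grep -E '^(\[pid +[0-9]+\] )?(newfstatat|openat|faccessat2?)\(AT_FDCWD, "[^/"][^"]*\.(so|la)[^"]*"'
}

# Number of offending lines in the text on stdin (always exits 0).
count_relative_module_lookups() {
    relative_module_lookups | wc -l | tr -d ' '
}

# Constructed sample: the three lines quoted in the bug report (lookups the
# fixed package no longer performs) plus two absolute-path lookups that must
# NOT be reported. The gtk-2.0 module directory below is an assumed path.
SAMPLE='newfstatat(AT_FDCWD, "libfoobar.so", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.so", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.la", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libgail.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3'

# Against a live process instead of the sample, record the trace to a file
# and feed it in, e.g.:
#   GTK_MODULES=gail:atk-bridge:foobar strace -efile -o /tmp/trace.log gtk-demo
#   relative_module_lookups < /tmp/trace.log
# A fixed GTK 2 prints nothing; the bookworm version prints the three lines.

if [ "$(printf '%s\n' "$SAMPLE" | count_relative_module_lookups)" -gt 0 ]; then
    echo "relative module lookups found (resolved against the cwd):"
    printf '%s\n' "$SAMPLE" | relative_module_lookups
fi
```

Only the three relative lookups are reported; the absolute-path `openat` lines, which are what a lookup through GTK's own module path or the system library cache looks like, are left alone. Note that `strace -efile` only shows the attempt; the check tells you the process searched the working directory, not whether a matching file was there.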
diffstat for gtk+2.0-2.24.33 gtk+2.0-2.24.33 debian/changelog | 11 +++++++++++ debian/control | 2 +- debian/control.in | 4 ++-- debian/gbp.conf | 2 +- debian/patches/CVE-2024-6655.patch | 35 +++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + gtk/gtkmodules.c | 9 ++------- 7 files changed, 53 insertions(+), 11 deletions(-) diff -Nru gtk+2.0-2.24.33/debian/changelog gtk+2.0-2.24.33/debian/changelog --- gtk+2.0-2.24.33/debian/changelog 2021-05-19 17:13:33.000000000 +0100 +++ gtk+2.0-2.24.33/debian/changelog 2024-07-19 11:57:02.000000000 +0100 @@ -1,3 +1,14 @@ +gtk+2.0 (2.24.33-2+deb12u1) bookworm; urgency=medium + + * Team upload + * d/control.in, d/gbp.conf: Set packaging branch for Debian 12 updates + * d/control.in: Freeze previous Uploaders + * d/p/CVE-2024-6655.patch: + Add patch backported from 3.24.43 to avoid looking for modules in + current working directory (CVE-2024-6655) + + -- Simon McVittie <s...@debian.org> Fri, 19 Jul 2024 11:57:02 +0100 + gtk+2.0 (2.24.33-2) unstable; urgency=medium * Team upload diff -Nru gtk+2.0-2.24.33/debian/control gtk+2.0-2.24.33/debian/control --- gtk+2.0-2.24.33/debian/control 2021-05-19 17:13:33.000000000 +0100 +++ gtk+2.0-2.24.33/debian/control 2024-07-19 11:57:02.000000000 +0100 @@ -50,7 +50,7 @@ Rules-Requires-Root: no Standards-Version: 4.5.1 Vcs-Browser: https://salsa.debian.org/gnome-team/gtk2 -Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git +Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git -b debian/bookworm Homepage: http://www.gtk.org/ Package: libgtk2.0-0 diff -Nru gtk+2.0-2.24.33/debian/control.in gtk+2.0-2.24.33/debian/control.in --- gtk+2.0-2.24.33/debian/control.in 2021-05-19 17:13:33.000000000 +0100 +++ gtk+2.0-2.24.33/debian/control.in 2024-07-19 11:57:02.000000000 +0100 
@@ -2,7 +2,7 @@ Section: libs Priority: optional Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org> -Uploaders: @GNOME_TEAM@ +Uploaders: Emilio Pozuelo Monfort <po...@debian.org>, Jeremy Bicha <jbi...@debian.org> Build-Depends: debhelper-compat (= 12), dh-python, gettext, @@ -50,7 +50,7 @@ Rules-Requires-Root: no Standards-Version: 4.5.1 Vcs-Browser: https://salsa.debian.org/gnome-team/gtk2 -Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git +Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git -b debian/bookworm Homepage: http://www.gtk.org/ Package: @SHARED_PKG@ diff -Nru gtk+2.0-2.24.33/debian/gbp.conf gtk+2.0-2.24.33/debian/gbp.conf --- gtk+2.0-2.24.33/debian/gbp.conf 2021-05-19 17:13:33.000000000 +0100 +++ gtk+2.0-2.24.33/debian/gbp.conf 2024-07-19 11:57:02.000000000 +0100 @@ -1,5 +1,5 @@ [DEFAULT] pristine-tar = True -debian-branch = debian/master +debian-branch = debian/bookworm upstream-branch = upstream/latest upstream-vcs-tag = %(version)s diff -Nru gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch --- gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch 1970-01-01 01:00:00.000000000 +0100 +++ gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch 2024-07-19 11:57:02.000000000 +0100 
@@ -0,0 +1,35 @@ +From: Matthias Clasen <mcla...@redhat.com> +Date: Sat, 15 Jun 2024 14:18:01 -0400 +Subject: Stop looking for modules in cwd + +This is just not a good idea. It is surprising, and can be misused. + +(cherry picked from commit 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7) + +Bug: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786 +Bug-CVE: CVE-2024-6655 +Origin: upstream, 3.24.43, commit:https://gitlab.gnome.org/GNOME/gtk/-/commit/3bbf0b6176d42836d23c36a6ac410e807ec0a7a7 +--- + gtk/gtkmodules.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c +index 7877557..64efd91 100644 +--- a/gtk/gtkmodules.c ++++ b/gtk/gtkmodules.c +@@ -232,13 +232,8 @@ find_module (const gchar *name) + gchar *module_name; + + module_name = _gtk_find_module (name, "modules"); +- if (!module_name) +- { +- /* As last resort, try loading without an absolute path (using system +- * library path) +- */ +- module_name = g_module_build_path (NULL, name); +- } ++ if (module_name == NULL) ++ return NULL; + + module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY); + diff -Nru gtk+2.0-2.24.33/debian/patches/series gtk+2.0-2.24.33/debian/patches/series --- gtk+2.0-2.24.33/debian/patches/series 2021-05-19 17:13:33.000000000 +0100 +++ gtk+2.0-2.24.33/debian/patches/series 2024-07-19 11:57:02.000000000 +0100 @@ -8,3 +8,4 @@ 098_multiarch_module_path.patch Reinstate-marshallers-that-accidentally-became-part-of-th.patch d-i/textlayout-Clamp-width-to-the-value-we-asked-for-as-a-hac.patch +CVE-2024-6655.patch diff -Nru gtk+2.0-2.24.33/gtk/gtkmodules.c gtk+2.0-2.24.33/gtk/gtkmodules.c --- gtk+2.0-2.24.33/gtk/gtkmodules.c 2024-07-19 12:26:39.000000000 +0100 +++ gtk+2.0-2.24.33/gtk/gtkmodules.c 2024-07-19 12:26:40.000000000 +0100 
@@ -232,13 +232,8 @@ gchar *module_name; module_name = _gtk_find_module (name, "modules"); - if (!module_name) - { - /* As last resort, try loading without an absolute path (using system - * library path) - */ - module_name = g_module_build_path (NULL, name); - } + if (module_name == NULL) + return NULL; module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
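Review bot: in the gtk/gtkmodules.c hunk, replacing the `g_module_build_path (NULL, name)` fallback with `if (module_name == NULL) return NULL;` is a behaviour change wider than the cwd case described in the changelog: the removed comment says the fallback also covered loading "using system library path", so a bare name in $GTK_MODULES that was only resolvable through the dynamic linker's search path (a module installed in a plain library directory rather than under GTK's module search path) will now fail to load instead of being found. The d/changelog entry ("avoid looking for modules in current working directory") could say that bare names now resolve only through `_gtk_find_module (name, "modules")`, and the [ Tests ] step would be stronger if it also confirmed that gail and atk-bridge still load in the patched build (an absolute-path openat of their .so files in the same strace run).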
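Review bot: the same change to gtk/gtkmodules.c appears twice in the debdiff, once inside debian/patches/CVE-2024-6655.patch and once as a direct diff of gtk/gtkmodules.c (timestamps 2024-07-19 12:26:39/12:26:40), which means the source tree was diffed with the patch series applied. This is harmless for the upload, since dpkg-source ships only the patch, but the debdiff is easier to review if it is generated with the series unapplied (`quilt pop -a` before running debdiff) so each change is seen once.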
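Review bot: debian/control.in changes Uploaders from `@GNOME_TEAM@` to two explicit names, while the generated debian/control hunk shows only the Vcs-Git change; that is consistent only if the expanded Uploaders list was already identical, so it is worth confirming debian/control was regenerated from control.in in this build rather than edited by hand, so the two files do not drift on the bookworm branch.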