Hello community,

here is the log from the commit of package xfdesktop for openSUSE:Factory checked in at 2012-06-28 17:22:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xfdesktop (Old)
 and /work/SRC/openSUSE:Factory/.xfdesktop.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xfdesktop", Maintainer is "" Changes: -------- --- /work/SRC/openSUSE:Factory/xfdesktop/xfdesktop.changes 2012-05-09 19:33:07.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.xfdesktop.new/xfdesktop.changes 2012-06-28 17:22:16.000000000 +0200 @@ -1,0 +2,5 @@ +Wed Jun 27 07:09:02 UTC 2012 - seife+...@b1-systems.com + +- fix use-after-free in desktop icon tooltip code (bnc#768985) + +------------------------------------------------------------------- New: ---- xfdesktop-4.10.0-fix-use-after-free.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xfdesktop.spec ++++++ --- /var/tmp/diff_new_pack.JV88Ru/_old 2012-06-28 17:22:18.000000000 +0200 +++ /var/tmp/diff_new_pack.JV88Ru/_new 2012-06-28 17:22:18.000000000 +0200 @@ -28,6 +28,8 @@ Patch0: xfdesktop-backgrounds-path.patch # PATCH-FEATURE-OPENSUSE xfdesktop-default-backdrop-image.patch g...@opensuse.org -- Sets the default background image to a symlink that is delivered by branding packages Patch1: xfdesktop-default-background-image.patch +# PATCH-FIX-UPSTREAM xfdesktop-4.10.0-fix-use-after-free.patch bnc#768985 bxo#9059 seife+...@b1-systems.com -- fix use-after free detected by MALLOC_CHECK_ / valgrind -- to be sent upstream! +Patch2: xfdesktop-4.10.0-fix-use-after-free.patch BuildRequires: fdupes BuildRequires: intltool BuildRequires: update-desktop-files 
@@ -84,6 +86,7 @@ %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 %build export CFLAGS="%{optflags} -fno-strict-aliasing" ++++++ xfdesktop-4.10.0-fix-use-after-free.patch ++++++ Tooltip of a desktop file with empty Comment= field shows as "EEEEEEEEEEEEEEEEEEEEE..." which hints at a use-after-free as the area is poisoned by glibc after free(). Valgrind then showed this: ==4111== Invalid read of size 1 ==4111== at 0x8413316: vfprintf (in /lib64/libc-2.15.so) ==4111== by 0x84C6380: __vasprintf_chk (in /lib64/libc-2.15.so) ==4111== by 0x7F3FC2A: g_vasprintf (in /usr/lib64/libglib-2.0.so.0.3200.3) ==4111== by 0x7F1FBFC: g_strdup_vprintf (in /usr/lib64/libglib-2.0.so.0.3200.3) ==4111== by 0x7F1FC9B: g_strdup_printf (in /usr/lib64/libglib-2.0.so.0.3200.3) ==4111== by 0x434087: xfdesktop_regular_file_icon_peek_tooltip (xfdesktop-regular-file-icon.c:577) ==4111== by 0x41F6C4: xfdesktop_icon_view_show_tooltip (xfdesktop-icon-view.c:1049) ==4111== by 0x659FB80: ??? (in /usr/lib64/libgtk-x11-2.0.so.0.2400.10) ==4111== by 0x7C7C70F: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3200.3) ==4111== by 0x7C8D78F: ??? (in /usr/lib64/libgobject-2.0.so.0.3200.3) ==4111== by 0x7C9532A: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3200.3) ==4111== by 0x7C95DAF: g_signal_emit_by_name (in /usr/lib64/libgobject-2.0.so.0.3200.3) ==4111== Address 0x13301768 is 72 bytes inside a block of size 4,096 free'd ==4111== at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==4111== by 0x7F23377: g_string_chunk_free (in /usr/lib64/libglib-2.0.so.0.3200.3) ==4111== by 0x60494F6: xfce_rc_close (xfce-rc.c:166) ==4111== by 0x434039: xfdesktop_regular_file_icon_peek_tooltip (xfdesktop-regular-file-icon.c:567) ==4111== by 0x41F6C4: xfdesktop_icon_view_show_tooltip (xfdesktop-icon-view.c:1049) ==4111== by 0x659FB80: ??? 
(in /usr/lib64/libgtk-x11-2.0.so.0.2400.10) ==4111== by 0x7C7C70F: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3200.3) ==4111== by 0x7C8D78F: ??? (in /usr/lib64/libgobject-2.0.so.0.3200.3) ==4111== by 0x7C9532A: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3200.3) ==4111== by 0x7C95DAF: g_signal_emit_by_name (in /usr/lib64/libgobject-2.0.so.0.3200.3) ==4111== by 0x6674F97: ??? (in /usr/lib64/libgtk-x11-2.0.so.0.2400.10) ==4111== by 0x6675C53: ??? (in /usr/lib64/libgtk-x11-2.0.so.0.2400.10) This is the patch I came up with: Index: b/src/xfdesktop-regular-file-icon.c =================================================================== --- a/src/xfdesktop-regular-file-icon.c +++ b/src/xfdesktop-regular-file-icon.c @@ -550,10 +550,14 @@ xfdesktop_regular_file_icon_peek_tooltip mtime = g_file_info_get_attribute_uint64(info, G_FILE_ATTRIBUTE_TIME_MODIFIED); time_string = xfdesktop_file_utils_format_time_for_display(mtime); + regular_file_icon->priv->tooltip = + g_strdup_printf(_("Type: %s\nSize: %s\nLast modified: %s"), + description, size_string, time_string); + /* Extract the Comment entry from the .desktop file */ if(is_desktop_file) { gchar *path = g_file_get_path(regular_file_icon->priv->file); XfceRc *rcfile = xfce_rc_simple_open(path, TRUE); 
@@ -561,27 +565,22 @@ xfdesktop_regular_file_icon_peek_tooltip if(rcfile) { xfce_rc_set_group(rcfile, "Desktop Entry"); comment = xfce_rc_read_entry(rcfile, "Comment", NULL); } + /* Prepend the comment to the tooltip */ + if(comment != NULL) { + gchar *tooltip = regular_file_icon->priv->tooltip; + regular_file_icon->priv->tooltip = g_strdup_printf("%s\n%s", + comment, + tooltip); + g_free(tooltip); + } xfce_rc_close(rcfile); } - regular_file_icon->priv->tooltip = - g_strdup_printf(_("Type: %s\nSize: %s\nLast modified: %s"), - description, size_string, time_string); - - /* Prepend the comment to the tooltip */ - if(is_desktop_file && comment != NULL) { - gchar *tooltip = regular_file_icon->priv->tooltip; - regular_file_icon->priv->tooltip = g_strdup_printf("%s\n%s", - comment, - tooltip); - g_free(tooltip); - } - g_free(time_string); g_free(size_string); g_free(description); }
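
Review bot: The Patch2 comment in the xfdesktop.spec hunk at @@ -28,6 +28,8 contradicts itself: it is tagged PATCH-FIX-UPSTREAM and cites bxo#9059, yet ends with "to be sent upstream!", so a reader cannot tell whether the fix has actually been submitted. Drop the trailing remark once the patch is attached to the upstream report, or state where it was sent. The xfdesktop.changes entry cites only bnc#768985 and could carry the bxo#9059 reference as well.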
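
Review bot: The relocated g_strdup_printf in the @@ -550,10 +550,14 hunk of xfdesktop-regular-file-icon.c needs a comment explaining why the base tooltip is now built before the Comment entry is read. Without one the block looks like a harmless reorder and could later be moved back below xfce_rc_close. One line noting that the Comment string is only valid while rcfile is open, which is what the valgrind trace in the description shows, would be enough.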
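
Review bot: In the @@ -561,27 +565,22 hunk, "xfce_rc_close(rcfile);" still sits outside the "if(rcfile)" check, so it is called with a NULL rcfile when xfce_rc_simple_open fails. Since these lines are being rearranged anyway, move both the prepend and the close inside the "if(rcfile)" block. The "if(comment != NULL)" test also lets through the case the description reports, an empty Comment= field: if that entry reads back as an empty string, the tooltip will start with a bare newline, so consider "if(comment != NULL && *comment != '\0')".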