[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1076598: bullseye-pu: package gtk+2.0/2.24.33-2+deb11u1

Package: release.debian.org
Severity: normal
Tags: bullseye d-i
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gtk+2.0@packages.debian.org, security@debian.org, debian-boot@lists.debian.org
Control: affects -1 + src:gtk+2.0

[ Reason ]
CVE-2024-6655. The security team has indicated that they do not intend
to release a DSA for this vulnerability.

[ Impact ]
If not fixed, GTK 2 apps will load modules specified in $GTK_MODULES from
the current working directory, which could be an exploitable vulnerability
if a GTK 2 app is run from /tmp or a similarly attacker-controlled
directory.

[ Tests ]
Briefly tested in a Debian 11 GNOME VM, no obvious regression.

In the GTK 2 currently in bullseye, running e.g.
`GTK_MODULES=gail:atk-bridge:foobar strace -efile gtk-demo` shows signs of
attempting to load ./libfoobar.so:

stat("libfoobar.so", ...) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.so", ...) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.la", ...) = -1 ENOENT (No such file or directory)

In the proposed version, this no longer happens.

(gtk-demo is a sample GTK 2 application, from gtk2.0-examples.)

I have not yet attempted to build a debian-installer image with the
proposed GTK.

[ Risks ]
Low risk, straightforward backport of a targeted security fix.

One risk here is that Debian 11.11 is intended to be its last scheduled
point release, so if this somehow causes a regression, there will be no
more point releases in which the regression can be fixed, and it will
be up to the LTS team to deal with the fallout.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
d/patches: The vulnerability fix.

d/control, d/gbp.conf: Package release administrivia.

[ Other info ]
GTK 2 is used in the graphical installer, so this will require a d-i ack.

diffstat for gtk+2.0-2.24.33 gtk+2.0-2.24.33

 debian/changelog                   |   11 +++++++++++
 debian/control                     |    2 +-
 debian/control.in                  |    4 ++--
 debian/gbp.conf                    |    2 +-
 debian/patches/CVE-2024-6655.patch |   35 +++++++++++++++++++++++++++++++++++
 debian/patches/series              |    1 +
 gtk/gtkmodules.c                   |    9 ++-------
 7 files changed, 53 insertions(+), 11 deletions(-)

diff -Nru gtk+2.0-2.24.33/debian/changelog gtk+2.0-2.24.33/debian/changelog
--- gtk+2.0-2.24.33/debian/changelog	2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/changelog	2024-07-19 12:19:26.000000000 +0100
@@ -1,3 +1,14 @@
+gtk+2.0 (2.24.33-2+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * d/control.in, d/gbp.conf: Set packaging branch for Debian 11 updates
+  * d/control.in: Freeze previous Uploaders
+  * d/p/CVE-2024-6655.patch:
+    Add patch backported from 3.24.43 to avoid looking for modules in
+    current working directory (CVE-2024-6655)
+
+ -- Simon McVittie <smcv@debian.org>  Fri, 19 Jul 2024 12:19:26 +0100
+
 gtk+2.0 (2.24.33-2) unstable; urgency=medium
 
   * Team upload
diff -Nru gtk+2.0-2.24.33/debian/control gtk+2.0-2.24.33/debian/control
--- gtk+2.0-2.24.33/debian/control	2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/control	2024-07-19 12:19:26.000000000 +0100
@@ -50,7 +50,7 @@
 Rules-Requires-Root: no
 Standards-Version: 4.5.1
 Vcs-Browser: https://salsa.debian.org/gnome-team/gtk2
-Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git
+Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git -b debian/bullseye
 Homepage: http://www.gtk.org/
 
 Package: libgtk2.0-0
diff -Nru gtk+2.0-2.24.33/debian/control.in gtk+2.0-2.24.33/debian/control.in
--- gtk+2.0-2.24.33/debian/control.in	2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/control.in	2024-07-19 12:19:26.000000000 +0100
@@ -2,7 +2,7 @@
 Section: libs
 Priority: optional
 Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
-Uploaders: @GNOME_TEAM@
+Uploaders: Emilio Pozuelo Monfort <pochu@debian.org>, Jeremy Bicha <jbicha@debian.org>
 Build-Depends: debhelper-compat (= 12),
                dh-python,
                gettext,
@@ -50,7 +50,7 @@
 Rules-Requires-Root: no
 Standards-Version: 4.5.1
 Vcs-Browser: https://salsa.debian.org/gnome-team/gtk2
-Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git
+Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git -b debian/bullseye
 Homepage: http://www.gtk.org/
 
 Package: @SHARED_PKG@
diff -Nru gtk+2.0-2.24.33/debian/gbp.conf gtk+2.0-2.24.33/debian/gbp.conf
--- gtk+2.0-2.24.33/debian/gbp.conf	2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/gbp.conf	2024-07-19 12:19:26.000000000 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/bullseye
 upstream-branch = upstream/latest
 upstream-vcs-tag = %(version)s
diff -Nru gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch
--- gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch	1970-01-01 01:00:00.000000000 +0100
+++ gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch	2024-07-19 12:19:26.000000000 +0100
@@ -0,0 +1,35 @@
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Sat, 15 Jun 2024 14:18:01 -0400
+Subject: Stop looking for modules in cwd
+
+This is just not a good idea. It is surprising, and can be misused.
+
+(cherry picked from commit 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7)
+
+Bug: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
+Bug-CVE: CVE-2024-6655
+Origin: upstream, 3.24.43, commit:https://gitlab.gnome.org/GNOME/gtk/-/commit/3bbf0b6176d42836d23c36a6ac410e807ec0a7a7
+---
+ gtk/gtkmodules.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
+index 7877557..64efd91 100644
+--- a/gtk/gtkmodules.c
++++ b/gtk/gtkmodules.c
+@@ -232,13 +232,8 @@ find_module (const gchar *name)
+   gchar *module_name;
+ 
+   module_name = _gtk_find_module (name, "modules");
+-  if (!module_name)
+-    {
+-      /* As last resort, try loading without an absolute path (using system
+-       * library path)
+-       */
+-      module_name = g_module_build_path (NULL, name);
+-    }
++  if (module_name == NULL)
++    return NULL;
+ 
+   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
+ 
diff -Nru gtk+2.0-2.24.33/debian/patches/series gtk+2.0-2.24.33/debian/patches/series
--- gtk+2.0-2.24.33/debian/patches/series	2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/patches/series	2024-07-19 12:19:26.000000000 +0100
@@ -8,3 +8,4 @@
 098_multiarch_module_path.patch
 Reinstate-marshallers-that-accidentally-became-part-of-th.patch
 d-i/textlayout-Clamp-width-to-the-value-we-asked-for-as-a-hac.patch
+CVE-2024-6655.patch
diff -Nru gtk+2.0-2.24.33/gtk/gtkmodules.c gtk+2.0-2.24.33/gtk/gtkmodules.c
--- gtk+2.0-2.24.33/gtk/gtkmodules.c	2024-07-19 12:51:26.000000000 +0100
+++ gtk+2.0-2.24.33/gtk/gtkmodules.c	2024-07-19 12:51:27.000000000 +0100
@@ -232,13 +232,8 @@
   gchar *module_name;
 
   module_name = _gtk_find_module (name, "modules");
-  if (!module_name)
-    {
-      /* As last resort, try loading without an absolute path (using system
-       * library path)
-       */
-      module_name = g_module_build_path (NULL, name);
-    }
+  if (module_name == NULL)
+    return NULL;
 
   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
Reply to: