Bug#1076598: bullseye-pu: package gtk+2.0/2.24.33-2+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye d-i
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gtk+2.0@packages.debian.org, security@debian.org, debian-boot@lists.debian.org
Control: affects -1 + src:gtk+2.0
[ Reason ]
CVE-2024-6655. The security team has indicated that they do not intend
to release a DSA for this vulnerability.
[ Impact ]
If not fixed, GTK 2 apps will load modules specified in $GTK_MODULES from
the current working directory, which could be an exploitable vulnerability
if a GTK 2 app is run from /tmp or a similarly attacker-controlled
directory.
[ Tests ]
Briefly tested in a Debian 11 GNOME VM, no obvious regression.
In the GTK 2 currently in bullseye, running e.g.
`GTK_MODULES=gail:atk-bridge:foobar strace -efile gtk-demo` shows signs of
attempting to load ./libfoobar.so:
stat("libfoobar.so", ...) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.so", ...) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.la", ...) = -1 ENOENT (No such file or directory)
In the proposed version, this no longer happens.
(gtk-demo is a sample GTK 2 application, from gtk2.0-examples.)
I have not yet attempted to build a debian-installer image with the
proposed GTK.
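As an added example, not part of this bug report or the gtk+2.0 package: a small shell check that applies the strace-based test above to a saved trace, flagging library lookups made by a bare relative file name (which the loader resolves against the current working directory). The sample traces are constructed to mirror the output quoted above; the absolute module directory in them is made up.

```shell
# Regex (assumption: strace -efile output, one syscall per line): a syscall
# name at line start, an optional AT_FDCWD argument, then a quoted path that
# does NOT begin with "/" and ends in .so or .la, optionally with a further
# suffix (libfoobar.so.so, libfoobar.so.la as seen in the bullseye trace).
RELATIVE_LIB_RE='^[a-z0-9_]+\((AT_FDCWD, )?"[^/"][^"]*\.(so|la)(\.[^"]*)?"'

# Print the offending lines from stdin. Exit status follows grep: 0 when any
# relative lookup was found (bad), 1 when the trace is clean.
relative_module_lookups() {
    grep -E "$RELATIVE_LIB_RE"
}

# Number of offending lines on stdin; always prints a number, even 0.
count_relative_module_lookups() {
    grep -cE "$RELATIVE_LIB_RE"
}

# Constructed trace resembling GTK 2 in bullseye before the fix: the module
# is first searched under an (invented) absolute module directory, then by
# bare name, which is the cwd lookup CVE-2024-6655 is about.
sample_vulnerable_trace() {
    cat <<'EOF'
stat("/usr/lib/gtk-2.0/modules/libfoobar.so", ...) = -1 ENOENT (No such file or directory)
stat("libfoobar.so", ...) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.so", ...) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.la", ...) = -1 ENOENT (No such file or directory)
EOF
}

# Constructed trace resembling the proposed version: absolute paths only.
sample_fixed_trace() {
    cat <<'EOF'
stat("/usr/lib/gtk-2.0/modules/libfoobar.so", ...) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
EOF
}

# Typical use against a live run of the sample application from gtk2.0-examples:
#   GTK_MODULES=gail:atk-bridge:foobar strace -f -efile gtk-demo 2>&1 | relative_module_lookups
```

A clean run produces no output and exits 1, so the pipeline can be used directly as a regression test that fails when any relative-path module lookup reappears.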
[ Risks ]
Low risk, straightforward backport of a targeted security fix.
One risk here is that Debian 11.11 is intended to be its last scheduled
point release, so if this somehow causes a regression, there will be no
more point releases in which the regression can be fixed, and it will
be up to the LTS team to deal with the fallout.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
d/patches: The vulnerability fix.
d/control, d/gbp.conf: Package release administrivia.
[ Other info ]
GTK 2 is used in the graphical installer, so this will require a d-i ack.
diffstat for gtk+2.0-2.24.33 gtk+2.0-2.24.33
debian/changelog | 11 +++++++++++
debian/control | 2 +-
debian/control.in | 4 ++--
debian/gbp.conf | 2 +-
debian/patches/CVE-2024-6655.patch | 35 +++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
gtk/gtkmodules.c | 9 ++-------
7 files changed, 53 insertions(+), 11 deletions(-)
diff -Nru gtk+2.0-2.24.33/debian/changelog gtk+2.0-2.24.33/debian/changelog
--- gtk+2.0-2.24.33/debian/changelog 2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/changelog 2024-07-19 12:19:26.000000000 +0100
@@ -1,3 +1,14 @@
+gtk+2.0 (2.24.33-2+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * d/control.in, d/gbp.conf: Set packaging branch for Debian 11 updates
+ * d/control.in: Freeze previous Uploaders
+ * d/p/CVE-2024-6655.patch:
+ Add patch backported from 3.24.43 to avoid looking for modules in
+ current working directory (CVE-2024-6655)
+
+ -- Simon McVittie <smcv@debian.org> Fri, 19 Jul 2024 12:19:26 +0100
+
gtk+2.0 (2.24.33-2) unstable; urgency=medium
* Team upload
diff -Nru gtk+2.0-2.24.33/debian/control gtk+2.0-2.24.33/debian/control
--- gtk+2.0-2.24.33/debian/control 2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/control 2024-07-19 12:19:26.000000000 +0100
@@ -50,7 +50,7 @@
Rules-Requires-Root: no
Standards-Version: 4.5.1
Vcs-Browser: https://salsa.debian.org/gnome-team/gtk2
-Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git
+Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git -b debian/bullseye
Homepage: http://www.gtk.org/
Package: libgtk2.0-0
diff -Nru gtk+2.0-2.24.33/debian/control.in gtk+2.0-2.24.33/debian/control.in
--- gtk+2.0-2.24.33/debian/control.in 2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/control.in 2024-07-19 12:19:26.000000000 +0100
@@ -2,7 +2,7 @@
Section: libs
Priority: optional
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
-Uploaders: @GNOME_TEAM@
+Uploaders: Emilio Pozuelo Monfort <pochu@debian.org>, Jeremy Bicha <jbicha@debian.org>
Build-Depends: debhelper-compat (= 12),
dh-python,
gettext,
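Review bot: Replacing `@GNOME_TEAM@` with a fixed `Uploaders:` list in this hunk freezes the names for the bullseye branch, matching the changelog line "Freeze previous Uploaders"; one thing to confirm before upload is that the generated debian/control agrees, since its hunk in this debdiff changes only `Vcs-Git:` and shows no Uploaders difference, which is consistent only if `@GNOME_TEAM@` already expanded to exactly these two names at the 2.24.33-2 upload.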
@@ -50,7 +50,7 @@
Rules-Requires-Root: no
Standards-Version: 4.5.1
Vcs-Browser: https://salsa.debian.org/gnome-team/gtk2
-Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git
+Vcs-Git: https://salsa.debian.org/gnome-team/gtk2.git -b debian/bullseye
Homepage: http://www.gtk.org/
Package: @SHARED_PKG@
diff -Nru gtk+2.0-2.24.33/debian/gbp.conf gtk+2.0-2.24.33/debian/gbp.conf
--- gtk+2.0-2.24.33/debian/gbp.conf 2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/gbp.conf 2024-07-19 12:19:26.000000000 +0100
@@ -1,5 +1,5 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/bullseye
upstream-branch = upstream/latest
upstream-vcs-tag = %(version)s
diff -Nru gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch
--- gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch 1970-01-01 01:00:00.000000000 +0100
+++ gtk+2.0-2.24.33/debian/patches/CVE-2024-6655.patch 2024-07-19 12:19:26.000000000 +0100
@@ -0,0 +1,35 @@
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Sat, 15 Jun 2024 14:18:01 -0400
+Subject: Stop looking for modules in cwd
+
+This is just not a good idea. It is surprising, and can be misused.
+
+(cherry picked from commit 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7)
+
+Bug: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
+Bug-CVE: CVE-2024-6655
+Origin: upstream, 3.24.43, commit:https://gitlab.gnome.org/GNOME/gtk/-/commit/3bbf0b6176d42836d23c36a6ac410e807ec0a7a7
+---
+ gtk/gtkmodules.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
+index 7877557..64efd91 100644
+--- a/gtk/gtkmodules.c
++++ b/gtk/gtkmodules.c
+@@ -232,13 +232,8 @@ find_module (const gchar *name)
+ gchar *module_name;
+
+ module_name = _gtk_find_module (name, "modules");
+- if (!module_name)
+- {
+- /* As last resort, try loading without an absolute path (using system
+- * library path)
+- */
+- module_name = g_module_build_path (NULL, name);
+- }
++ if (module_name == NULL)
++ return NULL;
+
+ module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
+
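Review bot: Besides removing the cwd lookup, the deleted block in this hunk was also the only route by which a bare module name from GTK_MODULES could be resolved through the system library search path (the removed comment says so: "As last resort, try loading without an absolute path (using system library path)"), so a module installed outside the directory that `_gtk_find_module (name, "modules")` searches will now make `find_module` return NULL instead of loading. That is the intended hardening and matches the upstream commit, but it is a user-visible behaviour change, so a sentence in [Risks] or the changelog entry ("modules are now only loaded from the GTK module directories") would help the LTS team recognise the symptom if a report comes in.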
diff -Nru gtk+2.0-2.24.33/debian/patches/series gtk+2.0-2.24.33/debian/patches/series
--- gtk+2.0-2.24.33/debian/patches/series 2021-05-19 17:13:33.000000000 +0100
+++ gtk+2.0-2.24.33/debian/patches/series 2024-07-19 12:19:26.000000000 +0100
@@ -8,3 +8,4 @@
098_multiarch_module_path.patch
Reinstate-marshallers-that-accidentally-became-part-of-th.patch
d-i/textlayout-Clamp-width-to-the-value-we-asked-for-as-a-hac.patch
+CVE-2024-6655.patch
diff -Nru gtk+2.0-2.24.33/gtk/gtkmodules.c gtk+2.0-2.24.33/gtk/gtkmodules.c
--- gtk+2.0-2.24.33/gtk/gtkmodules.c 2024-07-19 12:51:26.000000000 +0100
+++ gtk+2.0-2.24.33/gtk/gtkmodules.c 2024-07-19 12:51:27.000000000 +0100
@@ -232,13 +232,8 @@
gchar *module_name;
module_name = _gtk_find_module (name, "modules");
- if (!module_name)
- {
- /* As last resort, try loading without an absolute path (using system
- * library path)
- */
- module_name = g_module_build_path (NULL, name);
- }
+ if (module_name == NULL)
+ return NULL;
module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
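Review bot: This gtk/gtkmodules.c hunk is the same change as debian/patches/CVE-2024-6655.patch line for line, i.e. the debdiff was taken from a tree with the quilt patch applied (the 2024-07-19 12:51 timestamps on both sides of the file header fit that), so it carries no independent change; it is fine to include, but regenerating the debdiff from an unpatched tree, or noting in [Changes] that the gtk/ hunk is the applied patch, keeps the review surface to debian/ only.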