--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libmate-desktop-2-17: Use-after-free condition in blow_expensive_caches() in mate-bg.c
- From: Aaron Rainbolt <arraybolt3@ubuntu.com>
- Date: Thu, 30 Mar 2023 17:32:44 -0500
- Message-id: <168021556443.177557.3379982168246476563.reportbug@kf-XE>
Package: libmate-desktop-2-17
Version: 1.26.0-1
Severity: important
Tags: upstream patch
X-Debbugs-Cc: arraybolt3@ubuntu.com
libmate-desktop has a use-after-free condition in which an item in a GList is
deleted and then dereferenced in a later loop iteration. This appears to have
been the result of a coding error upstream, and was later reverted. Debian
still has the buggy version of the code.
In Ubuntu, the buggy code caused the MATE application menu to vanish very soon
after clicking it. Desktop icons also vanished. I do not know if this is
happening to Debian or not, however since the buggy code is in Debian I
believe it's at least a risk even if it's not actively happening. This was
reported as https://launchpad.net/bugs/2013138
The following patch looks like it should be easily applicable to Debian, and
it solves the bug in Ubuntu:
diff --git a/libmate-desktop/mate-bg.c b/libmate-desktop/mate-bg.c
index 0f617fa..e535231 100644
--- a/libmate-desktop/mate-bg.c
+++ b/libmate-desktop/mate-bg.c
@@ -2002,19 +2002,18 @@ static gboolean
blow_expensive_caches (gpointer data)
{
MateBG *bg = data;
- GList *list;
+ GList *list, *next;
bg->blow_caches_id = 0;
- if (bg->file_cache) {
- for (list = bg->file_cache; list != NULL; list = list->next) {
- FileCacheEntry *ent = list->data;
+ for (list = bg->file_cache; list != NULL; list = next) {
+ FileCacheEntry *ent = list->data;
+ next = list->next;
- if (ent->type == PIXBUF) {
- file_cache_entry_delete (ent);
- bg->file_cache = g_list_delete_link (bg->file_cache,
- list);
- }
+ if (ent->type == PIXBUF) {
+ file_cache_entry_delete (ent);
+ bg->file_cache = g_list_delete_link (bg->file_cache,
+ list);
}
}
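Review bot: The `next = list->next;` line at the top of the new loop body carries the whole fix and should have a short comment saying so. `g_list_delete_link (bg->file_cache, list)` frees the node that `list` points to, so the old `list = list->next` step in the for header read freed memory whenever a PIXBUF entry had just been removed; without a comment, a later cleanup could fold the save back into the loop header. Dropping the outer `if (bg->file_cache)` guard is fine, since the `list != NULL` condition already covers an empty cache. As pasted, the hunk has lost its leading whitespace and shows fewer lines than the 19 and 18 its `@@` header declares, so take the change from the upstream commit rather than from this text.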
Patch source: https://git.mate-desktop.org/mate-desktop/commit/?id=7b379f54a5b09df007f7e84dabbbc5f8ce9381a9
(And yes, I do realize that is formatted horribly, but that's what upstream
MATE's website gave me. I think it trimmed off a bunch of preceding
whitespace for some reason.)
-- System Information:
Debian Release: bookworm/sid
APT prefers jammy-updates
APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.19.0-32-generic (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libmate-desktop-2-17 depends on:
ii iso-codes 4.9.0-1
ii libatk1.0-0 2.36.0-3build1
ii libc6 2.35-0ubuntu3.1
ii libcairo2 1.16.0-5ubuntu2
ii libdconf1 0.40.0-3
ii libgdk-pixbuf-2.0-0 2.42.8+dfsg-1ubuntu0.2
ii libglib2.0-0 2.72.4-0ubuntu1
ii libgtk-3-0 3.24.33-1ubuntu2
ii libpango-1.0-0 1.50.6+ds-2ubuntu1
ii libstartup-notification0 0.12-6build2
ii libx11-6 2:1.7.5-1
ii libxrandr2 2:1.5.2-1build1
libmate-desktop-2-17 recommends no packages.
libmate-desktop-2-17 suggests no packages.
--- End Message ---
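The failure described in the report above, next to the two loop shapes from its patch, as an added example that is not part of the report and is not MATE or GLib code. A small doubly linked list stands in for GList, and `delete_link` models `g_list_delete_link` by marking the node freed and clearing its pointers instead of calling `free()`, so the stale read is counted rather than being undefined behaviour; `Node`, `OTHER`, `node_next` and `run` are assumed names.

```c
#include <stdio.h>
/* Constructed stand-in for GList + FileCacheEntry; not GLib or MATE code. */
enum { PIXBUF = 1, OTHER = 2 };   /* OTHER: hypothetical non-pixbuf entry type */
typedef struct Node { struct Node *next, *prev; int type, freed; } Node;
static Node pool[5];
static int stale_reads;   /* counts reads of ->next from an already deleted node */
static Node *node_next(Node *n) { if (n->freed) stale_reads++; return n->next; }

/* Models g_list_delete_link(): unlink, mark freed instead of free(), return head. */
static Node *delete_link(Node *head, Node *link) {
    if (link->prev) link->prev->next = link->next; else head = link->next;
    if (link->next) link->next->prev = link->prev;
    link->next = link->prev = NULL; link->freed = 1;   /* poisoned, not free()d */
    return head;
}

/* Loop shape of the '-' lines: steps through the node after deleting it. */
static Node *purge_buggy(Node *head) {
    for (Node *list = head; list != NULL; list = node_next(list))
        if (list->type == PIXBUF) head = delete_link(head, list);
    return head;
}

/* Loop shape of the '+' lines: successor saved before the node can go away. */
static Node *purge_fixed(Node *head) {
    for (Node *list = head, *next; list != NULL; list = next) {
        next = node_next(list);
        if (list->type == PIXBUF) head = delete_link(head, list);
    }
    return head;
}

/* Runs one variant over a constructed cache; returns stale reads, sets *left. */
static int run(int fixed, int *left) {
    static const int types[5] = { OTHER, PIXBUF, PIXBUF, OTHER, PIXBUF };
    for (int i = 0; i < 5; i++)
        pool[i] = (Node){ i < 4 ? &pool[i + 1] : NULL, i ? &pool[i - 1] : NULL, types[i], 0 };
    stale_reads = 0;
    Node *head = fixed ? purge_fixed(pool) : purge_buggy(pool);
    for (*left = 0; head != NULL; head = head->next) *left += head->type == PIXBUF;
    return stale_reads;
}

int main(void) {
    for (int fixed = 0, left, stale; fixed < 2; fixed++) {
        stale = run(fixed, &left);
        printf("fixed=%d: stale reads=%d, PIXBUF left=%d\n", fixed, stale, left);
    }
    return 0;
}
```

In this model the old loop stops at the first deleted node and leaves the later PIXBUF entries in the cache; with a real allocator the same read returns whatever the freed node's memory holds at that moment.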
--- Begin Message ---
Source: mate-desktop
Source-Version: 1.26.0-2
Done: Mike Gabriel <sunweaver@debian.org>
We believe that the bug you reported is fixed in the latest version of
mate-desktop, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1033719@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated mate-desktop package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 25 Apr 2023 16:35:44 +0200
Source: mate-desktop
Architecture: source
Version: 1.26.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 1033719
Changes:
mate-desktop (1.26.0-2) unstable; urgency=medium
.
* debian/patches:
+ Trivial rebase of 001_prefer-x-terminal-emulator.patch.
+ Add patches 0001 and 0002. Fix two memory leaks.
+ Add patch 0003 fix use-after-free issue. (Closes: #1033719).
* debian/control:
+ In bin:pkg libmate-desktop-dev switch from libgdk-pixbuf2.0-dev
(deprecated) to libgdk-pixbuf-2.0-dev. Thanks, lintian.
* debian/copyright:
+ Update copyright attribution for debian/ folder.
--- End Message ---