
Bug#1033719: marked as done (libmate-desktop-2-17: Use-after-free condition in blow_expensive_caches() in mate-bg.c)



Your message dated Tue, 25 Apr 2023 15:19:04 +0000
with message-id <E1prKRc-00HWG0-BM@fasolo.debian.org>
and subject line Bug#1033719: fixed in mate-desktop 1.26.0-2
has caused the Debian Bug report #1033719,
regarding libmate-desktop-2-17: Use-after-free condition in blow_expensive_caches() in mate-bg.c
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1033719: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033719
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libmate-desktop-2-17
Version: 1.26.0-1
Severity: important
Tags: upstream patch
X-Debbugs-Cc: arraybolt3@ubuntu.com

libmate-desktop has a use-after-free condition in which an item in a GList is
deleted and then dereferenced in a later loop iteration. This appears to have
been the result of a coding error upstream, and was later reverted. Debian
still has the buggy version of the code.

In Ubuntu, the buggy code caused the MATE application menu to vanish very soon
after clicking it. Desktop icons also vanished. I do not know if this is
happening to Debian or not, however since the buggy code is in Debian I
believe it's at least a risk even if it's not actively happening. This was
reported as https://launchpad.net/bugs/2013138

The following patch looks like it should be easily applicable to Debian, and
it solves the bug in Ubuntu:

diff --git a/libmate-desktop/mate-bg.c b/libmate-desktop/mate-bg.c
index 0f617fa..e535231 100644
--- a/libmate-desktop/mate-bg.c
+++ b/libmate-desktop/mate-bg.c
@@ -2002,19 +2002,18 @@ static gboolean
 blow_expensive_caches (gpointer data)
 {
 MateBG *bg = data;
-	GList *list;
+	GList *list, *next;

 bg->blow_caches_id = 0;

-	if (bg->file_cache) {
- for (list = bg->file_cache; list != NULL; list = list->next) {
- FileCacheEntry *ent = list->data;
+	for (list = bg->file_cache; list != NULL; list = next) {
+ FileCacheEntry *ent = list->data;
+ next = list->next;

- if (ent->type == PIXBUF) {
- file_cache_entry_delete (ent);
- bg->file_cache = g_list_delete_link (bg->file_cache,
- list);
- }
+ if (ent->type == PIXBUF) {
+ file_cache_entry_delete (ent);
+ bg->file_cache = g_list_delete_link (bg->file_cache,
+ list);
 }
 }
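
Review bot: the new "next = list->next;" assignment at the top of the loop body should carry a one-line comment saying that g_list_delete_link() frees the node it is given, so "list" must not be read after that call. The removed loop header advanced with "list = list->next" after the node had been deleted, which is the use-after-free described in the report, and without a comment the cached pointer looks like something a later cleanup could fold back into the for header. Dropping the outer "if (bg->file_cache)" guard is fine, because the loop condition "list != NULL" already covers an empty cache.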



Patch source: https://git.mate-desktop.org/mate-desktop/commit/?id=7b379f54a5b09df007f7e84dabbbc5f8ce9381a9

(And yes, I do realize that is formatted horribly, but that's what upstream
MATE's website gave me. I think it trimmed off a bunch of preceding
whitespace for some reason.)

-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.19.0-32-generic (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libmate-desktop-2-17 depends on:
ii  iso-codes                 4.9.0-1
ii  libatk1.0-0               2.36.0-3build1
ii  libc6                     2.35-0ubuntu3.1
ii  libcairo2                 1.16.0-5ubuntu2
ii  libdconf1                 0.40.0-3
ii  libgdk-pixbuf-2.0-0       2.42.8+dfsg-1ubuntu0.2
ii  libglib2.0-0              2.72.4-0ubuntu1
ii  libgtk-3-0                3.24.33-1ubuntu2
ii  libpango-1.0-0            1.50.6+ds-2ubuntu1
ii  libstartup-notification0  0.12-6build2
ii  libx11-6                  2:1.7.5-1
ii  libxrandr2                2:1.5.2-1build1

libmate-desktop-2-17 recommends no packages.

libmate-desktop-2-17 suggests no packages.

--- End Message ---
--- Begin Message ---
Source: mate-desktop
Source-Version: 1.26.0-2
Done: Mike Gabriel <sunweaver@debian.org>

We believe that the bug you reported is fixed in the latest version of
mate-desktop, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033719@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated mate-desktop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 25 Apr 2023 16:35:44 +0200
Source: mate-desktop
Architecture: source
Version: 1.26.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 1033719
Changes:
 mate-desktop (1.26.0-2) unstable; urgency=medium
 .
   * debian/patches:
     + Trivial rebase of 001_prefer-x-terminal-emulator.patch.
     + Add patches 0001 and 0002. Fix two memory leaks.
     + Add patch 0003 fix use-after-free issue. (Closes: #1033719).
   * debian/control:
     + In bin:pkg libmate-desktop-dev switch from libgdk-pixbuf2.0-dev
       (deprecated) to libgdk-pixbuf-2.0-dev. Thanks, lintian.
   * debian/copyright:
     + Update copyright attribution for debian/ folder.


--- End Message ---
