Bug#731343: pu: package gtk+3.0/3.4.2-7
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I’d like to upload an update (prepared by Raphaël) for gtk+3.0, which is
necessary in order to fix librsvg’s CVE-2013-1881.
Thanks for considering.
--
Josselin Mouette
Index: debian/changelog
===================================================================
--- debian/changelog (révision 40301)
+++ debian/changelog (copie de travail)
@@ -1,3 +1,11 @@
+gtk+3.0 (3.4.2-7) stable; urgency=low
+
+ [ Raphaël Geissert ]
+ * Workaround new behaviour of librsvg (which implemented an origin
+ policy) by loading the file icon via a data: URI.
+
+ -- Josselin Mouette <joss@debian.org> Wed, 04 Dec 2013 14:06:28 +0100
+
gtk+3.0 (3.4.2-6) unstable; urgency=low
* Team upload.
Index: debian/patches/001_use_data_uris_for_symbolic_icons.patch
===================================================================
--- debian/patches/001_use_data_uris_for_symbolic_icons.patch (révision 0)
+++ debian/patches/001_use_data_uris_for_symbolic_icons.patch (copie de travail)
@@ -0,0 +1,37 @@
+Index: gtk+3.0-3.4.2/gtk/gtkicontheme.c
+===================================================================
+--- gtk+3.0-3.4.2.orig/gtk/gtkicontheme.c 2012-05-02 14:46:50.000000000 +0200
++++ gtk+3.0-3.4.2/gtk/gtkicontheme.c 2013-11-27 14:16:27.393901153 +0100
+@@ -3170,6 +3170,8 @@ _gtk_icon_info_load_symbolic_internal (G
+ GdkPixbuf *pixbuf;
+ gchar *data;
+ gchar *success, *warning, *err;
++ gchar *file_data, *escaped_file_data;
++ gsize file_len;
+
+ /* css_fg can't possibly have failed, otherwise
+ * that would mean we have a broken style */
+@@ -3193,6 +3195,11 @@ _gtk_icon_info_load_symbolic_internal (G
+ err = gdk_color_to_css (&error_default_color);
+ }
+
++ if (!g_file_get_contents (icon_info->filename, &file_data, &file_len, NULL))
++ return NULL;
++
++ escaped_file_data = g_markup_escape_text (file_data, file_len);
++ g_free (file_data);
+
+ data = g_strconcat ("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n"
+ "<svg version=\"1.1\"\n"
+@@ -3214,9 +3221,10 @@ _gtk_icon_info_load_symbolic_internal (G
+ " fill: ", css_success ? css_success : success," !important;\n"
+ " }\n"
+ " </style>\n"
+- " <xi:include href=\"", icon_info->filename, "\"/>\n"
++ " <xi:include href=\"data:text/xml,", escaped_file_data, "\"/>\n"
+ "</svg>",
+ NULL);
++ g_free (escaped_file_data);
+ g_free (warning);
+ g_free (err);
+ g_free (success);
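Review bot: The early `return NULL` after a failed `g_file_get_contents` leaks whichever of `success`, `warning` and `err` the preceding `gdk_color_to_css` calls allocated, because those strings are only released by the `g_free` calls after `g_strconcat` at the end of the hunk. Release them on that path as well, e.g. `g_free (success); g_free (warning); g_free (err);` immediately before `return NULL;`, or branch to the existing cleanup. Passing NULL as the GError also discards why the icon file could not be read; if `_gtk_icon_info_load_symbolic_internal` has an error out-parameter (its signature is outside the hunk), propagating it would keep the failure diagnosable. Separately, `g_markup_escape_text` only makes the contents safe as an XML attribute value, so a `#` inside the icon's SVG (common in colour values) may still be treated as a URI fragment delimiter in the `data:text/xml,` href — worth checking against the XInclude resolver in use, or base64-encoding the payload instead. The enclosing function starts and ends outside the hunk.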
Index: debian/patches/series
===================================================================
--- debian/patches/series (révision 40301)
+++ debian/patches/series (copie de travail)
@@ -1,3 +1,4 @@
+001_use_data_uris_for_symbolic_icons.patch
015_default-fallback-icon-theme.patch
016_no_offscreen_widgets_grabbing.patch
017_no_offscreen_device_grabbing.patch