
Bug#731343: pu: package gtk+3.0/3.4.2-7



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I’d like to upload an update (prepared by Raphaël) for gtk+3.0, which is 
necessary in order to fix librsvg’s CVE-2013-1881.

Thanks for considering.
-- 
Josselin Mouette
Index: debian/changelog
===================================================================
--- debian/changelog	(révision 40301)
+++ debian/changelog	(copie de travail)
@@ -1,3 +1,11 @@
+gtk+3.0 (3.4.2-7) stable; urgency=low
+
+  [ Raphaël Geissert ]
+  * Workaround new behaviour of librsvg (which implemented an origin
+    policy) by loading the file icon via a data: URI.
+
+ -- Josselin Mouette <joss@debian.org>  Wed, 04 Dec 2013 14:06:28 +0100
+
 gtk+3.0 (3.4.2-6) unstable; urgency=low
 
   * Team upload.
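Review bot: the changelog entry does not say why this stable update exists. It never mentions librsvg's CVE-2013-1881 or Bug#731343, so a reader of the stable changelog cannot tell what breaks without it (symbolic icons, which gtkicontheme.c loads through an xi:include of a plain file path that the new librsvg origin policy no longer accepts). Consider something like

  * Work around new behaviour of librsvg (which implemented an origin
    policy, see CVE-2013-1881) by embedding the symbolic icon file data
    in a data: URI instead of xi:including the file path.

"Work around" (verb) rather than "Workaround" (noun), and naming the CVE and bug number in the entry, makes the stable upload self-explanatory.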
Index: debian/patches/001_use_data_uris_for_symbolic_icons.patch
===================================================================
--- debian/patches/001_use_data_uris_for_symbolic_icons.patch	(révision 0)
+++ debian/patches/001_use_data_uris_for_symbolic_icons.patch	(copie de travail)
@@ -0,0 +1,37 @@
+Index: gtk+3.0-3.4.2/gtk/gtkicontheme.c
+===================================================================
+--- gtk+3.0-3.4.2.orig/gtk/gtkicontheme.c	2012-05-02 14:46:50.000000000 +0200
++++ gtk+3.0-3.4.2/gtk/gtkicontheme.c	2013-11-27 14:16:27.393901153 +0100
+@@ -3170,6 +3170,8 @@ _gtk_icon_info_load_symbolic_internal (G
+   GdkPixbuf *pixbuf;
+   gchar *data;
+   gchar *success, *warning, *err;
++  gchar *file_data, *escaped_file_data;
++  gsize file_len;
+ 
+   /* css_fg can't possibly have failed, otherwise
+    * that would mean we have a broken style */
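Review bot: the new patch file carries no DEP-3 header; it starts straight at the Index: line, so nothing in debian/patches records where the change came from, why it is needed, or whether it was sent upstream. A Description:, Author: (Raphaël Geissert), Bug-Debian: (this bug, 731343) and Forwarded: block above the first diff header should state that librsvg's origin policy (the CVE-2013-1881 change) now rejects the xi:include of a local file path, which is the only reason the icon is being embedded inline.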
+@@ -3193,6 +3195,11 @@ _gtk_icon_info_load_symbolic_internal (G
+       err = gdk_color_to_css (&error_default_color);
+     }
+ 
++  if (!g_file_get_contents (icon_info->filename, &file_data, &file_len, NULL))
++    return NULL;
++
++  escaped_file_data = g_markup_escape_text (file_data, file_len);
++  g_free (file_data);
+ 
+   data = g_strconcat ("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n"
+                       "<svg version=\"1.1\"\n"
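Review bot: the early `return NULL` when g_file_get_contents() fails leaks the CSS colour strings that the normal path frees. `err` is assigned from gdk_color_to_css() a few lines above this insertion (and the `success`/`warning`/`err` trio is g_free()d right after the g_strconcat() in the next hunk), so returning here skips those frees on whichever of them were allocated. Either move the g_file_get_contents() call up so it runs before the colour strings are computed, or free them before returning. Passing NULL for the GError also discards the reason the icon file could not be read; if the function has an error out-parameter, pass it through here so the caller can report why a symbolic icon silently came back as a NULL pixbuf.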
+@@ -3214,9 +3221,10 @@ _gtk_icon_info_load_symbolic_internal (G
+                       "      fill: ", css_success ? css_success : success," !important;\n"
+                       "    }\n"
+                       "  </style>\n"
+-                      "  <xi:include href=\"", icon_info->filename, "\"/>\n"
++                      "  <xi:include href=\"data:text/xml,", escaped_file_data, "\"/>\n"
+                       "</svg>",
+                       NULL);
++  g_free (escaped_file_data);
+   g_free (warning);
+   g_free (err);
+   g_free (success);
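Review bot: g_markup_escape_text() at the href= line is the right escaping for the XML attribute context (it turns `"`, `<`, `>` and `&` into entities, so the icon's own markup cannot break out of href="..."), but it does not yield a valid data: URI payload: the non-base64 form of a data: URI is percent-encoded, and SVG icons routinely contain `#` (fill="#000" colours, url(#id) references) and may contain `%`. Whether those characters survive depends on how librsvg decodes the non-base64 form; if it percent-decodes, a literal `%` corrupts the icon, and a `#` risks being taken as a fragment separator. The more robust form is the base64 variant, i.e. `"data:text/xml;base64,"` followed by the result of g_base64_encode (file_data, file_len), whose output needs neither XML nor URI escaping and does not depend on the loader's decoding rules.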
Index: debian/patches/series
===================================================================
--- debian/patches/series	(révision 40301)
+++ debian/patches/series	(copie de travail)
@@ -1,3 +1,4 @@
+001_use_data_uris_for_symbolic_icons.patch
 015_default-fallback-icon-theme.patch
 016_no_offscreen_widgets_grabbing.patch
 017_no_offscreen_device_grabbing.patch
