Bug#929705: marked as done (unblock: nautilus/3.30.5-2)



Your message dated Wed, 29 May 2019 17:13:00 +0000
with message-id <1b23756f-5ad5-4f5a-bb24-1bbff75f9ec3@thykier.net>
and subject line Re: Bug#929705: unblock: nautilus/3.30.5-2
has caused the Debian Bug report #929705,
regarding unblock: nautilus/3.30.5-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
929705: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929705
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package nautilus.

Nautilus contains an embedded copy of the thumbnailing code from
`gnome-desktop3'. This has received several updates upstream, which it'd
be great to get into buster. Here's my changelog entry, to avoid
repeating myself too much:

  * Update gnome-desktop code. Nautilus contains a copy of this code,
    which originated in gnome-desktop3.
      + Fixes a potential crash during thumbnailing
      + Fixes thumbnailer on 32-bit systems where /lib64 is not available.
      + Also improves handling of usrmerged and non-usrmerged systems.
      + Mounts the fontconfig cache dir, to improve performance if fontconfig
        is used
        - Add a corresponding BD on libfontconfig1-dev, to fetch the needed
          variable from its pcfile.
      + Fixes seccomp filter bypass. CVE-2019-11461
      + Closes: #928054

I don't actually know how the CVE could be triggered from Nautilus, but
it got 'medium' severity and a request from the security team to be
fixed. That's the main reason for this upload, but there are also other
important fixes in this code too. I'd be grateful if you could consider
it for buster.

unblock nautilus/3.30.5-2

Cheers,

-- 
Iain Lane                                  [ iain@orangesquash.org.uk ]
Debian Developer                                   [ laney@debian.org ]
Ubuntu Developer                                   [ laney@ubuntu.com ]
diff -Nru nautilus-3.30.5/debian/changelog nautilus-3.30.5/debian/changelog
--- nautilus-3.30.5/debian/changelog	2018-12-22 13:53:04.000000000 +0000
+++ nautilus-3.30.5/debian/changelog	2019-05-29 12:47:33.000000000 +0100
@@ -1,3 +1,20 @@
+nautilus (3.30.5-2) unstable; urgency=medium
+
+  * debian/control{,.in}, gbp.conf: Update debian branch to debian/buster
+  * Update gnome-desktop code. Nautilus contains a copy of this code,
+    which originated in gnome-desktop3.
+      + Fixes a potential crash during thumbnailing
+      + Fixes thumbnailer on 32-bit systems where /lib64 is not available.
+      + Also improves handling of usrmerged and non-usrmerged systems.
+      + Mounts the fontconfig cache dir, to improve performance if fontconfig
+        is used
+        - Add a corresponding BD on libfontconfig1-dev, to fetch the needed
+          variable from its pcfile.
+      + Fixes seccomp filter bypass. CVE-2019-11461
+      + Closes: #928054
+
+ -- Iain Lane <laney@debian.org>  Wed, 29 May 2019 12:47:33 +0100
+
 nautilus (3.30.5-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru nautilus-3.30.5/debian/control nautilus-3.30.5/debian/control
--- nautilus-3.30.5/debian/control	2018-12-22 13:53:04.000000000 +0000
+++ nautilus-3.30.5/debian/control	2019-05-29 12:47:33.000000000 +0100
@@ -15,6 +15,7 @@
                gobject-introspection (>= 0.9.12-4~),
                gtk-doc-tools (>= 1.10),
                libatk1.0-dev (>= 1.32.0),
+               libfontconfig1-dev,
                libgail-3-dev,
                libgexiv2-dev (>= 0.10.0),
                libgirepository1.0-dev (>= 0.10.7-1~),
@@ -41,7 +42,7 @@
 Rules-Requires-Root: no
 Homepage: https://wiki.gnome.org/action/show/Apps/Nautilus
 Vcs-Browser: https://salsa.debian.org/gnome-team/nautilus
-Vcs-Git: https://salsa.debian.org/gnome-team/nautilus.git
+Vcs-Git: https://salsa.debian.org/gnome-team/nautilus.git -b debian/buster
 Standards-Version: 4.2.1
 
 Package: nautilus
diff -Nru nautilus-3.30.5/debian/control.in nautilus-3.30.5/debian/control.in
--- nautilus-3.30.5/debian/control.in	2018-12-22 13:53:04.000000000 +0000
+++ nautilus-3.30.5/debian/control.in	2019-05-29 12:47:33.000000000 +0100
@@ -11,6 +11,7 @@
                gobject-introspection (>= 0.9.12-4~),
                gtk-doc-tools (>= 1.10),
                libatk1.0-dev (>= 1.32.0),
+               libfontconfig1-dev,
                libgail-3-dev,
                libgexiv2-dev (>= 0.10.0),
                libgirepository1.0-dev (>= 0.10.7-1~),
@@ -37,7 +38,7 @@
 Rules-Requires-Root: no
 Homepage: https://wiki.gnome.org/action/show/Apps/Nautilus
 Vcs-Browser: https://salsa.debian.org/gnome-team/nautilus
-Vcs-Git: https://salsa.debian.org/gnome-team/nautilus.git
+Vcs-Git: https://salsa.debian.org/gnome-team/nautilus.git -b debian/buster
 Standards-Version: 4.2.1
 
 Package: nautilus
diff -Nru nautilus-3.30.5/debian/gbp.conf nautilus-3.30.5/debian/gbp.conf
--- nautilus-3.30.5/debian/gbp.conf	2018-12-22 13:53:04.000000000 +0000
+++ nautilus-3.30.5/debian/gbp.conf	2019-05-29 12:47:33.000000000 +0100
@@ -1,6 +1,6 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/buster
 upstream-branch = upstream/latest
 upstream-vcs-tag = %(version)s
 
diff -Nru nautilus-3.30.5/debian/patches/Define-symbol-needed-for-gnome-desktop.patch nautilus-3.30.5/debian/patches/Define-symbol-needed-for-gnome-desktop.patch
--- nautilus-3.30.5/debian/patches/Define-symbol-needed-for-gnome-desktop.patch	1970-01-01 01:00:00.000000000 +0100
+++ nautilus-3.30.5/debian/patches/Define-symbol-needed-for-gnome-desktop.patch	2019-05-29 12:47:33.000000000 +0100
@@ -0,0 +1,47 @@
+From: Emmanuele Bassi <ebassi@gnome.org>
+Date: Sun, 14 Apr 2019 13:28:06 +0100
+Subject: Define symbol needed for gnome-desktop
+
+The copy-paste of libgnome-desktop's thumbnailing code is missing a
+symbol that is defined by the libgnome-desktop build, which breaks
+Nautilus's own build.
+
+Origin: upstream, commit:08c6d9e6cdd903ae67c496ffd7ae3de4619c6f40
+---
+ meson.build | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/meson.build b/meson.build
+index 996360a..3db1dca 100644
+--- a/meson.build
++++ b/meson.build
+@@ -137,6 +137,8 @@ tracker_sparql = dependency('tracker-sparql-2.0')
+ x11 = dependency('x11')
+ xml = dependency('libxml-2.0', version: '>= 2.7.8')
+ 
++fontconfig = dependency('fontconfig', required: false)
++
+ ####################
+ # End dependencies #
+ ####################
+@@ -159,6 +161,12 @@ endif
+ 
+ application_id = 'org.gnome.Nautilus' + profile
+ 
++if fontconfig.found()
++  fontconfig_cache_path = fontconfig.get_pkgconfig_variable('cachedir')
++else
++  fontconfig_cache_path = join_paths(libdir, 'fontconfig/cache')
++endif
++
+ conf.set_quoted('APPLICATION_ID', application_id)
+ conf.set_quoted('GETTEXT_PACKAGE', 'nautilus')
+ conf.set_quoted('INSTALL_PREFIX', prefix)
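Review bot: The `else` branch sets `fontconfig_cache_path = join_paths(libdir, 'fontconfig/cache')`, and nothing in this hunk shows `libdir` being an absolute path; the `NAUTILUS_EXTENSIONDIR` line quoted in the next hunk header has to prepend `prefix` to its directory, which suggests these directory variables are prefix-relative. The value becomes `FONTCONFIG_CACHE_PATH`, which the thumbnailer code in the other patch compares against `/usr/` and passes to bwrap as both bind source and destination, so it needs to be absolute. Consider `join_paths(prefix, libdir, 'fontconfig/cache')` for the fallback, or make the fontconfig dependency required now that the Debian build pulls in `libfontconfig1-dev`.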
+@@ -169,6 +177,7 @@ conf.set_quoted('NAUTILUS_EXTENSIONDIR', join_paths(prefix, extensiondir))
+ conf.set_quoted('PACKAGE_VERSION', meson.project_version())
+ conf.set_quoted('PROFILE', profile)
+ conf.set_quoted('VERSION', '@0@-@VCS_TAG@'.format(meson.project_version()))
++conf.set_quoted('FONTCONFIG_CACHE_PATH', fontconfig_cache_path)
+ 
+ ###################################################
+ # gnome-desktop macros for thumbnailer sandboxing #
diff -Nru nautilus-3.30.5/debian/patches/series nautilus-3.30.5/debian/patches/series
--- nautilus-3.30.5/debian/patches/series	2018-12-22 13:53:04.000000000 +0000
+++ nautilus-3.30.5/debian/patches/series	2019-05-29 12:47:33.000000000 +0100
@@ -1 +1,3 @@
 multiarch_fallback.patch
+Update-gnome-desktop-code.patch
+Define-symbol-needed-for-gnome-desktop.patch
diff -Nru nautilus-3.30.5/debian/patches/Update-gnome-desktop-code.patch nautilus-3.30.5/debian/patches/Update-gnome-desktop-code.patch
--- nautilus-3.30.5/debian/patches/Update-gnome-desktop-code.patch	1970-01-01 01:00:00.000000000 +0100
+++ nautilus-3.30.5/debian/patches/Update-gnome-desktop-code.patch	2019-05-29 12:47:33.000000000 +0100
@@ -0,0 +1,124 @@
+From: Ernestas Kulik <ekulik@redhat.com>
+Date: Sun, 14 Apr 2019 10:44:32 +0200
+Subject: Update gnome-desktop code
+
+Nautilus contains a copy of this code, originating in gnome-desktop3.
+
+Fixes a potential crash during thumbnailing
+
+Fixes thumbnailer on 32-bit systems where /lib64 is not available.  Also
+improve handling of usrmerged and non-usrmerged systems. (Related to LP:
+
+Fixes CVE-2019-11461
+
+Origin: upstream,commit:031b814d526895c612fae98ac75379e60469161b
+Applied-Upstream: 3.30.6
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928054
+---
+ src/gnome-desktop/gnome-desktop-thumbnail-script.c | 60 ++++++++++++++++++++--
+ src/gnome-desktop/gnome-desktop-thumbnail.c        |  2 +
+ 2 files changed, 57 insertions(+), 5 deletions(-)
+
+diff --git a/src/gnome-desktop/gnome-desktop-thumbnail-script.c b/src/gnome-desktop/gnome-desktop-thumbnail-script.c
+index 14e2fed..8e8b876 100644
+--- a/src/gnome-desktop/gnome-desktop-thumbnail-script.c
++++ b/src/gnome-desktop/gnome-desktop-thumbnail-script.c
+@@ -343,7 +343,7 @@ setup_seccomp (GPtrArray  *argv_array,
+     {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+ 
+     /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
+-    {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_EQ, (int)TIOCSTI)},
++    {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)},
+   };
+ 
+   struct
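Review bot: The comment above the `ioctl` rule still cites only CVE-2017-5226, so nothing at the changed line explains why the comparison became `SCMP_CMP_MASKED_EQ` with a `0xFFFFFFFFu` mask. The mask limits the match to the low 32 bits of the request argument, so a value with extra high bits set still hits the rule, which is the filter bypass the changelog lists as CVE-2019-11461; please extend the comment to say so, otherwise a later cleanup could turn this back into a plain `SCMP_CMP_EQ`. The `(int)` cast on `TIOCSTI` also looks unnecessary next to an unsigned mask and could be dropped.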
+@@ -506,22 +506,72 @@ setup_seccomp (GPtrArray  *argv_array,
+ #endif
+ 
+ #ifdef HAVE_BWRAP
++static gboolean
++path_is_usrmerged (const char *dir)
++{
++  /* does /dir point to /usr/dir? */
++  g_autofree char *target = NULL;
++  GStatBuf stat_buf_src, stat_buf_target;
++
++  if (g_stat (dir, &stat_buf_src) < 0)
++    return FALSE;
++
++  target = g_strdup_printf ("/usr/%s", dir);
++
++  if (g_stat (target, &stat_buf_target) < 0)
++    return FALSE;
++
++  return (stat_buf_src.st_dev == stat_buf_target.st_dev) &&
++         (stat_buf_src.st_ino == stat_buf_target.st_ino);
++}
++
+ static gboolean
+ add_bwrap (GPtrArray   *array,
+ 	   ScriptExec  *script)
+ {
++  const char * const usrmerged_dirs[] = { "bin", "lib64", "lib", "sbin" };
++  int i;
++
+   g_return_val_if_fail (script->outdir != NULL, FALSE);
+   g_return_val_if_fail (script->s_infile != NULL, FALSE);
+ 
+   add_args (array,
+ 	    "bwrap",
+ 	    "--ro-bind", "/usr", "/usr",
+-	    "--ro-bind", "/lib", "/lib",
+-	    "--ro-bind", "/lib64", "/lib64",
++	    "--ro-bind", "/etc/ld.so.cache", "/etc/ld.so.cache",
++	    NULL);
++
++  /* These directories might be symlinks into /usr/... */
++  for (i = 0; i < G_N_ELEMENTS (usrmerged_dirs); i++)
++    {
++      g_autofree char *absolute_dir = g_strdup_printf ("/%s", usrmerged_dirs[i]);
++
++      if (!g_file_test (absolute_dir, G_FILE_TEST_EXISTS))
++        continue;
++
++      if (path_is_usrmerged (absolute_dir))
++        {
++          g_autofree char *symlink_target = g_strdup_printf ("/usr/%s", absolute_dir);
++
++          add_args (array,
++                    "--symlink", symlink_target, absolute_dir,
++                    NULL);
++        }
++      else
++        {
++          add_args (array,
++                    "--ro-bind", absolute_dir, absolute_dir,
++                    NULL);
++        }
++    }
++
++  /* fontconfig cache if necessary */
++  if (!g_str_has_prefix (FONTCONFIG_CACHE_PATH, "/usr/"))
++    add_args (array, "--ro-bind-try", FONTCONFIG_CACHE_PATH, FONTCONFIG_CACHE_PATH, NULL);
++
++  add_args (array,
+ 	    "--proc", "/proc",
+ 	    "--dev", "/dev",
+-	    "--symlink", "usr/bin", "/bin",
+-	    "--symlink", "usr/sbin", "/sbin",
+ 	    "--chdir", "/",
+ 	    "--setenv", "GIO_USE_VFS", "local",
+ 	    "--unshare-all",
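Review bot: `path_is_usrmerged()` is commented as taking a bare directory name ("does /dir point to /usr/dir?") but `add_bwrap()` passes `absolute_dir`, which already starts with `/`, so both `g_strdup_printf ("/usr/%s", dir)` and the `symlink_target` built in the loop produce paths of the form `/usr//bin`. The doubled slash is resolved normally, so the stat comparison and the symlink still work, but the mismatch is easy to trip over; pass the bare name from `usrmerged_dirs[]` or build the path with `g_build_filename ("/usr", usrmerged_dirs[i], NULL)`. The removed `--symlink` targets were relative (`usr/bin`) while the new ones are absolute, which deserves a mention in the commit message.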
+diff --git a/src/gnome-desktop/gnome-desktop-thumbnail.c b/src/gnome-desktop/gnome-desktop-thumbnail.c
+index b31bad5..566fbeb 100644
+--- a/src/gnome-desktop/gnome-desktop-thumbnail.c
++++ b/src/gnome-desktop/gnome-desktop-thumbnail.c
+@@ -969,6 +969,8 @@ get_preview_thumbnail (const char *uri,
+ 
+     object = g_file_info_get_attribute_object (file_info,
+                                                G_FILE_ATTRIBUTE_PREVIEW_ICON);
++    if (object)
++        g_object_ref (object);
+     g_object_unref (file_info);
+ 
+     if (!object)
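Review bot: The new `g_object_ref (object)` just before `g_object_unref (file_info)` keeps the preview icon alive once `file_info` is released, but the hunk shows no matching release, so every return path after `if (!object)` now has to drop that reference or the icon leaks. Please confirm that against the rest of `get_preview_thumbnail()`, and consider a short comment saying that `g_file_info_get_attribute_object()` returns a pointer owned by `file_info`, since that is the reason for taking the ref.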

--- End Message ---
--- Begin Message ---
Iain Lane:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package nautilus.
> 
> Nautilus contains an embedded copy of the thumbnailing code from
> `gnome-desktop3'. This has received several updates upstream, which it'd
> be great to get into buster. Here's my changelog entry, to avoid
> repeating myself too much:
> 
>   * Update gnome-desktop code. Nautilus contains a copy of this code,
>     which originated in gnome-desktop3.
>       + Fixes a potential crash during thumbnailing
>       + Fixes thumbnailer on 32-bit systems where /lib64 is not available.
>       + Also improves handling of usrmerged and non-usrmerged systems.
>       + Mounts the fontconfig cache dir, to improve performance if fontconfig
>         is used
>         - Add a corresponding BD on libfontconfig1-dev, to fetch the needed
>           variable from its pcfile.
>       + Fixes seccomp filter bypass. CVE-2019-11461
>       + Closes: #928054
> 
> I don't actually know how the CVE could be triggered from Nautilus, but
> it got 'medium' severity and a request from the security team to be
> fixed. That's the main reason for this upload, but there are also other
> important fixes in this code too. I'd be grateful if you could consider
> it for buster.
> 
> unblock nautilus/3.30.5-2
> 
> Cheers,
> 

Unblocked, thanks.
~Niels

--- End Message ---
