Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package gnome-desktop3. This fixes #928732 (CVE-2019-11460),
which is a flaw in some intended security hardening: essentially the same
bug as #925541 in flatpak and #928054 in nautilus.
unblock gnome-desktop3/3.30.2.1-2
Thanks,
smcv
diffstat for gnome-desktop3-3.30.2.1 gnome-desktop3-3.30.2.1
changelog | 15 ++++++
gbp.conf | 4 -
patches/series | 1
patches/thumbnailer-fix-incomplete-TIOCSTI-filtering.patch | 29 +++++++++++++
watch | 2
5 files changed, 48 insertions(+), 3 deletions(-)
diff -Nru gnome-desktop3-3.30.2.1/debian/changelog gnome-desktop3-3.30.2.1/debian/changelog
--- gnome-desktop3-3.30.2.1/debian/changelog 2019-02-05 23:03:26.000000000 +0000
+++ gnome-desktop3-3.30.2.1/debian/changelog 2019-06-03 23:16:42.000000000 +0100
@@ -1,3 +1,18 @@
+gnome-desktop3 (3.30.2.1-2) unstable; urgency=medium
+
+ * Team upload
+ * d/gbp.conf: Configure branches for Debian buster and GNOME 3.30.x
+ * d/watch: Only watch for 3.30.x versions
+ * d/p/thumbnailer-fix-incomplete-TIOCSTI-filtering.patch:
+ Import the only non-build-system change from upstream release 3.30.2.3
+ to fix incomplete TIOCSTI ioctl filtering, which could be a vector for
+ privilege escalation if a thumbnailer with a security vulnerability is
+ run on a crafted malicious image by a program that uses libgnome-desktop
+ and was run from an interactive terminal.
+ (Closes: #928732, CVE-2019-11460)
+
+ -- Simon McVittie <smcv@debian.org> Mon, 03 Jun 2019 23:16:42 +0100
+
gnome-desktop3 (3.30.2.1-1) unstable; urgency=medium
* New upstream release
diff -Nru gnome-desktop3-3.30.2.1/debian/gbp.conf gnome-desktop3-3.30.2.1/debian/gbp.conf
--- gnome-desktop3-3.30.2.1/debian/gbp.conf 2019-02-05 23:03:26.000000000 +0000
+++ gnome-desktop3-3.30.2.1/debian/gbp.conf 2019-06-03 23:16:42.000000000 +0100
@@ -1,7 +1,7 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/master
-upstream-branch = upstream/latest
+debian-branch = debian/buster
+upstream-branch = upstream/3.30.x
upstream-vcs-tag = %(version)s
[buildpackage]
diff -Nru gnome-desktop3-3.30.2.1/debian/patches/series gnome-desktop3-3.30.2.1/debian/patches/series
--- gnome-desktop3-3.30.2.1/debian/patches/series 2019-02-05 23:03:26.000000000 +0000
+++ gnome-desktop3-3.30.2.1/debian/patches/series 2019-06-03 23:16:42.000000000 +0100
@@ -0,0 +1 @@
+thumbnailer-fix-incomplete-TIOCSTI-filtering.patch
diff -Nru gnome-desktop3-3.30.2.1/debian/patches/thumbnailer-fix-incomplete-TIOCSTI-filtering.patch gnome-desktop3-3.30.2.1/debian/patches/thumbnailer-fix-incomplete-TIOCSTI-filtering.patch
--- gnome-desktop3-3.30.2.1/debian/patches/thumbnailer-fix-incomplete-TIOCSTI-filtering.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnome-desktop3-3.30.2.1/debian/patches/thumbnailer-fix-incomplete-TIOCSTI-filtering.patch 2019-06-03 23:16:42.000000000 +0100
@@ -0,0 +1,29 @@
+From: Michael Catanzaro <mcatanzaro@igalia.com>
+Date: Sat, 13 Apr 2019 13:57:36 -0500
+Subject: thumbnailer: fix incomplete TIOCSTI filtering
+
+Fixes #112
+
+See also: https://github.com/flatpak/flatpak/issues/2782
+
+Origin: upstream, 3.30.2.2, commit:83949ed5800ec99953f5ee8d2bf8b90a69daa850
+Bug: https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928732
+Bug-CVE: CVE-2019-11460
+---
+ libgnome-desktop/gnome-desktop-thumbnail-script.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libgnome-desktop/gnome-desktop-thumbnail-script.c b/libgnome-desktop/gnome-desktop-thumbnail-script.c
+index 9468b51..3b3d1ea 100644
+--- a/libgnome-desktop/gnome-desktop-thumbnail-script.c
++++ b/libgnome-desktop/gnome-desktop-thumbnail-script.c
+@@ -343,7 +343,7 @@ setup_seccomp (GPtrArray *argv_array,
+ {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+
+ /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
+- {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_EQ, (int)TIOCSTI)},
++ {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)},
+ };
+
+ struct
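Review bot: The only comment next to the changed seccomp rule still reads `/* Don't allow faking input to the controlling tty (CVE-2017-5226) */` and gives no reason for the switch from SCMP_CMP_EQ to a masked comparison, so a later cleanup could plausibly revert it to an exact match and reintroduce the flaw this patch fixes. I would extend that comment to state why the mask exists, e.g. `/* Don't allow faking input to the controlling tty (CVE-2017-5226). Compare only the low 32 bits of the request: the kernel ignores the high bits of the ioctl request, so an exact 64-bit match is an incomplete filter (CVE-2019-11460). */`. The enclosing setup_seccomp() and the rule table it populates begin before this hunk and continue after it, so whether any other ioctl rules in the same table need the same treatment cannot be judged from here. Separately, the DEP-3 header says `Origin: upstream, 3.30.2.2` while the changelog entry attributes the change to upstream release 3.30.2.3; one of the two should be corrected so the provenance is unambiguous.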
diff -Nru gnome-desktop3-3.30.2.1/debian/watch gnome-desktop3-3.30.2.1/debian/watch
--- gnome-desktop3-3.30.2.1/debian/watch 2019-02-05 23:03:26.000000000 +0000
+++ gnome-desktop3-3.30.2.1/debian/watch 2019-06-03 23:16:42.000000000 +0100
@@ -1,3 +1,3 @@
version=4
-https://download.gnome.org/sources/gnome-desktop/([\d\.]+[02468])/ \
+https://download.gnome.org/sources/gnome-desktop/(3\.30)/ \
gnome-desktop@ANY_VERSION@\.tar\.xz