
Bug#986114: marked as done (unblock: gnome-session/3.38.0-4)



Your message dated Sat, 3 Apr 2021 07:04:02 +0200
with message-id <527389e8-96e4-a4dc-c5f7-90b55c47bd90@debian.org>
and subject line Re: Bug#986114: unblock: gnome-session/3.38.0-4
has caused the Debian Bug report #986114,
regarding unblock: gnome-session/3.38.0-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
986114: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986114
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-gtk-gnome@lists.debian.org

Please unblock package gnome-session.

[ Reason ]
* Remove NOTIFY_SOCKET, XDG_SEAT, XDG_SESSION_ID, XDG_VTNR from
  systemd activation environment on startup (#973474, RC)
* Don't prepend /usr/share/gnome to XDG_DATA_DIRS if already present
  (LP: #1764355, no Debian bug)
* Avoid a stack overflow if environment variables are very long
  (from upstream, no Debian bug)
* Bump meson build-dependency to the version required by upstream
  (not really relevant for bullseye since we already have that version,
  but might be useful if people backport this package or use it in
  other distros)

[ Impact ]
* If we do not remove XDG_SESSION_ID from the systemd activation
  environment, it can be "leaked" into our environment from a previous
  Cinnamon or MATE login, causing GNOME Shell's lock screen to be
  impossible to unlock (#973474). I think this is really a Cinnamon
  and MATE bug (cloned as #986099, #986100) but working around it here
  will make the overall system more robust.
* If we prepend /usr/share/gnome to XDG_DATA_DIRS redundantly, it
  can apparently cause Electron apps to crash
* Capturing groups in the regular expression match can cause gnome-session
  to crash, in particular for fish(1) users who set LS_COLORS

[ Tests ]
Manual testing: I use GNOME daily.

I reproduced RC bug #973474 in a test VM and confirmed that this change
avoids it.

[ Risks ]
This is a high-visibility package, but the changes are narrowly-targeted.
We can revert them if we need to.

#973474 is RC, so we need to deal with it one way or another, and the
other changes were already tested in Ubuntu.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock gnome-session/3.38.0-4
diffstat for gnome-session-3.38.0 gnome-session-3.38.0

 55gnome-session_gnomerc                                                 |    2 
 changelog                                                               |   31 +++++++
 control                                                                 |    2 
 control.in                                                              |    2 
 patches/series                                                          |    2 
 patches/util-Disable-capturing-of-subpatterns.patch                     |   40 ++++++++++
 patches/util-Remove-undesired-variables-from-activation-environme.patch |   35 ++++++++
 7 files changed, 111 insertions(+), 3 deletions(-)

diff -Nru gnome-session-3.38.0/debian/55gnome-session_gnomerc gnome-session-3.38.0/debian/55gnome-session_gnomerc
--- gnome-session-3.38.0/debian/55gnome-session_gnomerc	2020-12-04 11:24:31.000000000 +0000
+++ gnome-session-3.38.0/debian/55gnome-session_gnomerc	2021-03-29 14:21:00.000000000 +0100
@@ -15,7 +15,7 @@
     # to /etc so it is configurable.
     if [ -z "$XDG_DATA_DIRS" ]; then
       XDG_DATA_DIRS=/usr/share/gnome:/usr/local/share/:/usr/share/
-    else
+    elif [ -n "${XDG_DATA_DIRS##*/usr/share/gnome*}" ]; then
       XDG_DATA_DIRS=/usr/share/gnome:"$XDG_DATA_DIRS"
     fi
     export XDG_DATA_DIRS
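
Review bot: The new `elif` test is a substring match, not a path-element match. `${XDG_DATA_DIRS##*/usr/share/gnome*}` expands to empty whenever the text /usr/share/gnome appears anywhere in the value, so an existing entry such as /usr/share/gnome-shell or /opt/usr/share/gnome is treated as "already present" and /usr/share/gnome is never prepended. Comparing against colon-delimited elements avoids that, for example `case ":$XDG_DATA_DIRS:" in *:/usr/share/gnome:*) ;; *) XDG_DATA_DIRS=/usr/share/gnome:"$XDG_DATA_DIRS" ;; esac`, with a second pattern if the trailing-slash spelling /usr/share/gnome/ should also count.
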
diff -Nru gnome-session-3.38.0/debian/changelog gnome-session-3.38.0/debian/changelog
--- gnome-session-3.38.0/debian/changelog	2020-12-04 11:24:31.000000000 +0000
+++ gnome-session-3.38.0/debian/changelog	2021-03-29 14:21:00.000000000 +0100
@@ -1,3 +1,34 @@
+gnome-session (3.38.0-4) unstable; urgency=medium
+
+  * Team upload
+
+  [ Marco Trevisan (Treviño) ]
+  * debian/control: Bump dependency on meson 0.53 as per upstream
+  * d/p/util-Disable-capturing-of-subpatterns.patch:
+    Cherry-pick upstream patch fixing a stack overflow when environment
+    variables have very long values, in particular when using fish and
+    LS_COLORS
+
+  [ Didier Roche ]
+  * debian/55gnome-session_gnomerc:
+    Protect against multiple additions of the same path.
+    Do not append the same path to XDG_DATA_DIRS, resulting to duplication
+    on consecutive logout/logins due to an older session lingering and the
+    environment being reused. One consequence is that Electron applications
+    crash (LP: #1764355)
+
+  [ Simon McVittie ]
+  * d/patches: Turn upstream bug reference into a URL
+  * d/patches: Actively remove undesired variables from activation
+    environment.
+    This works around bugs in cinnamon-session and mate-session-manager,
+    which do not yet have an equivalent of gnome-session's variable_blacklist
+    and so will upload login-session-specific variables like XDG_SESSION_ID
+    into `dbus-daemon --session` and, indirectly, `systemd --user`.
+    (Closes: #973474)
+
+ -- Simon McVittie <smcv@debian.org>  Mon, 29 Mar 2021 14:21:00 +0100
+
 gnome-session (3.38.0-3) unstable; urgency=medium
 
   * Team upload
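
Review bot: The Didier Roche entry says "Do not append the same path to XDG_DATA_DIRS", but the 55gnome-session_gnomerc change guards a prepend (`XDG_DATA_DIRS=/usr/share/gnome:"$XDG_DATA_DIRS"`). Since search order in XDG_DATA_DIRS matters, the entry would be more accurate as "Do not prepend"; "resulting to duplication" should also read "resulting in duplication".
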
diff -Nru gnome-session-3.38.0/debian/control gnome-session-3.38.0/debian/control
--- gnome-session-3.38.0/debian/control	2020-12-04 11:24:31.000000000 +0000
+++ gnome-session-3.38.0/debian/control	2021-03-29 14:21:00.000000000 +0100
@@ -27,7 +27,7 @@
                libxrender-dev,
                libxt-dev,
                libxtst-dev,
-               meson (>= 0.43.0),
+               meson (>= 0.53.0),
                systemd [linux-any],
                xmlto,
                xsltproc,
diff -Nru gnome-session-3.38.0/debian/control.in gnome-session-3.38.0/debian/control.in
--- gnome-session-3.38.0/debian/control.in	2020-12-04 11:24:31.000000000 +0000
+++ gnome-session-3.38.0/debian/control.in	2021-03-29 14:21:00.000000000 +0100
@@ -23,7 +23,7 @@
                libxrender-dev,
                libxt-dev,
                libxtst-dev,
-               meson (>= 0.43.0),
+               meson (>= 0.53.0),
                systemd [linux-any],
                xmlto,
                xsltproc,
diff -Nru gnome-session-3.38.0/debian/patches/series gnome-session-3.38.0/debian/patches/series
--- gnome-session-3.38.0/debian/patches/series	2020-12-04 11:24:31.000000000 +0000
+++ gnome-session-3.38.0/debian/patches/series	2021-03-29 14:21:00.000000000 +0100
@@ -12,5 +12,7 @@
 main-Use-already-defined-error-from-main-function.patch
 main-Warn-about-failures-to-update-the-environment.patch
 util-Never-try-to-autostart-systemd.patch
+util-Disable-capturing-of-subpatterns.patch
+util-Remove-undesired-variables-from-activation-environme.patch
 debian/Revert-main-Remove-GNOME_DESKTOP_SESSION_ID-envvar.patch
 debian/Make-sure-to-pass-systemd-when-we-re-managing-the-user-se.patch
diff -Nru gnome-session-3.38.0/debian/patches/util-Disable-capturing-of-subpatterns.patch gnome-session-3.38.0/debian/patches/util-Disable-capturing-of-subpatterns.patch
--- gnome-session-3.38.0/debian/patches/util-Disable-capturing-of-subpatterns.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnome-session-3.38.0/debian/patches/util-Disable-capturing-of-subpatterns.patch	2021-03-29 14:21:00.000000000 +0100
@@ -0,0 +1,40 @@
+From: Benjamin Berg <bberg@redhat.com>
+Date: Sun, 10 Jan 2021 19:26:07 +0100
+Subject: util: Disable capturing of subpatterns
+
+It seems that the pattern we use will create a subpattern match for
+every character of the value. This appears to then result in a stack
+overflow when matching very long values.
+
+It might be an idea to limit the overall length of an environment
+variable that is uploaded. But, this should fix the issue of crashes.
+
+Bug: https://gitlab.gnome.org/GNOME/gnome-session/-/issues/42
+Origin: https://gitlab.gnome.org/GNOME/gnome-session/-/commit/3b57d117f78
+Applied-Upstream: 40
+---
+ gnome-session/gsm-util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gnome-session/gsm-util.c b/gnome-session/gsm-util.c
+index 070fa75..cdf6761 100644
+--- a/gnome-session/gsm-util.c
++++ b/gnome-session/gsm-util.c
+@@ -550,7 +550,7 @@ gsm_util_export_activation_environment (GError     **error)
+                 return FALSE;
+         }
+ 
+-        value_regex = g_regex_new ("^([ \t\n]|[^[:cntrl:]])*$", G_REGEX_OPTIMIZE, 0, error);
++        value_regex = g_regex_new ("^(?:[ \t\n]|[^[:cntrl:]])*$", G_REGEX_OPTIMIZE, 0, error);
+ 
+         if (value_regex == NULL) {
+                 return FALSE;
+@@ -630,7 +630,7 @@ gsm_util_export_user_environment (GError     **error)
+                 return FALSE;
+         }
+ 
+-        regex = g_regex_new ("^[a-zA-Z_][a-zA-Z0-9_]*=([ \t\n]|[^[:cntrl:]])*$", G_REGEX_OPTIMIZE, 0, error);
++        regex = g_regex_new ("^[a-zA-Z_][a-zA-Z0-9_]*=(?:[ \t\n]|[^[:cntrl:]])*$", G_REGEX_OPTIMIZE, 0, error);
+ 
+         if (regex == NULL) {
+                 return FALSE;
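
Review bot: Neither changed `g_regex_new` call adds the length bound that the commit message itself raises ("It might be an idea to limit the overall length of an environment variable that is uploaded"). Both patterns still apply `(?:[ \t\n]|[^[:cntrl:]])*` to a value of unbounded size, so the fix relies entirely on the non-capturing group behaving well in the regex engine. A length check before the match in gsm_util_export_activation_environment and gsm_util_export_user_environment would bound the work independently of that. The value sub-pattern is also duplicated verbatim in the two calls; a shared constant would keep the two from drifting apart on the next change.
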
diff -Nru gnome-session-3.38.0/debian/patches/util-Remove-undesired-variables-from-activation-environme.patch gnome-session-3.38.0/debian/patches/util-Remove-undesired-variables-from-activation-environme.patch
--- gnome-session-3.38.0/debian/patches/util-Remove-undesired-variables-from-activation-environme.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnome-session-3.38.0/debian/patches/util-Remove-undesired-variables-from-activation-environme.patch	2021-03-29 14:21:00.000000000 +0100
@@ -0,0 +1,35 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Mon, 29 Mar 2021 12:49:35 +0100
+Subject: util: Remove undesired variables from activation environment
+
+Commit 646b9bc0 (included in 3.33.92) prevented one run of gnome-session
+from uploading environment variables into `systemd --user` that should not
+leak into a different login session, such as XDG_SESSION_ID. However,
+non-GNOME session managers (and in particular the forks of gnome-session
+found in Cinnamon and MATE) might still upload those environment variables.
+
+The other session managers should be fixed, similar to 646b9bc0, but we
+can mitigate this for GNOME sessions by actively unsetting the undesired
+variables, instead of just not setting them.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+Bug: https://gitlab.gnome.org/GNOME/gnome-session/-/issues/86
+Bug-Debian: https://bugs.debian.org/973474
+Forwarded: https://gitlab.gnome.org/GNOME/gnome-session/-/merge_requests/63
+---
+ gnome-session/gsm-util.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/gnome-session/gsm-util.c b/gnome-session/gsm-util.c
+index cdf6761..7dc4f26 100644
+--- a/gnome-session/gsm-util.c
++++ b/gnome-session/gsm-util.c
+@@ -646,6 +646,8 @@ gsm_util_export_user_environment (GError     **error)
+         g_variant_builder_open (&builder, G_VARIANT_TYPE ("as"));
+         for (i = 0; variable_unsetlist[i] != NULL; i++)
+                 g_variant_builder_add (&builder, "s", variable_unsetlist[i]);
++        for (i = 0; variable_blacklist[i] != NULL; i++)
++                g_variant_builder_add (&builder, "s", variable_blacklist[i]);
+         g_variant_builder_close (&builder);
+ 
+         g_variant_builder_open (&builder, G_VARIANT_TYPE ("as"));
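
Review bot: The added loop over `variable_blacklist` in gsm_util_export_user_environment carries no comment explaining why entries that are merely "not uploaded" elsewhere are now also placed in the same "as" array as `variable_unsetlist`; the reasoning (other session managers may already have uploaded XDG_SESSION_ID and similar) lives only in the commit message. A one-line comment above the loop would keep that visible in gsm-util.c. The loop also depends on `variable_blacklist` being NULL-terminated like `variable_unsetlist`; its definition is outside this hunk, so that is worth confirming before merge.
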

--- End Message ---
--- Begin Message ---
Hi Simon,

On 29-03-2021 20:15, Simon McVittie wrote:
> Please unblock package gnome-session.

Unblocked.

Paul



--- End Message ---
