[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1076609: bullseye-pu: package gtk+3.0/3.24.24-4+deb11u4

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gtk+3.0@packages.debian.org, security@debian.org, debian-boot@lists.debian.org
Control: affects -1 + src:gtk+3.0

[ Reason ]
CVE-2024-6655. The security team has indicated that they do not intend
to release a DSA for this vulnerability.

[ Impact ]
If not fixed, GTK 3 apps will load modules specified in $GTK_MODULES from
the current working directory, which could be an exploitable vulnerability
if a GTK 3 app is run from /tmp or a similarly attacker-controlled
directory.

[ Tests ]
Briefly tested in a Debian 11 GNOME VM, no obvious regression.

In the GTK 3 currently in bullseye, running e.g.
`GTK_MODULES=gail:atk-bridge:foobar strace -efile gtk3-widget-factory`
shows signs of attempting to load ./libfoobar.so:

stat("libfoobar.so", 0x7ffd2beebe80)    = -1 ENOENT (No such file or directory)
stat("libfoobar.so.so", 0x7ffd2beebe80) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.la", 0x7ffd2beebe80) = -1 ENOENT (No such file or directory)

(gtk3-widget-factory is a sample GTK 3 application, from gtk-3-examples.)

In the proposed version, this no longer happens.

[ Risks ]
Low risk, straightforward backport of a targeted security fix.

One risk here is that Debian 11.11 is intended to be its last scheduled
point release, so if this somehow causes a regression, there will be no
more point releases in which the regression can be fixed, and it will
be up to the LTS team to deal with the fallout.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
All changes are part of the vulnerability fix.

[ Other info ]
GTK 3 produces udebs, so officially it needs a d-i ack (debian-boot cc'd
for this); but in practice the graphical installer is still using GTK 2
even in testing/unstable, so I believe it would be OK to ship this
change without waiting for the d-i team's approval.

diffstat for gtk+3.0-3.24.24 gtk+3.0-3.24.24

 debian/changelog                                     |    8 ++++
 debian/patches/Stop-looking-for-modules-in-cwd.patch |   33 +++++++++++++++++++
 debian/patches/series                                |    1 
 gtk/gtkmodules.c                                     |    9 +----
 4 files changed, 44 insertions(+), 7 deletions(-)

diff -Nru gtk+3.0-3.24.24/debian/changelog gtk+3.0-3.24.24/debian/changelog
--- gtk+3.0-3.24.24/debian/changelog	2023-02-24 19:07:01.000000000 +0000
+++ gtk+3.0-3.24.24/debian/changelog	2024-07-19 14:30:18.000000000 +0100
@@ -1,3 +1,11 @@
+gtk+3.0 (3.24.24-4+deb11u4) bullseye; urgency=medium
+
+  * d/p/Stop-looking-for-modules-in-cwd.patch:
+    Add patch backported from 3.24.43 to avoid looking for modules in
+    current working directory (CVE-2024-6655)
+
+ -- Simon McVittie <smcv@debian.org>  Fri, 19 Jul 2024 14:30:18 +0100
+
 gtk+3.0 (3.24.24-4+deb11u3) bullseye; urgency=medium
 
   * d/p/gdk_wayland_display_init_gl-use-GLES-API-if-required.patch:
diff -Nru gtk+3.0-3.24.24/debian/patches/series gtk+3.0-3.24.24/debian/patches/series
--- gtk+3.0-3.24.24/debian/patches/series	2023-02-24 19:07:01.000000000 +0000
+++ gtk+3.0-3.24.24/debian/patches/series	2024-07-19 14:30:18.000000000 +0100
@@ -27,3 +27,4 @@
 Don-t-try-to-create-local-cups-printers-before-CUPS-2.2.patch
 debian/cups-Use-the-same-name-mangling-as-Debian-11-s-cups-brows.patch
 gdk_wayland_display_init_gl-use-GLES-API-if-required.patch
+Stop-looking-for-modules-in-cwd.patch
diff -Nru gtk+3.0-3.24.24/debian/patches/Stop-looking-for-modules-in-cwd.patch gtk+3.0-3.24.24/debian/patches/Stop-looking-for-modules-in-cwd.patch
--- gtk+3.0-3.24.24/debian/patches/Stop-looking-for-modules-in-cwd.patch	1970-01-01 01:00:00.000000000 +0100
+++ gtk+3.0-3.24.24/debian/patches/Stop-looking-for-modules-in-cwd.patch	2024-07-19 14:30:18.000000000 +0100
@@ -0,0 +1,33 @@
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Sat, 15 Jun 2024 14:18:01 -0400
+Subject: Stop looking for modules in cwd
+
+This is just not a good idea. It is surprising, and can be misused.
+
+Bug: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
+Bug-CVE: CVE-2024-6655
+Origin: upstream, 3.24.43, commit:https://gitlab.gnome.org/GNOME/gtk/-/commit/3bbf0b6176d42836d23c36a6ac410e807ec0a7a7
+---
+ gtk/gtkmodules.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
+index 704e412..f93101c 100644
+--- a/gtk/gtkmodules.c
++++ b/gtk/gtkmodules.c
+@@ -214,13 +214,8 @@ find_module (const gchar *name)
+   gchar *module_name;
+ 
+   module_name = _gtk_find_module (name, "modules");
+-  if (!module_name)
+-    {
+-      /* As last resort, try loading without an absolute path (using system
+-       * library path)
+-       */
+-      module_name = g_module_build_path (NULL, name);
+-    }
++  if (module_name == NULL)
++    return NULL;
+ 
+   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
+ 
diff -Nru gtk+3.0-3.24.24/gtk/gtkmodules.c gtk+3.0-3.24.24/gtk/gtkmodules.c
--- gtk+3.0-3.24.24/gtk/gtkmodules.c	2020-12-02 22:21:56.000000000 +0000
+++ gtk+3.0-3.24.24/gtk/gtkmodules.c	2024-07-19 15:46:41.000000000 +0100
@@ -214,13 +214,8 @@
   gchar *module_name;
 
   module_name = _gtk_find_module (name, "modules");
-  if (!module_name)
-    {
-      /* As last resort, try loading without an absolute path (using system
-       * library path)
-       */
-      module_name = g_module_build_path (NULL, name);
-    }
+  if (module_name == NULL)
+    return NULL;
 
   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
Reply to: