fix CVE-2024-6655: Library injection from CWD
(cherry picked from commit e9aaf8940cef92451ab0bdc71ebacc4ef5c7dca4)
This commit is contained in:
Funda Wang
openeuler-sync-bot
parent
fbae73e012
commit
1d71f2f42c
34
CVE-2024-6655.patch
Normal file
34
CVE-2024-6655.patch
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
From: Matthias Clasen <mclasen@redhat.com>
|
||||||
|
Date: Sat, 15 Jun 2024 14:18:01 -0400
|
||||||
|
Subject: Stop looking for modules in cwd
|
||||||
|
|
||||||
|
This is just not a good idea. It is surprising, and can be misused.
|
||||||
|
|
||||||
|
Fixes: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
|
||||||
|
(cherry picked from commit 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7)
|
||||||
|
|
||||||
|
Origin: gtk 3.24.43
|
||||||
|
---
|
||||||
|
gtk/gtkmodules.c | 9 ++-------
|
||||||
|
1 file changed, 2 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
|
||||||
|
index 50729b6..c0f0c30 100644
|
||||||
|
--- a/gtk/gtkmodules.c
|
||||||
|
+++ b/gtk/gtkmodules.c
|
||||||
|
@@ -229,13 +229,8 @@ find_module (const gchar *name)
|
||||||
|
gchar *module_name;
|
||||||
|
|
||||||
|
module_name = _gtk_find_module (name, "modules");
|
||||||
|
- if (!module_name)
|
||||||
|
- {
|
||||||
|
- /* As last resort, try loading without an absolute path (using system
|
||||||
|
- * library path)
|
||||||
|
- */
|
||||||
|
- module_name = g_module_build_path (NULL, name);
|
||||||
|
- }
|
||||||
|
+ if (module_name == NULL)
|
||||||
|
+ return NULL;
|
||||||
|
|
||||||
|
module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
|
||||||
|
|
||||||
11
gtk2.spec
11
gtk2.spec
@ -6,9 +6,9 @@
|
|||||||
#Basic Information
|
#Basic Information
|
||||||
Name: gtk2
|
Name: gtk2
|
||||||
Version: 2.24.33
|
Version: 2.24.33
|
||||||
Release: 9
|
Release: 10
|
||||||
Summary: GTK+ graphical user interface library
|
Summary: GTK+ graphical user interface library
|
||||||
License: LGPLv2+
|
License: LGPL-2.0-or-later
|
||||||
URL: http://www.gtk.org
|
URL: http://www.gtk.org
|
||||||
Source: http://download.gnome.org/sources/gtk+/2.24/gtk+-%{version}.tar.xz
|
Source: http://download.gnome.org/sources/gtk+/2.24/gtk+-%{version}.tar.xz
|
||||||
Source2: im-cedilla.conf
|
Source2: im-cedilla.conf
|
||||||
@ -21,6 +21,8 @@ Patch1: icon-padding.patch
|
|||||||
Patch2: tooltip-positioning.patch
|
Patch2: tooltip-positioning.patch
|
||||||
# https://bugzilla.gnome.org/show_bug.cgi?id=611313
|
# https://bugzilla.gnome.org/show_bug.cgi?id=611313
|
||||||
Patch3: window-dragging.patch
|
Patch3: window-dragging.patch
|
||||||
|
# https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
|
||||||
|
Patch4: CVE-2024-6655.patch
|
||||||
|
|
||||||
#Dependency
|
#Dependency
|
||||||
BuildRequires: pkgconfig(glib-2.0) >= 2.28.0 pkgconfig(atk) >= 2.28.0
|
BuildRequires: pkgconfig(glib-2.0) >= 2.28.0 pkgconfig(atk) >= 2.28.0
|
||||||
@ -234,9 +236,12 @@ gtk-query-immodules-2.0-64 --update-cache
|
|||||||
%doc tmpdocs/tutorial
|
%doc tmpdocs/tutorial
|
||||||
%doc tmpdocs/faq
|
%doc tmpdocs/faq
|
||||||
%{_mandir}/man1/gtk-query-immodules-2.0*
|
%{_mandir}/man1/gtk-query-immodules-2.0*
|
||||||
%{_mandir}/man1/gtk-builder-convert.1.gz
|
%{_mandir}/man1/gtk-builder-convert.1*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jul 15 2024 Funda Wang <fundawang@yeah.net> - 2.24.33-10
|
||||||
|
- fix CVE-2024-6655: Library injection from CWD
|
||||||
|
|
||||||
* Thu Jan 18 2024 zhangpan <zhangpan103@h-partners.com> - 2.24.33-9
|
* Thu Jan 18 2024 zhangpan <zhangpan103@h-partners.com> - 2.24.33-9
|
||||||
- revert last commit
|
- revert last commit
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user