packages/gtk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!46 [sync] PR-41: fix CVE-2024-6655: Library injection from CWD

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
This commit is contained in:
openeuler-ci-bot 2024-07-23 06:54:21 +00:00 committed by Gitee
commit 69cde7b100
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 42 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
CVE-2024-6655.patch Normal file
View File

@ -0,0 +1,34 @@
From: Matthias Clasen <mclasen@redhat.com>
Date: Sat, 15 Jun 2024 14:18:01 -0400
Subject: Stop looking for modules in cwd
This is just not a good idea. It is surprising, and can be misused.
Fixes: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
(cherry picked from commit 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7)
Origin: gtk 3.24.43
---
gtk/gtkmodules.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
index 50729b6..c0f0c30 100644
--- a/gtk/gtkmodules.c
+++ b/gtk/gtkmodules.c
@@ -229,13 +229,8 @@ find_module (const gchar *name)
gchar *module_name;
module_name = _gtk_find_module (name, "modules");
- if (!module_name)
- {
- /* As last resort, try loading without an absolute path (using system
- * library path)
- */
- module_name = g_module_build_path (NULL, name);
- }
+ if (module_name == NULL)
+ return NULL;
module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);

11
gtk2.spec
View File

@ -6,9 +6,9 @@
#Basic Information #Basic Information
Name: gtk2 Name: gtk2
Version: 2.24.33 Version: 2.24.33
Release: 9 Release: 10
Summary: GTK+ graphical user interface library Summary: GTK+ graphical user interface library
License: LGPLv2+ License: LGPL-2.0-or-later
URL: http://www.gtk.org URL: http://www.gtk.org
Source: http://download.gnome.org/sources/gtk+/2.24/gtk+-%{version}.tar.xz Source: http://download.gnome.org/sources/gtk+/2.24/gtk+-%{version}.tar.xz
Source2: im-cedilla.conf Source2: im-cedilla.conf
@ -21,6 +21,8 @@ Patch1: icon-padding.patch
Patch2: tooltip-positioning.patch Patch2: tooltip-positioning.patch
# https://bugzilla.gnome.org/show_bug.cgi?id=611313 # https://bugzilla.gnome.org/show_bug.cgi?id=611313
Patch3: window-dragging.patch Patch3: window-dragging.patch
# https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
Patch4: CVE-2024-6655.patch
#Dependency #Dependency
BuildRequires: pkgconfig(glib-2.0) >= 2.28.0 pkgconfig(atk) >= 2.28.0 BuildRequires: pkgconfig(glib-2.0) >= 2.28.0 pkgconfig(atk) >= 2.28.0
@ -234,9 +236,12 @@ gtk-query-immodules-2.0-64 --update-cache
%doc tmpdocs/tutorial %doc tmpdocs/tutorial
%doc tmpdocs/faq %doc tmpdocs/faq
%{_mandir}/man1/gtk-query-immodules-2.0* %{_mandir}/man1/gtk-query-immodules-2.0*
%{_mandir}/man1/gtk-builder-convert.1.gz %{_mandir}/man1/gtk-builder-convert.1*
%changelog %changelog
* Mon Jul 15 2024 Funda Wang <fundawang@yeah.net> - 2.24.33-10
- fix CVE-2024-6655: Library injection from CWD
* Thu Jan 18 2024 zhangpan <zhangpan103@h-partners.com> - 2.24.33-9 * Thu Jan 18 2024 zhangpan <zhangpan103@h-partners.com> - 2.24.33-9
- revert last commit - revert last commit