!80 Fix CVE-2024-6655: Library injection from CWD

From: @fundawang 
Reviewed-by: @yanan-rock 
Signed-off-by: @yanan-rock

backport-gtk+-3.24-CVE-2024-6655.patch

@@ -0,0 +1,35 @@
+From 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Sat, 15 Jun 2024 14:18:01 -0400
+Subject: [PATCH] Stop looking for modules in cwd
+
+This is just not a good idea. It is surprising, and can be misused.
+
+Fixes: #6786
+---
+ gtk/gtkmodules.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
+index 704e412aeb5..f93101c272e 100644
+--- a/gtk/gtkmodules.c
++++ b/gtk/gtkmodules.c
+@@ -214,13 +214,8 @@ find_module (const gchar *name)
+   gchar *module_name;
+ 
+   module_name = _gtk_find_module (name, "modules");
+-  if (!module_name)
+-    {
+-      /* As last resort, try loading without an absolute path (using system
+-       * library path)
+-       */
+-      module_name = g_module_build_path (NULL, name);
+-    }
++  if (module_name == NULL)
++    return NULL;
+ 
+   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
+ 
+-- 
+GitLab
+

gtk3.spec

@@ -13,14 +13,15 @@
 
 #Basic Information
 Name:          gtk3
-Version:       3.24.36
-Release:       1
+Version:       3.24.41
+Release:       2
 Summary:       GTK+ graphical user interface library
 License:       LGPLv2+
 URL:           https://www.gtk.org
 Source0:       https://download.gnome.org/sources/gtk+/3.24/gtk+-%{version}.tar.xz
 
 Patch0:        0001-Let-the-notification-icon-use-the-size-specified-by-.patch
+Patch1:        backport-gtk+-3.24-CVE-2024-6655.patch
 
 #Dependency
 BuildRequires: pkgconfig(atk) >= %{atk_version} pkgconfig(atk-bridge-2.0)
@@ -31,7 +32,7 @@ BuildRequires: pkgconfig(xi) pkgconfig(xrandr) pkgconfig(xinerama) pkgconfig(xco
 BuildRequires: pkgconfig(xkbcommon) pkgconfig(epoxy) >= %{epoxy_version}
 BuildRequires: wayland-devel >= %{wayland_version} wayland-protocols-devel >= %{wayland_protocols_version}
 BuildRequires: pkgconfig(colord)
-BuildRequires: gettext gtk-doc libtool desktop-file-utils libXcursor-devel meson 
+BuildRequires: gettext gtk-doc libtool desktop-file-utils libXcursor-devel meson
 %if 0%{?openEuler}
 BuildRequires: cups-devel
 %endif
@@ -264,6 +265,21 @@ gtk-query-immodules-3.0-64 --update-cache &>/dev/null || :
 %{_mandir}/man1/gtk3-widget-factory.1*
 
 %changelog
+* Thu Jul 11 2024 Funda Wang <fundawang@yeah.net> - 3.24.41-2
+- Fix CVE-2024-6655: Library injection from CWD
+
+* Thu Jan 25 2024 zhangpan <zhangpan103@h-partners.com> - 3.24.41-1
+- update to 3.24.41
+
+* Thu Jan 18 2024 zhangpan <zhangpan103@h-partners.com> - 3.24.38-2
+- revert delete taboo words commit
+
+* Sat Jul 22 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 3.24.38-1
+- update to 3.24.38
+
+* Thu Jun 15 2023 zhangpan <zhangpan103@h-partners.com> - 3.24.36-2
+- delete taboo words
+
 * Mon Jan 02 2023 lin zhang <lin.zhang@turbolinux.com.cn> - 3.24.36-1
 - update to 3.24.36