packages/gtk3
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!84 [sync] PR-81: Fix CVE-2024-6655: Library injection from CWD

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @yanan-rock 
Signed-off-by: @yanan-rock
This commit is contained in:
openeuler-ci-bot 2024-07-23 07:42:42 +00:00 committed by Gitee
commit e6d28a6aa5
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 40 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
backport-gtk+-3.24-CVE-2024-6655.patch Normal file
View File

@ -0,0 +1,35 @@
From 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Sat, 15 Jun 2024 14:18:01 -0400
Subject: [PATCH] Stop looking for modules in cwd
This is just not a good idea. It is surprising, and can be misused.
Fixes: #6786
---
gtk/gtkmodules.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
index 704e412aeb5..f93101c272e 100644
--- a/gtk/gtkmodules.c
+++ b/gtk/gtkmodules.c
@@ -214,13 +214,8 @@ find_module (const gchar *name)
gchar *module_name;
module_name = _gtk_find_module (name, "modules");
- if (!module_name)
- {
- /* As last resort, try loading without an absolute path (using system
- * library path)
- */
- module_name = g_module_build_path (NULL, name);
- }
+ if (module_name == NULL)
+ return NULL;
module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
--
GitLab

6
gtk3.spec
View File

@ -14,7 +14,7 @@
#Basic Information #Basic Information
Name: gtk3 Name: gtk3
Version: 3.24.30 Version: 3.24.30
Release: 10 Release: 11
Summary: GTK+ graphical user interface library Summary: GTK+ graphical user interface library
License: LGPLv2+ License: LGPLv2+
URL: http://www.gtk.org URL: http://www.gtk.org
@ -22,6 +22,7 @@ Source0: http://download.gnome.org/sources/gtk+/3.24/gtk+-%{version}.tar.xz
Patch6000: remove-missing-reftests-when-use-meson-build-system.patch Patch6000: remove-missing-reftests-when-use-meson-build-system.patch
Patch6001: do-not-install-reftests-when-use-meson-build-system.patch Patch6001: do-not-install-reftests-when-use-meson-build-system.patch
Patch6002: backport-gtk+-3.24-CVE-2024-6655.patch
#Dependency #Dependency
BuildRequires: pkgconfig(atk) >= %{atk_version} pkgconfig(atk-bridge-2.0) BuildRequires: pkgconfig(atk) >= %{atk_version} pkgconfig(atk-bridge-2.0)
@ -266,6 +267,9 @@ gtk-query-immodules-3.0-64 --update-cache &>/dev/null || :
%{_mandir}/man1/gtk3-widget-factory.1* %{_mandir}/man1/gtk3-widget-factory.1*
%changelog %changelog
* Thu Jul 11 2024 Funda Wang <fundawang@yeah.net> - 3.24.30-11
- Fix CVE-2024-6655: Library injection from CWD
* Thu Jan 18 2024 zhangpan <zhangpan103@h-partners.com> - 3.24.30-10 * Thu Jan 18 2024 zhangpan <zhangpan103@h-partners.com> - 3.24.30-10
- revert delete taboo words commit - revert delete taboo words commit