Bug#843176: libgtk-3-0: "Invalid column number ... added to iter" in GTK+ Inspector
Yuriy M. Kaminskiy
yumkam+debian at gmail.com
Fri Nov 4 15:28:23 UTC 2016
Package: libgtk-3-0
Version: 3.14.5-1+deb8u1
Severity: normal
Tags: upstream jessie patch fixed-upstream
Dear Maintainer,
While running wireshark from jessie-backports with GTK+ Inspector
enabled (`GTK_DEBUG=interactive wireshark-gtk`) I got a large number of
(wireshark-gtk:3784): Gtk-WARNING **:
/build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/gtktreestore.c:1042: Invalid
column number -150702538 added to iter (remember to end your list of
columns with a -1)
GDB backtrace from g_log attached.
This seems to come from a type mismatch in
gtk/inspector/resource-list.{c,ui}: resource-list.ui declares the last
column as guint64,
but resource-list.c uses gsize (32-bit on 32-bit architectures).
This results in the above warning, an out-of-buffer stack read inside
gtk_tree_model_set (likely harmless except for leaking 4 bytes from the
stack on little-endian, but up to crash/DoS on big-endian), and an
out-of-buffer stack write in gtk_tree_model_get.
I doubt it is practically exploitable, but you can never be sure.
See upstream patch "inspector: be careful about gsize vs guint64"
(extracted from
https://mail.gnome.org/archives/commits-list/2015-January/msg02295.html
and attached below; it seems it was already included in stretch/sid version)
This patch also seems to have been included in gtk+-3.14.7 (btw, WTF upstream
*stable* patches are not *automatically* shipped with [at least] point
releases??? many crash bugs are potential security issues (even if not
explicitly marked as such by upstream devs), and it is extremely
annoying to debug issue only to discover it was already fixed in
upstream *stable* branch years ago :-\).
-- System Information:
Debian Release: 8.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'proposed-updates')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libgtk-3-0 depends on:
ii libatk-bridge2.0-0 2.14.0-2
ii libatk1.0-0 2.14.0-1
ii libc6 2.19-18+deb8u6
ii libcairo-gobject2 1.14.0-2.1+deb8u1
ii libcairo2 1.14.0-2.1+deb8u1
ii libcolord2 1.2.1-1+b2
ii libcups2 1.7.5-11+deb8u1
ii libfontconfig1 2.11.0-6.3+deb8u1
ii libfreetype6 2.5.2-3+deb8u1
ii libgdk-pixbuf2.0-0 2.31.1-2+deb8u5
ii libglib2.0-0 2.42.1-1+b1
ii libgtk-3-common 3.14.5-1+deb8u1
ii libjson-glib-1.0-0 1.0.2-1
ii libpango-1.0-0 1.36.8-3
ii libpangocairo-1.0-0 1.36.8-3
ii libpangoft2-1.0-0 1.36.8-3
ii librest-0.7-0 0.7.92-3
ii libsoup2.4-1 2.48.0-1
ii libwayland-client0 1.6.0-2
ii libwayland-cursor0 1.6.0-2
ii libx11-6 2:1.6.2-3
ii libxcomposite1 1:0.4.4-1
ii libxcursor1 1:1.1.14-1+b1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxi6 2:1.7.4-1+b2
ii libxinerama1 2:1.1.3-1+b1
ii libxkbcommon0 0.4.3-2
ii libxml2 2.9.1+dfsg1-5+deb8u3
ii libxrandr2 2:1.4.2-1+b1
ii multiarch-support 2.19-18+deb8u6
ii shared-mime-info 1.3-1
Versions of packages libgtk-3-0 recommends:
ii hicolor-icon-theme 0.13-1
ii libgtk-3-bin 3.14.5-1+deb8u1
Versions of packages libgtk-3-0 suggests:
ii gvfs 1.22.2-1
ii librsvg2-common 2.40.5-1+deb8u2
-- no debconf information
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: backtrace.txt
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20161104/c34f2680/attachment-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-resource-list-uint64-mismatch.patch
Type: text/x-diff
Size: 2075 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20161104/c34f2680/attachment-0001.patch>
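To illustrate the class of bug described above, here is an added example (not the reporter's code, not GTK's): a hypothetical GtkTreeStore-like column setter in C. Column types are declared in a table and every value is read from the varargs with exactly that declared type, so a caller holding a size_t (gsize) must widen it explicitly before passing it for a 64-bit column; the column-number validation mirrors the condition behind the quoted "Invalid column number ... added to iter" warning. Names, the column layout and the sample values are constructed for this example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a typed column store. Like gtk_tree_store_set(),
 * the setter takes (column, value, ..., -1): va_arg() cannot see what the
 * caller actually passed, so an argument narrower than the declared column
 * type desynchronises the list and the -1 terminator is never found. */
enum col_type { COL_INT, COL_STR, COL_U64 };
#define N_COLS 3
static const enum col_type col_types[N_COLS] = { COL_INT, COL_STR, COL_U64 };

struct row { int c_int; const char *c_str; uint64_t c_u64; };

/* Returns the number of columns set, or -1 for an invalid column number. */
static int row_set(struct row *r, ...)
{
    va_list ap;
    int n = 0;
    va_start(ap, r);
    for (;;) {
        int col = va_arg(ap, int);
        if (col == -1) break;                       /* list terminator */
        if (col < 0 || col >= N_COLS) { va_end(ap); return -1; }
        switch (col_types[col]) {
        case COL_INT: r->c_int = va_arg(ap, int); break;
        case COL_STR: r->c_str = va_arg(ap, const char *); break;
        case COL_U64: r->c_u64 = va_arg(ap, uint64_t); break;  /* reads 8 bytes */
        }
        n++;
    }
    va_end(ap);
    return n;
}

/* Correct caller: the column is declared 64-bit, so widen the size_t before
 * it enters the varargs (on i386 passing 'size' directly would hand over
 * only 4 bytes and the setter would read the next slot as the upper half). */
static int store_resource(struct row *r, const char *name, size_t size)
{
    uint64_t size64 = size;                         /* explicit widening */
    return row_set(r, 0, 42, 1, name, 2, size64, -1);
}

/* Constructed sample: check the full value survives the round trip. */
static uint64_t demo_size_roundtrip(void)
{
    struct row r = { 0, NULL, 0 };
    if (store_resource(&r, "/org/example/big.bin", (size_t)0x1fffffffUL) != 3)
        return 0;
    return r.c_u64;
}

/* Constructed sample: a column that does not exist is rejected, not applied. */
static int demo_bad_column(void)
{
    struct row r = { 0, NULL, 0 };
    return row_set(&r, 7, 0, -1);
}
```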