Bug#1076596: bookworm-pu: package gtk+2.0/2.24.33-2+deb12u1
Simon McVittie
smcv at debian.org
Fri Jul 19 12:29:05 BST 2024
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: gtk+2.0 at packages.debian.org, security at debian.org
Control: affects -1 + src:gtk+2.0
[ Reason ]
CVE-2024-6655. The security team has indicated that they do not intend
to release a DSA for this vulnerability.
[ Impact ]
If not fixed, GTK 2 apps will load modules specified in $GTK_MODULES from
the current working directory, which could be an exploitable vulnerability
if a GTK 2 app is run from /tmp or a similarly attacker-controlled
directory.
[ Tests ]
In the GTK 2 currently in bookworm, running e.g.
`GTK_MODULES=gail:atk-bridge:foobar strace -efile gtk-demo` shows signs of
attempting to load ./libfoobar.so:
newfstatat(AT_FDCWD, "libfoobar.so", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.so", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libfoobar.so.la", 0x7ffefb821f70, 0) = -1 ENOENT (No such file or directory)
In the proposed version, this no longer happens.
(gtk-demo is a sample GTK 2 application, from gtk2.0-examples.)
[ Risks ]
Low risk, straightforward backport of a targeted security fix.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
d/patches: The vulnerability fix.
d/control, d/gbp.conf: Package release administrivia.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gtk+2.0_2.24.33-2+deb12u1.diff
Type: text/x-diff
Size: 5570 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20240719/1cfa7c30/attachment.diff>
More information about the pkg-gnome-maintainers
mailing list