Bug#1076598: bullseye-pu: package gtk+2.0/2.24.33-2+deb11u1

Simon McVittie smcv at debian.org
Fri Jul 19 13:00:57 BST 2024


Package: release.debian.org
Severity: normal
Tags: bullseye d-i
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: gtk+2.0 at packages.debian.org, security at debian.org, debian-boot at lists.debian.org
Control: affects -1 + src:gtk+2.0

[ Reason ]
CVE-2024-6655. The security team has indicated that they do not intend
to release a DSA for this vulnerability.

[ Impact ]
If not fixed, GTK 2 apps will load modules specified in $GTK_MODULES from
the current working directory, which could be an exploitable vulnerability
if a GTK 2 app is run from /tmp or a similarly attacker-controlled
directory.

[ Tests ]
Briefly tested in a Debian 11 GNOME VM, no obvious regression.

In the GTK 2 currently in bullseye, running e.g.
`GTK_MODULES=gail:atk-bridge:foobar strace -efile gtk-demo` shows signs of
attempting to load ./libfoobar.so:

stat("libfoobar.so", ...) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.so", ...) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.la", ...) = -1 ENOENT (No such file or directory)

In the proposed version, this no longer happens.

(gtk-demo is a sample GTK 2 application, from gtk2.0-examples.)

I have not yet attempted to build a debian-installer image with the
proposed GTK.
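The strace check above can be scripted so that it is repeatable against any GTK 2 application, before and after the update. The following POSIX sh helper is an added example and is not part of this bug report or of the gtk+2.0 package: it reads `strace -efile` output and prints only the library lookups whose path is relative to the current working directory (an absolute module path such as one under `/usr/lib/.../gtk-2.0/` is not flagged). Running it live assumes `strace` and a GUI session where the application can start; the sample strace lines embedded at the bottom are constructed for offline use and are not captured from a real run.

```shell
#!/bin/sh
# Added example (not from the bug report): flag GTK module load attempts that
# resolve relative to the current working directory in strace -efile output.

# cwd_module_loads: read strace -efile lines on stdin, print those where
# stat/open/openat/access was called on a bare .so/.la filename, i.e. a
# path that the dynamic loader would resolve against the CWD. Absolute
# paths (leading '/') are ignored. Always exits 0 so it is pipe-friendly.
cwd_module_loads() {
    grep -E '^(stat|lstat|open|openat|access)\((AT_FDCWD, )?"[^/"][^"]*\.(so|la)(\.[^"]*)?"' || true
}

# count_cwd_module_loads: same input, prints the number of flagged lines.
count_cwd_module_loads() {
    cwd_module_loads | wc -l | tr -d ' '
}

# check_app APP [MODULES]: reproduce the test from the report against a real
# GTK 2 application. "foobar" is a deliberately nonexistent module name, so
# any relative lookup for libfoobar.so* means the CWD is being searched.
# Requires strace and a display; output is 0 for the fixed GTK.
check_app() {
    app=$1
    modules=${2:-gail:atk-bridge:foobar}
    GTK_MODULES="$modules" strace -efile "$app" 2>&1 >/dev/null | cwd_module_loads
}

# Constructed sample (not real strace output): one absolute module path that
# must not be flagged, the three relative lookups quoted in the report, and an
# unrelated loader lookup.
SAMPLE='stat("/usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/modules/libgail.so", {st_mode=S_IFREG|0644, st_size=123456}) = 0
stat("libfoobar.so", 0x7ffd00001234) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.so", 0x7ffd00001234) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.la", 0x7ffd00001234) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3'

# Offline demonstration: prints the three CWD-relative lookups.
printf '%s\n' "$SAMPLE" | cwd_module_loads
```

To use it against the installed GTK, source the file and run `check_app gtk-demo`: with the bullseye GTK 2 it prints the three `libfoobar.so*` lines, with the proposed version it prints nothing. Passing a different module list as the second argument lets you confirm that legitimately installed modules such as `gail` are still found by absolute path.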

[ Risks ]
Low risk, straightforward backport of a targeted security fix.

One risk here is that Debian 11.11 is intended to be its last scheduled
point release, so if this somehow causes a regression, there will be no
more point releases in which the regression can be fixed, and it will
be up to the LTS team to deal with the fallout.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
d/patches: The vulnerability fix.

d/control, d/gbp.conf: Package release administrivia.

[ Other info ]
GTK 2 is used in the graphical installer, so this will require a d-i ack.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gtk+2.0_2.24.33-2+deb11u1.diff
Type: text/x-diff
Size: 5570 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20240719/6c859c58/attachment-0001.diff>