Bug#1076609: bullseye-pu: package gtk+3.0/3.24.24-4+deb11u4
Simon McVittie
smcv at debian.org
Fri Jul 19 15:47:31 BST 2024
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: gtk+3.0 at packages.debian.org, security at debian.org, debian-boot at lists.debian.org
Control: affects -1 + src:gtk+3.0
[ Reason ]
CVE-2024-6655. The security team has indicated that they do not intend
to release a DSA for this vulnerability.
[ Impact ]
If not fixed, GTK 3 apps will load modules specified in $GTK_MODULES from
the current working directory, which could be an exploitable vulnerability
if a GTK 3 app is run from /tmp or a similarly attacker-controlled
directory.
[ Tests ]
Briefly tested in a Debian 11 GNOME VM, no obvious regression.
In the GTK 3 currently in bullseye, running e.g.
`GTK_MODULES=gail:atk-bridge:foobar strace -efile gtk3-widget-factory`
shows signs of attempting to load ./libfoobar.so:
stat("libfoobar.so", 0x7ffd2beebe80) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.so", 0x7ffd2beebe80) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.la", 0x7ffd2beebe80) = -1 ENOENT (No such file or directory)
(gtk3-widget-factory is a sample GTK 3 application, from gtk-3-examples.)
In the proposed version, this no longer happens.
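As an added illustration (not part of this report), the strace check described above can be automated: the helper below scans `strace -efile` output for shared-module lookups made through a path relative to the current working directory, which is the behaviour CVE-2024-6655 describes and which a patched GTK 3 should no longer show. The sample strace text is constructed to resemble the unpatched run; the function names are mine.

```python
import re
from typing import List, Tuple

# Constructed sample resembling `GTK_MODULES=gail:atk-bridge:foobar strace -efile`
# output from an unpatched GTK 3 (addresses and library paths are made up).
SAMPLE_STRACE = """\
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/gtk-3.0/modules/libgail.so", O_RDONLY|O_CLOEXEC) = 3
stat("libfoobar.so", 0x7ffd2beebe80) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.so", 0x7ffd2beebe80) = -1 ENOENT (No such file or directory)
stat("libfoobar.so.la", 0x7ffd2beebe80) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
"""

# A file-class syscall as printed by strace: name, optional AT_FDCWD, quoted path.
_CALL_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s*)?(?P<call>\w+)\((?:AT_FDCWD,\s*)?"(?P<path>[^"]*)"'
)
# Loadable-module names: libfoo.so, libfoo.so.N, libfoo.la, plus GModule's
# "append .so/.la" retries such as libfoo.so.so seen in the report.
_MODULE_RE = re.compile(r'\.(?:so|la)(?:\.|$)')


def cwd_relative_module_lookups(strace_output: str) -> List[Tuple[str, str]]:
    """Return (syscall, path) pairs for module lookups by a path relative to
    the working directory; absolute paths are the normal module-dir search."""
    hits = []
    for line in strace_output.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if path.startswith("/"):
            continue
        if _MODULE_RE.search(path):
            hits.append((m.group("call"), path))
    return hits


def shows_cve_2024_6655_behaviour(strace_output: str) -> bool:
    """True if the trace contains any working-directory module lookup."""
    return bool(cwd_relative_module_lookups(strace_output))


if __name__ == "__main__":
    for call, path in cwd_relative_module_lookups(SAMPLE_STRACE):
        print(f"cwd-relative module lookup: {call}({path!r})")
```

Feed it real output with `strace -f -efile -o trace.log gtk3-widget-factory` and a deliberately bogus `GTK_MODULES` entry; a patched build should yield no hits.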
[ Risks ]
Low risk, straightforward backport of a targeted security fix.
One risk here is that Debian 11.11 is intended to be its last scheduled
point release, so if this somehow causes a regression, there will be no
more point releases in which the regression can be fixed, and it will
be up to the LTS team to deal with the fallout.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
All changes are part of the vulnerability fix.
[ Other info ]
GTK 3 produces udebs, so officially it needs a d-i ack (debian-boot cc'd
for this); but in practice the graphical installer is still using GTK 2
even in testing/unstable, so I believe it would be OK to ship this
change without waiting for the d-i team's approval.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gtk+3.0_3.24.24-4+deb11u4.diff
Type: text/x-diff
Size: 3666 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20240719/9ecedf0e/attachment.diff>