* [OE-core][kirkstone][PATCH] gtk+3 : backport fix for CVE-2024-6655
@ 2024-07-31 4:39 Ashish Sharma
0 siblings, 0 replies; only message in thread
From: Ashish Sharma @ 2024-07-31 4:39 UTC (permalink / raw)
To: openembedded-core; +Cc: Ashish Sharma
stop looking for modules in cwd in gtk/gtkmodules.c.
Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/gtk+3.0/3.24.33-1ubuntu2.2]
Signed-off-by: Ashish Sharma <asharma@mvista.com>
---
.../gtk+/gtk+3/CVE-2024-6655.patch | 39 +++++++++++++++++++
meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb | 1 +
2 files changed, 40 insertions(+)
create mode 100644 meta/recipes-gnome/gtk+/gtk+3/CVE-2024-6655.patch
diff --git a/meta/recipes-gnome/gtk+/gtk+3/CVE-2024-6655.patch b/meta/recipes-gnome/gtk+/gtk+3/CVE-2024-6655.patch
new file mode 100644
index 0000000000..2460b97b6b
--- /dev/null
+++ b/meta/recipes-gnome/gtk+/gtk+3/CVE-2024-6655.patch
@@ -0,0 +1,39 @@
+From 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Sat, 15 Jun 2024 14:18:01 -0400
+Subject: [PATCH] Stop looking for modules in cwd
+
+This is just not a good idea. It is surprising, and can be misused.
+
+Fixes: #6786
+
+CVE: CVE-2024-6655
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/gtk+3.0/3.24.33-1ubuntu2.2]
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ gtk/gtkmodules.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
+index 704e412aeb5..f93101c272e 100644
+--- a/gtk/gtkmodules.c
++++ b/gtk/gtkmodules.c
+@@ -214,13 +214,8 @@ find_module (const gchar *name)
+ gchar *module_name;
+
+ module_name = _gtk_find_module (name, "modules");
+- if (!module_name)
+- {
+- /* As last resort, try loading without an absolute path (using system
+- * library path)
+- */
+- module_name = g_module_build_path (NULL, name);
+- }
++ if (module_name == NULL)
++ return NULL;
+
+ module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
+
+--
+GitLab
+
diff --git a/meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb b/meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb
index f862e143d4..3e974c91e5 100644
--- a/meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb
+++ b/meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb
@@ -6,6 +6,7 @@ SRC_URI = "http://ftp.gnome.org/pub/gnome/sources/gtk+/${MAJ_VER}/gtk+-${PV}.tar
file://0002-Do-not-try-to-initialize-GL-without-libGL.patch \
file://0003-Add-disable-opengl-configure-option.patch \
file://link_fribidi.patch \
+ file://CVE-2024-6655.patch \
"
SRC_URI[sha256sum] = "dbc69f90ddc821b8d1441f00374dc1da4323a2eafa9078e61edbe5eeefa852ec"
--
2.35.7
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2024-07-31 4:40 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-31 4:39 [OE-core][kirkstone][PATCH] gtk+3 : backport fix for CVE-2024-6655 Ashish Sharma
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox