!43 fix CVE-2024-6655: Library injection from CWD

From: @fundawang 
Reviewed-by: @yanan-rock 
Signed-off-by: @yanan-rock

CVE-2024-6655.patch

@@ -0,0 +1,34 @@
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Sat, 15 Jun 2024 14:18:01 -0400
+Subject: Stop looking for modules in cwd
+
+This is just not a good idea. It is surprising, and can be misused.
+
+Fixes: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
+(cherry picked from commit 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7)
+
+Origin: gtk 3.24.43
+---
+ gtk/gtkmodules.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
+index 50729b6..c0f0c30 100644
+--- a/gtk/gtkmodules.c
++++ b/gtk/gtkmodules.c
+@@ -229,13 +229,8 @@ find_module (const gchar *name)
+   gchar *module_name;
+ 
+   module_name = _gtk_find_module (name, "modules");
+-  if (!module_name)
+-    {
+-      /* As last resort, try loading without an absolute path (using system
+-       * library path)
+-       */
+-      module_name = g_module_build_path (NULL, name);
+-    }
++  if (module_name == NULL)
++    return NULL;
+ 
+   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
+ 

gtk2.spec

@@ -1,11 +1,12 @@
 #Global macro or variable
 %global __provides_exclude_from ^%{_libdir}/gtk-2.0
 %define gtk_bin_version 2.10.0
+%global enable_immodules_package 0
 
 #Basic Information
 Name:            gtk2
 Version:         2.24.32
-Release:         6
+Release:         11
 Summary:         GTK+ graphical user interface library
 License:         LGPLv2+
 URL:             http://www.gtk.org
@@ -21,6 +22,8 @@ Patch2:  icon-padding.patch
 Patch8:  tooltip-positioning.patch
 # https://bugzilla.gnome.org/show_bug.cgi?id=611313
 Patch15: window-dragging.patch
+# https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
+Patch16: CVE-2024-6655.patch
 
 #Dependency
 BuildRequires:   pkgconfig(glib-2.0) >= 2.28.0 pkgconfig(atk) >= 2.28.0
@@ -50,6 +53,7 @@ is created in C programming language. The GTK+ is also called the GIMP
 Toolkit. Originally, the library was created while developing the GIMP
 image manipulation program.
 
+%if %{enable_immodules_package}
 %package         immodules
 Summary:         Input methods for GTK+
 Requires:        gtk2 = %{version}-%{release}
@@ -59,6 +63,7 @@ Requires:        imsettings
 %description     immodules
 The gtk2-immodules package contains standalone input methods that are shipped
 as part of GTK+.
+%endif
 
 %package         immodule-xim
 Summary:         XIM support for GTK+
@@ -107,7 +112,7 @@ export CFLAGS='-fno-strict-aliasing %optflags'
          --enable-debug          \
 )
 sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
-make
+%make_build
 
 %install
 make install DESTDIR=%{buildroot}        \
@@ -183,7 +188,13 @@ gtk-query-immodules-2.0-64 --update-cache
 %{_datadir}/themes/Default
 %{_datadir}/themes/Emacs
 %{_datadir}/themes/Raleigh
+%if !%{enable_immodules_package}
+%exclude %{_libdir}/gtk-2.0/%{gtk_bin_version}/immodules/*.so
+%exclude %{_sysconfdir}/X11/xinit/xinput.d/im-cedilla.conf
+%exclude %config(noreplace) %{_sysconfdir}/gtk-2.0/im-multipress.conf
+%endif
 
+%if %{enable_immodules_package}
 %files immodules
 %{_libdir}/gtk-2.0/%{gtk_bin_version}/immodules/im-am-et.so
 %{_libdir}/gtk-2.0/%{gtk_bin_version}/immodules/im-cedilla.so
@@ -198,6 +209,7 @@ gtk-query-immodules-2.0-64 --update-cache
 %{_sysconfdir}/X11/xinit/xinput.d/im-cedilla.conf
 %dir %{_sysconfdir}/gtk-2.0
 %config(noreplace) %{_sysconfdir}/gtk-2.0/im-multipress.conf
+%endif
 
 %files immodule-xim
 %{_libdir}/gtk-2.0/%{gtk_bin_version}/immodules/im-xim.so
@@ -222,6 +234,27 @@ gtk-query-immodules-2.0-64 --update-cache
 %{_mandir}/man1/gtk-builder-convert.1.gz
 
 %changelog
+* Mon Jul 15 2024 Funda Wang <fundawang@yeah.net> - 2.24.32-11
+- fix CVE-2024-6655: Library injection from CWD
+
+* Thu Jan 18 2024 zhangpan <zhangpan103@h-partners.com> - 2.24.32-10
+- revert last commit
+
+* Tue Jan 16 2024 zhangpan <zhangpan103@h-partners.com> - 2.24.32-9
+- delete taboo words
+
+* Wed Mar 10 2021 yanan <yanan@huawei.com> - 2.24.32-8
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:use multi-thread to build
+
+* Fri Feb 28 2020 xiaoweiwei <xiaoweiwei5@huawei.com> - 2.24.32-7
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:disable immodules package
+
 * Mon Feb 24 2020 hexiujun <hexiujun1@huawei.com> - 2.24.32-6
 - Type:enhancement
 - ID:NA
@@ -234,5 +267,5 @@ gtk-query-immodules-2.0-64 --update-cache
 - SUG:NA
 - DESC:delete Patches
 
-* Thu Sep 14 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.24.32-4
+* Sat Sep 14 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.24.32-4
 - Package init