!82 Fix CVE-2024-6655: Library injection from CWD

From: @fundawang Reviewed-by: @yanan-rock Signed-off-by: @yanan-rock
2024-07-23 06:21:10 +00:00 · 2024-07-23 06:21:10 +00:00 · b8b9ba6bbb
commit b8b9ba6bbb
parent 303c23dda7 435a349673
2 changed files with 40 additions and 1 deletions
--- a/backport-gtk+-3.24-CVE-2024-6655.patch
+++ b/backport-gtk+-3.24-CVE-2024-6655.patch
@ -0,0 +1,35 @@
+From 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Sat, 15 Jun 2024 14:18:01 -0400
+Subject: [PATCH] Stop looking for modules in cwd
+
+This is just not a good idea. It is surprising, and can be misused.
+
+Fixes: #6786
+---
+ gtk/gtkmodules.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
+index 704e412aeb5..f93101c272e 100644
+--- a/gtk/gtkmodules.c
+++ b/gtk/gtkmodules.c
+@@ -214,13 +214,8 @@ find_module (const gchar *name)
+   gchar *module_name;
+ 
+   module_name = _gtk_find_module (name, "modules");
+-  if (!module_name)
+-    {
+-      /* As last resort, try loading without an absolute path (using system
+-       * library path)
+-       */
+-      module_name = g_module_build_path (NULL, name);
+-    }
+  if (module_name == NULL)
+    return NULL;
+ 
+   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
+ 
+-- 
+GitLab
+
--- a/gtk3.spec
+++ b/gtk3.spec
@ -14,7 +14,7 @@
 #Basic Information
 Name:    gtk3
 Version: 3.24.21
-Release: 5
+Release: 6
 Summary: GTK+ graphical user interface library
 License: LGPLv2+
 URL:     http://www.gtk.org
@ -49,6 +49,7 @@ Obsoletes:     gtk-solidity-engine < 0.4.1-9
 Obsoletes:     oxygen-gtk3 < 2:1.4.1

 Patch0:    gtk3-B.3.24.21-translate-information-to-chinese.patch
+Patch1:    backport-gtk+-3.24-CVE-2024-6655.patch

 %description
 GTK+ is an object-oriented widget toolkit written in the programming language C;
@ -262,6 +263,9 @@ gtk-query-immodules-3.0-64 --update-cache &>/dev/null || :
 %{_mandir}/man1/gtk3-widget-factory.1*

 %changelog
+* Thu Jul 11 2024 Funda Wang <fundawang@yeah.net> - 3.24.21-6
+- Fix CVE-2024-6655: Library injection from CWD
+
 * Thu Jan 18 2024 zhangpan <zhangpan103@h-partners.com> - 3.24.21-5
 - revert delete taboo words commit