packages/glib2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!180 fix CVE-2024-34397

Browse Source 
From: @han_hui_hui 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
This commit is contained in:
openeuler-ci-bot 2024-06-18 10:23:51 +00:00 committed by Gitee
commit 33abcc008b
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 3397 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3301
backport-CVE-2024-34397.patch Normal file
View File

File diff suppressed because it is too large Load Diff

90
backport-gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a-well-known-name.patch Normal file
View File

@ -0,0 +1,90 @@
From d7c91ea7a5574e8d068b50c85350ee47c1ec5117 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Wed, 8 May 2024 10:09:40 +0100
Subject: [PATCH 1/2] gdbusconnection: Allow name owners to have the syntax of
a well-known name
In a D-Bus-Specification-compliant message bus, the owner of a well-known
name is a unique name. However, ibus has its own small implementation
of a message bus (src/ibusbus.c) in which org.freedesktop.IBus is
special-cased to also have itself as its owner (like org.freedesktop.DBus
on a standard message bus), and connects to that bus with the
G_DBUS_CONNECTION_FLAGS_MESSAGE_BUS_CONNECTION flag. The ability to do
this regressed when CVE-2024-34397 was fixed.
Relax the checks to allow the owner of a well-known name to be any valid
D-Bus name, even if it is not syntactically a unique name.
Fixes: 683b14b9 "gdbus: Track name owners for signal subscriptions"
Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/3353
Bug-Debian: https://bugs.debian.org/1070730
Bug-Debian: https://bugs.debian.org/1070736
Bug-Debian: https://bugs.debian.org/1070743
Bug-Debian: https://bugs.debian.org/1070745
Signed-off-by: Simon McVittie <smcv@debian.org>
---
gio/gdbusconnection.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
index ee994cecc5..fcbdffa23f 100644
--- a/gio/gdbusconnection.c
+++ b/gio/gdbusconnection.c
@@ -2380,7 +2380,7 @@ name_watcher_deliver_name_owner_changed_unlocked (SignalData *name_watcher,
/* Our caller already checked this */
g_assert (g_strcmp0 (name_watcher->arg0, name) == 0);
- if (G_LIKELY (new_owner[0] == '\0' || g_dbus_is_unique_name (new_owner)))
+ if (G_LIKELY (new_owner[0] == '\0' || g_dbus_is_name (new_owner)))
name_watcher_set_name_owner_unlocked (name_watcher, new_owner);
else
g_warning ("Received NameOwnerChanged signal with invalid owner \"%s\" for \"%s\"",
@@ -2432,7 +2432,7 @@ name_watcher_deliver_get_name_owner_reply_unlocked (SignalData *name_watcher,
g_variant_get (body, "(&s)", &new_owner);
- if (G_LIKELY (g_dbus_is_unique_name (new_owner)))
+ if (G_LIKELY (g_dbus_is_name (new_owner)))
name_watcher_set_name_owner_unlocked (name_watcher, new_owner);
else
g_warning ("Received GetNameOwner reply with invalid owner \"%s\" for \"%s\"",
--
GitLab
From dd3b2f8a5fb7397dc68d89ee48d60993eda36c43 Mon Sep 17 00:00:00 2001
From: Philip Withnall <philip@tecnocode.co.uk>
Date: Wed, 8 May 2024 14:31:12 +0000
Subject: [PATCH 2/2] Apply 2 suggestion(s) to 1 file(s)
---
gio/gdbusconnection.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
index fcbdffa23f..72e58fd77d 100644
--- a/gio/gdbusconnection.c
+++ b/gio/gdbusconnection.c
@@ -2380,6 +2380,9 @@ name_watcher_deliver_name_owner_changed_unlocked (SignalData *name_watcher,
/* Our caller already checked this */
g_assert (g_strcmp0 (name_watcher->arg0, name) == 0);
+ /* FIXME: This should be validating that `new_owner` is a unique name,
+ * but IBus implementation of a message bus is not compliant with the spec.
+ * See https://gitlab.gnome.org/GNOME/glib/-/issues/3353 */
if (G_LIKELY (new_owner[0] == '\0' || g_dbus_is_name (new_owner)))
name_watcher_set_name_owner_unlocked (name_watcher, new_owner);
else
@@ -2432,6 +2435,9 @@ name_watcher_deliver_get_name_owner_reply_unlocked (SignalData *name_watcher,
g_variant_get (body, "(&s)", &new_owner);
+ /* FIXME: This should be validating that `new_owner` is a unique name,
+ * but IBus implementation of a message bus is not compliant with the spec.
+ * See https://gitlab.gnome.org/GNOME/glib/-/issues/3353 */
if (G_LIKELY (g_dbus_is_name (new_owner)))
name_watcher_set_name_owner_unlocked (name_watcher, new_owner);
else
--
GitLab

7
glib2.spec
View File

@ -1,6 +1,6 @@
Name: glib2
Version: 2.72.2
Release: 14
Release: 15
Summary: The core library that forms the basis for projects such as GTK+ and GNOME
License: LGPLv2+
URL: http://www.gtk.org
@ -76,6 +76,8 @@ Patch6065: backport-gregex-if-JIT-stack-limit-is-reached-fall-back-to-inter
Patch6066: backport-Make-sure-the-GTask-is-freed-on-a-graceful-disconnect.patch
Patch6067: backport-gmessages-fix-dropping-irrelevant-log-domains.patch
Patch6068: backport-gutils-Fix-an-unlikely-minor-leak-in-g_build_user_data_dir.patch
patch6069: backport-CVE-2024-34397.patch
patch6070: backport-gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a-well-known-name.patch
BuildRequires: chrpath gcc gcc-c++ gettext perl-interpreter
BUildRequires: glibc-devel libattr-devel libselinux-devel meson
@ -262,6 +264,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
%endif
%changelog
* Tue Jun 18 2024 hanhuihui <hanhuihui5@huawei.com> - 2.72.2-15
- fix CVE-2024-34397
* Mon Feb 19 2024 hanhuihui <hanhuihui5@huawei.com> - 2.72.2-14
- disable sysprof