Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: pu
Hi, I’d like to upload an update (prepared by Raphaël) for gtk+3.0, which is necessary in order to fix librsvg’s CVE-2013-1881. Thanks for considering. -- Josselin Mouette
Index: debian/changelog
===================================================================
--- debian/changelog (révision 40301)
+++ debian/changelog (copie de travail)
@@ -1,3 +1,11 @@
+gtk+3.0 (3.4.2-7) stable; urgency=low
+
+ [ Raphaël Geissert ]
+ * Workaround new behaviour of librsvg (which implemented an origin
+ policy) by loading the file icon via a data: URI.
+
+ -- Josselin Mouette <j...@debian.org> Wed, 04 Dec 2013 14:06:28 +0100
+
 gtk+3.0 (3.4.2-6) unstable; urgency=low
 
 * Team upload.
Index: debian/patches/001_use_data_uris_for_symbolic_icons.patch
===================================================================
--- debian/patches/001_use_data_uris_for_symbolic_icons.patch (révision 0)
+++ debian/patches/001_use_data_uris_for_symbolic_icons.patch (copie de travail)
@@ -0,0 +1,37 @@
+Index: gtk+3.0-3.4.2/gtk/gtkicontheme.c
+===================================================================
+--- gtk+3.0-3.4.2.orig/gtk/gtkicontheme.c 2012-05-02 14:46:50.000000000 +0200
++++ gtk+3.0-3.4.2/gtk/gtkicontheme.c 2013-11-27 14:16:27.393901153 +0100
+@@ -3170,6 +3170,8 @@ _gtk_icon_info_load_symbolic_internal (G
+ GdkPixbuf *pixbuf;
+ gchar *data;
+ gchar *success, *warning, *err;
++ gchar *file_data, *escaped_file_data;
++ gsize file_len;
+ 
+ /* css_fg can't possibly have failed, otherwise
+ * that would mean we have a broken style */
+@@ -3193,6 +3195,11 @@ _gtk_icon_info_load_symbolic_internal (G
+ err = gdk_color_to_css (&error_default_color);
+ }
+ 
++ if (!g_file_get_contents (icon_info->filename, &file_data, &file_len, NULL))
++ return NULL;
++
++ escaped_file_data = g_markup_escape_text (file_data, file_len);
++ g_free (file_data);
+ 
+ data = g_strconcat ("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n"
+ "<svg version=\"1.1\"\n"
+@@ -3214,9 +3221,10 @@ _gtk_icon_info_load_symbolic_internal (G
+ " fill: ", css_success ? css_success : success," !important;\n"
+ " }\n"
+ " </style>\n"
+- " <xi:include href=\"", icon_info->filename, "\"/>\n"
++ " <xi:include href=\"data:text/xml,", escaped_file_data, "\"/>\n"
+ "</svg>",
+ NULL);
++ g_free (escaped_file_data);
+ g_free (warning);
+ g_free (err);
+ g_free (success);
Index: debian/patches/series
===================================================================
--- debian/patches/series (révision 40301)
+++ debian/patches/series (copie de travail)
@@ -1,3 +1,4 @@
+001_use_data_uris_for_symbolic_icons.patch
 015_default-fallback-icon-theme.patch
 016_no_offscreen_widgets_grabbing.patch
 017_no_offscreen_device_grabbing.patch
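Review bot: The early `return NULL` added after the `g_file_get_contents` call in the second inner hunk leaks the three colour strings the function still owns at that point — `success`, `warning` and `err` come from `gdk_color_to_css` just above and are only released by the `g_free` calls at the end of the third inner hunk, so every unreadable icon file now leaks them. The failure path should release those strings before returning, as sketched below; `_gtk_icon_info_load_symbolic_internal` starts and ends outside the hunk, so any other allocation made earlier in the function (for instance whatever backs `css_fg`) would need the same treatment. Passing `NULL` as the `GError **` also discards the reason the file could not be read; if the function has a `GError **` out-parameter (its signature is truncated in the hunk header), forwarding it there would let callers see the real cause instead of a bare `NULL`. Finally, `g_markup_escape_text` expects valid UTF-8 but is handed raw file contents, so a comment such as `/* icon files are theme-provided SVG, assumed valid UTF-8 */` or a `g_utf8_validate` check before the escape would make that assumption explicit.
```c
  if (!g_file_get_contents (icon_info->filename, &file_data, &file_len, NULL))
    {
      /* release what is already owned; the normal path frees these at the end */
      g_free (warning);
      g_free (err);
      g_free (success);
      return NULL;
    }
  /* … unchanged: escape file_data and build the wrapper SVG … */
```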