Hello Curaga, or anyone else affected,

Accepted gtk+2.0 into zesty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/gtk+2.0/2.24.31-1ubuntu1.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-zesty to verification-done-zesty. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-zesty. In either case, details of your testing
will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gtk+2.0 in Ubuntu.
https://bugs.launchpad.net/bugs/1641912

Title:
  Please backport two recent-manager patches

Status in GTK+:
  Fix Released
Status in gtk+2.0 package in Ubuntu:
  Fix Released
Status in gtk+2.0 source package in Xenial:
  In Progress
Status in gtk+2.0 source package in Yakkety:
  Won't Fix
Status in gtk+2.0 source package in Zesty:
  Fix Committed
Status in gtk+2.0 source package in Artful:
  Fix Released

Bug description:
  [Impact]

  Without these fixes, a specially crafted GTK program can cause a
  Denial of Service attack on any machine with open GTK programs.

  [Test Case]

  In the GitHub issue against mate-panel, an individual with the GitHub
  username clbr wrote a Proof of Concept that can be used to demonstrate
  that this bug is affecting the system, and this is found here:
  http://pastebin.ca/3733209

  The commenter reports that the Proof of Concept can be built with the
  following command:
  gcc -o killer killer.c `pkg-config --cflags --libs gtk+-2.0`

  [Regression Potential]

  This fix has been uploaded to Artful and has passed to artful-release,
  causing no installability problems or autopkgtest regressions.

  As for the fix itself, there was already a regression spotted, but the
  patch fixing that regression has been spotted and also fixed in this
  upload. Since it is putting a limit on the list's size, although this
  is highly unlikely at this point in time, epgfm on the GitHub issue
  points out the following:

  "...

  However, the incoming fix set a large number of items (1000) as a hard
  limit.

  ...

  Does an application really need to store 1K recent files? I think
  even the badassest screen you can possibly buy now wouldn't have
  enough vertical space to display them all."

  Should there be the unlikely event that a program needs to use that
  many recent files, the program will have some issues, but that is a
  bug in the program that needs to use that many recent files, not GTK
  itself.

  tl;dr: low regression potential; where there will be regressions is
  in excessively large GTK programs, but that is a bug in the program
  itself for taking up that much space, not GTK.

  [Original Description]

  https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=a3b2d6a65be9f592de9570c227df00f910167e9e
  https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=35871edb318083b2d7e4758cbdaad6109eed60ca

  Please apply/backport these two patches from the 2.24 branch. They fix a
  memory DOS, originally reported against mate-panel here:
  https://github.com/mate-desktop/mate-panel/issues/479

  For the GTK3 version of this bug, see bug 1641914.
  Note that MATE is GTK2 only for Ubuntu 16.04 LTS.

To manage notifications about this bug go to:
https://bugs.launchpad.net/gtk/+bug/1641912/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp