Bug#688512: unblock or tpu: glib2.0/2.33.12+really2.32.4-1
Control: tag -1 pending d-i

On 2012-10-06 02:44, Josselin Mouette wrote:
> I have just uploaded version 2.33.12+really2.32.4-2 because of a security vulnerability:
>
> glib2.0 (2.33.12+really2.32.4-2) unstable; urgency=medium
>
>   * Revert link adding for gdbus-object-manager-example. While it is useful to have in /usr/share/doc as an example, it must not be shipped with the system documentation.
>   * 20_glib-compile-resources_leak.patch: new patch. Fix a leak introduced in version 2.32.4. Thanks Niels Thykier!
>   * SECURITY: add 11_CVE-2012-3524_setuid.patch from upstream. Prevents using DBus in a setuid binary. Fixes CVE-2012-3524.
>
> Attached is the diff between -1 and -2.
>
> Cheers,

Unblock added, unblock-udeb pending d-i approval.

Thanks,
~Niels

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#688512: unblock or tpu: glib2.0/2.33.12+really2.32.4-1
I have just uploaded version 2.33.12+really2.32.4-2 because of a security vulnerability:

glib2.0 (2.33.12+really2.32.4-2) unstable; urgency=medium

  * Revert link adding for gdbus-object-manager-example. While it is useful to have in /usr/share/doc as an example, it must not be shipped with the system documentation.
  * 20_glib-compile-resources_leak.patch: new patch. Fix a leak introduced in version 2.32.4. Thanks Niels Thykier!
  * SECURITY: add 11_CVE-2012-3524_setuid.patch from upstream. Prevents using DBus in a setuid binary. Fixes CVE-2012-3524.

Attached is the diff between -1 and -2.

Cheers,
-- 
 .''`.  Josselin Mouette
: :' :
`. `'
  `-

Index: debian/control === Index: debian/patches/11_CVE-2012-3524_setuid.patch === --- debian/patches/11_CVE-2012-3524_setuid.patch (.../2.33.12+really2.32.4-1) (révision 0) +++ debian/patches/11_CVE-2012-3524_setuid.patch (.../2.33.12+really2.32.4-2) (révision 35895) 
@@ -0,0 +1,247 @@ +From 4c2928a54482913cf236bff0e66650a8f47e17ea Mon Sep 17 00:00:00 2001 +From: Colin Walters walt...@verbum.org +Date: Wed, 22 Aug 2012 18:26:11 + +Subject: CVE-2012-3524: Hardening for being run in a setuid environment + +Some programs attempt to use libglib (or even libgio) when setuid. +For a long time, GTK+ simply aborted if launched in this +configuration, but we never had a real policy for GLib. + +I'm not sure whether we should advertise such support. However, given +that there are real-world programs that do this currently, we can make +them safer with not too much effort. + +Better to fix a problem caused by an interaction between two +components in *both* places if possible. + +This patch adds a private function g_check_setuid() which is used to +first ensure we don't run an external dbus-launch binary if +DBUS_SESSION_BUS_ADDRESS isn't set. + +Second, we also ensure the local VFS is used in this case. The +gdaemonvfs extension point will end up talking to the session bus +which is typically undesirable in a setuid context. + +Implementing g_check_setuid() is interesting - whether or not we're +running in a privilege-escalated path is operating system specific. +Note that GTK+'s code to check euid versus uid worked historically on +Unix, more modern systems have filesystem capabilities and SELinux +domain transitions, neither of which are captured by the uid +comparison. + +On Linux/glibc, the way this works is that the kernel sets an +AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on +startup. If found, then glibc sets a public-but-undocumented +__libc_enable_secure variable which we can use. Unfortunately, while +it *previously* worked to check this variable, a combination of newer +binutils and RPM break it: +http://www.openwall.com/lists/owl-dev/2012/08/14/1 + +So for now on Linux/glibc, we fall back to the historical Unix version +until we get glibc fixed. + +On some BSD variants, there is a issetugid() function. 
On other Unix +variants, we fall back to what GTK+ has been doing. + +Reported-By: Sebastian Krahmer krah...@suse.de +Signed-off-by: Colin Walters walt...@verbum.org +--- +diff --git a/configure.ac b/configure.ac +index 584df1d..67ea1a9 100644 +--- a/configure.ac b/configure.ac +@@ -583,9 +583,20 @@ AC_TRY_COMPILE([#include dirent.h], [DIR *dir;], + # Checks for library functions. + AC_FUNC_VPRINTF + AC_FUNC_ALLOCA +-AC_CHECK_FUNCS(mmap posix_memalign memalign valloc fsync pipe2) ++AC_CHECK_FUNCS(mmap posix_memalign memalign valloc fsync pipe2 issetugid) + AC_CHECK_FUNCS(atexit on_exit timegm gmtime_r) + ++AC_CACHE_CHECK([for __libc_enable_secure], glib_cv_have_libc_enable_secure, ++ [AC_TRY_LINK([#include unistd.h ++extern int __libc_enable_secure;], ++[return __libc_enable_secure;], ++ glib_cv_have_libc_enable_secure=yes, ++ glib_cv_have_libc_enable_secure=no)]) ++AS_IF([test x$glib_cv_have_libc_enable_secure = xyes], [ ++ AC_DEFINE(HAVE_LIBC_ENABLE_SECURE, 1, ++ [Define if you have the __libc_enable_secure variable (GNU libc, eglibc)]) ++]) ++ + AC_CHECK_SIZEOF(char) + AC_CHECK_SIZEOF(short) + AC_CHECK_SIZEOF(long) +@@ -984,7 +995,7 @@ AC_MSG_RESULT(unsigned $glib_size_type) + + # Check for some functions + AC_CHECK_FUNCS(lstat strerror strsignal memmove vsnprintf stpcpy strcasecmp strncasecmp poll getcwd vasprintf setenv unsetenv getc_unlocked readlink symlink fdwalk memmem) +-AC_CHECK_FUNCS(chown lchmod lchown fchmod fchown link utimes getgrgid getpwuid) ++AC_CHECK_FUNCS(chown lchmod lchown fchmod fchown link utimes getgrgid getpwuid getresuid) + AC_CHECK_FUNCS(getmntent_r setmntent endmntent hasmntopt getfsstat getvfsstat) + # Check for high-resolution sleep functions + AC_CHECK_FUNCS(splice) +diff --git a/gio/gdbusaddress.c b/gio/gdbusaddress.c +index 4aa13b9..96b6343 100644 +--- a/gio/gdbusaddress.c b/gio/gdbusaddress.c +@@ -37,6 +37,7 @@
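Review bot: the AC_CACHE_CHECK for __libc_enable_secure in the first configure.ac hunk only proves that the symbol links, while the commit message above says the variable is currently unreliable with newer binutils and RPM and that the Linux/glibc build falls back to the uid comparison for now. Either leave HAVE_LIBC_ENABLE_SECURE undefined until a code path actually consults it, or put a comment next to the AC_DEFINE saying why it is detected but unused, so a later reader does not re-enable that path by accident. Style: AC_TRY_LINK is obsolete in current autoconf; the documented form is AC_LINK_IFELSE([AC_LANG_PROGRAM([...], [...])], [...], [...]).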
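Review bot: the second configure.ac hunk adds getresuid to AC_CHECK_FUNCS but not getresgid, so the fallback path can confirm only the real, effective and saved uids; a setgid-only binary, or one that has dropped its effective gid but kept the saved one, passes a uid-only comparison. Suggest `AC_CHECK_FUNCS(chown lchmod lchown fchmod fchown link utimes getgrgid getpwuid getresuid getresgid)` and comparing the three gids alongside the uids in g_check_setuid().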
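The detection the commit message describes (kernel/libc "secure" flag first, then issetugid(), then the uid/gid comparison GTK+ used), followed by the gate it puts around dbus-launch, as an added example in C. This is not GLib's g_check_setuid() and not part of this bug thread. It assumes getauxval(AT_SECURE) (glibc 2.16 and later, the documented reader of the same AT_SECURE flag that __libc_enable_secure is derived from) in place of the undocumented variable the patch probes, issetugid() on the BSDs, and getresuid()/getresgid() so that saved ids are compared too. The names ids_look_privileged(), running_setuid(), decide_session_bus() and the bus_decision values are my own, not GLib API.

```c
/* Added example (not GLib code): detect a privilege-escalated process
 * the way the CVE-2012-3524 commit message describes, then gate the
 * dbus-launch spawn on the answer. Assumptions are marked below. */
#define _GNU_SOURCE            /* getresuid()/getresgid() on glibc */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

#if defined(__linux__)
#include <sys/auxv.h>          /* getauxval(AT_SECURE), glibc >= 2.16 (assumption) */
/* Prototyped here as well so the block still builds if this translation
 * unit is compiled without _GNU_SOURCE taking effect. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);
#endif

/* Pure comparison over all six ids. A saved uid that differs from the
 * real uid means the binary was exec'd with another effective uid and
 * may merely have dropped it for the moment; the historical euid != uid
 * test misses that case. Kept free of syscalls so it can be exercised
 * with arbitrary ids from a process that is not setuid. */
bool ids_look_privileged(uid_t ruid, uid_t euid, uid_t suid,
                         gid_t rgid, gid_t egid, gid_t sgid)
{
    return ruid != euid || ruid != suid ||
           rgid != egid || rgid != sgid;
}

/* OS-specific detection in the order the commit message gives. */
bool running_setuid(void)
{
#if defined(__linux__)
    /* AT_SECURE is set by the kernel for setuid/setgid binaries and for
     * file-capability and LSM domain transitions, which no uid
     * comparison can see. It is the flag __libc_enable_secure is derived
     * from, read here through the documented API instead. */
    if (getauxval(AT_SECURE) != 0)
        return true;
#endif
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__)
    /* issetugid() is sticky: it stays set even after the ids are reset. */
    if (issetugid() != 0)
        return true;
#endif
#if defined(__linux__) || defined(__FreeBSD__) || defined(__OpenBSD__)
    {
        uid_t ruid, euid, suid;
        gid_t rgid, egid, sgid;
        if (getresuid(&ruid, &euid, &suid) == 0 &&
            getresgid(&rgid, &egid, &sgid) == 0)
            return ids_look_privileged(ruid, euid, suid, rgid, egid, sgid);
    }
#endif
    /* Portable fallback: what GTK+ historically did. */
    return getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical gate modelled on the patch's first use of g_check_setuid():
 * an address already in the environment is used as-is, but a privileged
 * process never execs dbus-launch to discover one. */
typedef enum { BUS_USE_ENV_ADDRESS, BUS_SPAWN_DBUS_LAUNCH, BUS_REFUSE } bus_decision;

bus_decision decide_session_bus(const char *env_address, bool privileged)
{
    if (env_address != NULL && env_address[0] != '\0')
        return BUS_USE_ENV_ADDRESS;   /* no child process needed */
    if (privileged)
        return BUS_REFUSE;            /* refuse rather than spawn a helper while setuid */
    return BUS_SPAWN_DBUS_LAUNCH;
}

int main(void)
{
    bool priv = running_setuid();
    bus_decision d = decide_session_bus(getenv("DBUS_SESSION_BUS_ADDRESS"), priv);
    printf("privileged=%d decision=%s\n", priv,
           d == BUS_USE_ENV_ADDRESS ? "use DBUS_SESSION_BUS_ADDRESS"
         : d == BUS_SPAWN_DBUS_LAUNCH ? "spawn dbus-launch"
         : "refuse: setuid");
    return 0;
}
```

Build with `cc -Wall setuid_check.c -o setuid_check`; to exercise the privileged branch, chown the binary to root and chmod u+s it (or set a file capability on it), then run it as an ordinary user. The order of the checks matters: AT_SECURE and issetugid() stay set for the life of the process, whereas the id comparison goes quiet as soon as a program resets all three uids and gids, which is the gap the commit message points at. The patch as described only gates the spawn of dbus-launch; it says nothing about whether DBUS_SESSION_BUS_ADDRESS itself should be trusted from a setuid process's environment, and this example follows it on that point.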
Bug#688512: unblock or tpu: glib2.0/2.33.12+really2.32.4-1
Control: tags -1 moreinfo

On 2012-09-25 11:03, Josselin Mouette wrote:
> This bug didn't make it through the list at first because the diff is too large.
>
> On Sunday 23 September 2012 at 13:16 +0200, Josselin Mouette wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> >
> > Hi,
> >
> > I just uploaded a new glib2.0 package to unstable. The differences to testing are:
> > [...]
> > The full diff is attached, stripped of the autogenerated parts. It is quite large, but most of it consists of documentation improvements and function decorators. There are also quite a number of bugs fixed - the release is bugfix only so large changes are not included.
> >
> > In order to avoid having the ugly version number in a release, I propose to let this version age for 10 days in unstable, then re-upload it to testing with the 2.32.4-1 version number.
> >
> > Thanks for considering,

Hi,

The diff looks mostly reasonable, though I have one case where it seems to me that the new version introduces a leak (see attached glib.leak).

Other than that, I think it may have to wait until the next d-i beta is out. Personally I do not mind the extra couple of days in unstable as the diff is rather large and I could quite possibly have missed something.

Also, on the part of (re-)uploading it as 2.32.{4,5}-1 via t-p-u. I am not sure it is an acceptable use of t-p-u, so my default would be no on this.

~Niels

It seems to me that stderr_child may be leaked when goto cleanup paths are taken?

diff -Nru glib2.0-2.32.3/gio/glib-compile-resources.c glib2.0-2.33.12+really2.32.4/gio/glib-compile-resources.c --- glib2.0-2.32.3/gio/glib-compile-resources.c 2012-03-29 22:43:04.0 + +++ glib2.0-2.33.12+really2.32.4/gio/glib-compile-resources.c 2012-07-14 20:33:11.0 + @@ -272,6 +272,7 @@ if (state-preproc_options) { gchar **options; + gchar *stderr_child = NULL; guint i; gboolean xml_stripblanks = FALSE; gboolean to_pixdata = FALSE; 
@@ -324,9 +325,8 @@ g_assert (argc = G_N_ELEMENTS (argv)); if (!g_spawn_sync (NULL /* cwd */, argv, NULL /* envv */, - G_SPAWN_STDOUT_TO_DEV_NULL | - G_SPAWN_STDERR_TO_DEV_NULL, - NULL, NULL, NULL, NULL, status, my_error)) + G_SPAWN_STDOUT_TO_DEV_NULL, + NULL, NULL, NULL, stderr_child, status, my_error)) { g_propagate_error (error, my_error); goto cleanup; @@ -334,12 +334,13 @@ #ifdef HAVE_SYS_WAIT_H if (!WIFEXITED (status) || WEXITSTATUS (status) != 0) { - g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED, - _(Error processing input file with xmllint)); + g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, + _(Error processing input file with xmllint:\n%s), stderr_child); goto cleanup; } #endif + g_free (stderr_child); g_free (real_file); real_file = g_strdup (tmp_file); } @@ -347,6 +348,7 @@ if (to_pixdata) { gchar *argv[4]; + gchar *stderr_child = NULL; int status, fd, argc; if (gdk_pixbuf_pixdata == NULL) @@ -379,9 +381,8 @@ g_assert (argc = G_N_ELEMENTS (argv)); if (!g_spawn_sync (NULL /* cwd */, argv, NULL /* envv */, - G_SPAWN_STDOUT_TO_DEV_NULL | - G_SPAWN_STDERR_TO_DEV_NULL, - NULL, NULL, NULL, NULL, status, my_error)) + G_SPAWN_STDOUT_TO_DEV_NULL, + NULL, NULL, NULL, stderr_child, status, my_error)) { g_propagate_error (error, my_error); goto cleanup; @@ -389,12 +390,13 @@ #ifdef HAVE_SYS_WAIT_H if (!WIFEXITED (status) || WEXITSTATUS (status) != 0) { - g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED, - _(Error processing input file with to-pixdata)); + g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, + _(Error processing input file with to-pixdata:\n%s), stderr_child); goto cleanup; } #endif + g_free (stderr_child); g_free (real_file); real_file = g_strdup (tmp_file2); } end of chunks for this file
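Review bot: in the hunk at @@ -334,12 +334,13 @@, stderr_child is freed only on the success path (the `+ g_free (stderr_child);` after `#endif`); the `goto cleanup` taken right after the new g_set_error leaves the string allocated, and because stderr_child is declared inside the preproc_options block (hunk @@ -272,6 +272,7 @@) the cleanup label cannot free it either. Free it before the goto, or declare it at function scope alongside real_file and free it under cleanup.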
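Review bot: the hunk at @@ -347,6 +348,7 @@ declares a second `gchar *stderr_child = NULL;` inside the to_pixdata block while the hunk at @@ -272,6 +272,7 @@ already declared one in the enclosing block; the inner one shadows the outer, which compiles but rules out freeing both in one place, and the to-pixdata error path at @@ -389,12 +390,13 @@ has the same leak on `goto cleanup`. Declare one stderr_child per spawn branch (xmllint and to-pixdata) and free it on both the error and the success path.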
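Review bot: with G_SPAWN_STDERR_TO_DEV_NULL dropped and the address of stderr_child passed in the hunks at @@ -324,9 +325,8 @@ and @@ -379,9 +381,8 @@, the child's entire stderr is read into memory and copied verbatim into the GError text. That is acceptable for a build tool, but consider g_strchomp (stderr_child) before the g_set_error call so the trailing newline from xmllint or to-pixdata does not leave a dangling blank line in the message.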
Bug#688512: unblock or tpu: glib2.0/2.33.12+really2.32.4-1
On Friday 28 September 2012 at 12:56 +0200, Niels Thykier wrote:
> The diff looks mostly reasonable, though I have one case where it seems to me that the new version introduces a leak (see attached glib.leak).

Thanks for the thorough review. I have committed a fix for the leak in our SVN and reported it upstream. Note that it has a small impact since it only affects glib-compile-resources, not the library itself.

Changes currently sitting in our svn are attached (since they also target wheezy).

> Other than that, I think it may have to wait until the next d-i beta is out. Personally I do not mind the extra couple of days in unstable as the diff is rather large and I could quite possibly have missed something.

Sure.

> Also, on the part of (re-)uploading it as 2.32.{4,5}-1 via t-p-u. I am not sure it is an acceptable use of t-p-u, so my default would be no on this.

As you wish. It is mostly a cosmetic issue.

Cheers,
-- 
 .''`.  Josselin Mouette
: :' :
`. `'
  `-

Index: debian/libglib2.0-doc.links === --- debian/libglib2.0-doc.links (révision 35787) +++ debian/libglib2.0-doc.links (copie de travail) @@ -2,4 +2,3 @@ usr/share/doc/libglib2.0-doc/gio usr/share/gtk-doc/html/gio usr/share/doc/libglib2.0-doc/glib usr/share/gtk-doc/html/glib usr/share/doc/libglib2.0-doc/gobject usr/share/gtk-doc/html/gobject -usr/share/doc/libglib2.0-doc/gdbus-object-manager-example usr/share/gtk-doc/html/gdbus-object-manager-example Index: debian/patches/20_glib-compile-resources_leak.patch === --- debian/patches/20_glib-compile-resources_leak.patch (révision 0) +++ debian/patches/20_glib-compile-resources_leak.patch (révision 35834) 
@@ -0,0 +1,36 @@ +Index: glib2.0-2.33.12+really2.32.4/gio/glib-compile-resources.c +=== +--- glib2.0-2.33.12+really2.32.4.orig/gio/glib-compile-resources.c 2012-07-14 22:33:11.0 +0200 glib2.0-2.33.12+really2.32.4/gio/glib-compile-resources.c 2012-09-28 21:32:32.168548276 +0200 +@@ -272,7 +272,6 @@ end_element (GMarkupParseContext *conte + if (state-preproc_options) + { + gchar **options; +- gchar *stderr_child = NULL; + guint i; + gboolean xml_stripblanks = FALSE; + gboolean to_pixdata = FALSE; +@@ -298,6 +297,7 @@ end_element (GMarkupParseContext *conte + if (xml_stripblanks xmllint != NULL) + { + gchar *argv[8]; ++ gchar *stderr_child = NULL; + int status, fd, argc; + + tmp_file = g_strdup (resource-); +@@ -336,6 +336,7 @@ end_element (GMarkupParseContext *conte + { + g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, +_(Error processing input file with xmllint:\n%s), stderr_child); ++ g_free (stderr_child); + goto cleanup; + } + #endif +@@ -392,6 +393,7 @@ end_element (GMarkupParseContext *conte + { + g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, + _(Error processing input file with to-pixdata:\n%s), stderr_child); ++ g_free (stderr_child); + goto cleanup; + } + #endif Index: debian/patches/series === --- debian/patches/series (révision 35787) +++ debian/patches/series (copie de travail) @@ -4,6 +4,7 @@ 04_homedir_env.patch 05_run-gio-tests-with-a-dbus-session.patch 10_gdbus_race.patch +20_glib-compile-resources_leak.patch 61_glib-compile-binaries-path.patch 90_gio-modules-multiarch-compat.patch 91_revert_schema_path_warning.patch Index: debian/changelog === --- debian/changelog (révision 35787) +++ debian/changelog (copie de travail) 
@@ -1,3 +1,13 @@ +glib2.0 (2.33.12+really2.32.4-2) UNRELEASED; urgency=low + + * Revert link adding for gdbus-object-manager-example. While it is +useful to have in /usr/share/doc as an example, it must not be +shipped with the system documentation. + * 20_glib-compile-resources_leak.patch: new patch. Fix a leak +introduced in version 2.32.4. Thanks Niels Thykier! + + -- Josselin Mouette j...@debian.org Sun, 23 Sep 2012 13:26:33 +0200 + glib2.0 (2.33.12+really2.32.4-1) unstable; urgency=low * New upstream bugfix release.
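Review bot: 20_glib-compile-resources_leak.patch carries no DEP-3 header; the file begins directly with `Index: glib2.0-2.33.12+really2.32.4/gio/glib-compile-resources.c`. Since the reply above says the leak was reported upstream, add `Description:`, `Origin:`/`Bug:` pointing at that report and `Forwarded: yes` so the patch can be tracked until it lands in a GLib release and dropped.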
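Review bot: a comment is missing at the two added `g_free (stderr_child);` lines (hunks @@ -336,6 +336,7 @@ and @@ -392,6 +393,7 @@) explaining that g_set_error has already formatted its own copy of the string, so freeing before `goto cleanup` is safe, and that the pre-existing free after `#endif` still covers the success path; without it the next reader will suspect a double free. Moving the declaration into the xmllint block (hunk @@ -298,6 +297,7 @@) also removes the shadowing between the two branches, which is worth a line in the changelog entry alongside the leak.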
Bug#688512: unblock or tpu: glib2.0/2.33.12+really2.32.4-1
This bug didn’t make it through the list at first because the diff is too large.

On Sunday 23 September 2012 at 13:16 +0200, Josselin Mouette wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Hi,
>
> I just uploaded a new glib2.0 package to unstable. The differences to testing are:
>
> glib2.0 (2.33.12+really2.32.4-1) unstable; urgency=low
>
>   * New upstream bugfix release.
>   * 10_gdbus_race.patch: stolen from upstream git. Fix a race condition that would make gnome-shell crash on startup under some conditions.
>   * libglib2.0-bin.install: bash completions have moved to /usr/share.
>   * libglib2.0-bin.maintscript: remove old conffiles.
>   * Add appropriate pre-dependency.
>   * libglib2.0-doc.links: add link for gdbus-object-manager-example.
>
>  -- Josselin Mouette j...@debian.org  Sat, 22 Sep 2012 17:59:34 +0200
>
> glib2.0 (2.33.12+really2.32.3-2) unstable; urgency=low
>
>   * Explicitly set the shlibs version to 2.32.3 to not generate overly strict dependencies for udeb packages.
>
>  -- Michael Biebl bi...@debian.org  Wed, 19 Sep 2012 21:25:56 +0200
>
> glib2.0 (2.33.12+really2.32.3-1) unstable; urgency=low
>
>   * Brown paper bag upload
>   * Re-upload version previously in unstable to supersede the experimental-targeted version previously mistakenly uploaded there.
>
>  -- Iain Lane la...@debian.org  Mon, 10 Sep 2012 22:52:32 +0100
>
> Overview of changes from GLib 2.32.3 to 2.32.4
> ==============================================
>
> * Bugs fixed:
>  639771 g_dir_read_name() can also return NULL on error
>  660851 Breakage of code due to changes in the GThread...
>  666386 Empathy doesn't open Redirect URI with particu...
>  671545 Constify collect and lcopy strings in GTypeVal...
>  672329 memory leaks in gutils.c and glib tests
>  672548 g_utf8_validate: @str shouldn't end up annotat...
>  672889 GLib.utf8_validate does segfault
>  673253 Not strict enough autconf test for libelf
>  674452 SEGFAULT in gio contenttype test
>  674777 What's the (transfer) of g_variant_lookup()?
>  675309 gkeyfile: Fix annotations for g_key_file_load_...
>  675446 gfile: Plug memory leak in g_file_make_directo...
>  675832 Incomplete gsettings bash auto-completion
>  676265 GNetworkMonitor leaks a lot of memory
>  676277 Document that g_app_info_create_from_commandli...
>  676397 g_environ_* should work with NULL envp
>  676594 [Patch] fix g_reload_user_special_dirs_cache
>  676816 Add more GLIB_AVAILABLE_IN_*
>  677235 Clarify the comment at the top of gmarshal.list
>  677782 Install bash completion files in /usr/share
>  677817 g_key_file_to_data adds extra blank lines in so...
>  677952 Missing annotation for GDBusConnection signal ...
>  678052 g_wakeup_acknowledge is called too often.
>  678066 gdbus codegen does not work with python3
>  678273 unicode othercasing is wrong in gregex
>  678333 gdbus-codegen code causes warnings under -Wfloa...
>  678758 GTlsInteraction unlocks an unlocked mutex
>  678881 Test failures in /socket/timed_wait in some cas...
>  678941 /contenttype/guess test case failure
>  678944 gio returns the wrong default applications for ...
>  678949 wrong definition of ulong_bool for 64 bit big e...
>  678959 /mainloop/timeouts race condition: assertion fa...
>  679258 The 'Since' tag for G_SOURCE_CONTINUE and G_SOU...
>  679671 Misc fixes for g_dbus_node_info_new_for_xml
>  679813 Documentation bug on http://developer.gnome.org...
>
> The full diff is attached, stripped of the autogenerated parts. It is quite large, but most of it consists of documentation improvements and function decorators. There are also quite a number of bugs fixed - the release is bugfix only so large changes are not included.
>
> In order to avoid having the ugly version number in a release, I propose to let this version age for 10 days in unstable, then re-upload it to testing with the 2.32.4-1 version number.
>
> Thanks for considering,
> -- 
>  .''`.  Josselin Mouette
> : :' :
> `. `'
>   `-