Bug#688512: unblock or tpu: glib2.0/2.33.12+really2.32.4-1

2012-10-14 Thread Niels Thykier
Control: tag -1 pending d-i

On 2012-10-06 02:44, Josselin Mouette wrote:
> I have just uploaded version 2.33.12+really2.32.4-2 because of a
> security vulnerability:
>
> glib2.0 (2.33.12+really2.32.4-2) unstable; urgency=medium
>
>   * Revert link adding for gdbus-object-manager-example. While it is
>     useful to have in /usr/share/doc as an example, it must not be
>     shipped with the system documentation.
>   * 20_glib-compile-resources_leak.patch: new patch. Fix a leak
>     introduced in version 2.32.4. Thanks Niels Thykier!
>   * SECURITY: add 11_CVE-2012-3524_setuid.patch from upstream. Prevents
>     using DBus in a setuid binary. Fixes CVE-2012-3524.
>
> Attached is the diff between -1 and -2.
>
> Cheers,

Unblock added, unblock-udeb pending d-i approval.

Thanks,
~Niels


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#688512: unblock or tpu: glib2.0/2.33.12+really2.32.4-1

2012-10-05 Thread Josselin Mouette
I have just uploaded version 2.33.12+really2.32.4-2 because of a
security vulnerability:

glib2.0 (2.33.12+really2.32.4-2) unstable; urgency=medium

  * Revert link adding for gdbus-object-manager-example. While it is
    useful to have in /usr/share/doc as an example, it must not be
    shipped with the system documentation.
  * 20_glib-compile-resources_leak.patch: new patch. Fix a leak
    introduced in version 2.32.4. Thanks Niels Thykier!
  * SECURITY: add 11_CVE-2012-3524_setuid.patch from upstream. Prevents
    using DBus in a setuid binary. Fixes CVE-2012-3524.

Attached is the diff between -1 and -2.

Cheers,
-- 
 .''`.  Josselin Mouette
: :' :
`. `'
  `-
Index: debian/control
===
Index: debian/patches/11_CVE-2012-3524_setuid.patch
===
--- debian/patches/11_CVE-2012-3524_setuid.patch	(.../2.33.12+really2.32.4-1)	(révision 0)
+++ debian/patches/11_CVE-2012-3524_setuid.patch	(.../2.33.12+really2.32.4-2)	(révision 35895)
@@ -0,0 +1,247 @@
+From 4c2928a54482913cf236bff0e66650a8f47e17ea Mon Sep 17 00:00:00 2001
+From: Colin Walters walt...@verbum.org
+Date: Wed, 22 Aug 2012 18:26:11 +
+Subject: CVE-2012-3524: Hardening for being run in a setuid environment
+
+Some programs attempt to use libglib (or even libgio) when setuid.
+For a long time, GTK+ simply aborted if launched in this
+configuration, but we never had a real policy for GLib.
+
+I'm not sure whether we should advertise such support.  However, given
+that there are real-world programs that do this currently, we can make
+them safer with not too much effort.
+
+Better to fix a problem caused by an interaction between two
+components in *both* places if possible.
+
+This patch adds a private function g_check_setuid() which is used to
+first ensure we don't run an external dbus-launch binary if
+DBUS_SESSION_BUS_ADDRESS isn't set.
+
+Second, we also ensure the local VFS is used in this case.  The
+gdaemonvfs extension point will end up talking to the session bus
+which is typically undesirable in a setuid context.
+
+Implementing g_check_setuid() is interesting - whether or not we're
+running in a privilege-escalated path is operating system specific.
+Note that GTK+'s code to check euid versus uid worked historically on
+Unix, more modern systems have filesystem capabilities and SELinux
+domain transitions, neither of which are captured by the uid
+comparison.
+
+On Linux/glibc, the way this works is that the kernel sets an
+AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on
+startup.  If found, then glibc sets a public-but-undocumented
+__libc_enable_secure variable which we can use.  Unfortunately, while
+it *previously* worked to check this variable, a combination of newer
+binutils and RPM break it:
+http://www.openwall.com/lists/owl-dev/2012/08/14/1
+
+So for now on Linux/glibc, we fall back to the historical Unix version
+until we get glibc fixed.
+
+On some BSD variants, there is a issetugid() function.  On other Unix
+variants, we fall back to what GTK+ has been doing.
+
+Reported-By: Sebastian Krahmer krah...@suse.de
+Signed-off-by: Colin Walters walt...@verbum.org
+---
+diff --git a/configure.ac b/configure.ac
+index 584df1d..67ea1a9 100644
+--- a/configure.ac
 b/configure.ac
+@@ -583,9 +583,20 @@ AC_TRY_COMPILE([#include dirent.h], [DIR *dir;],
+ # Checks for library functions.
+ AC_FUNC_VPRINTF
+ AC_FUNC_ALLOCA
+-AC_CHECK_FUNCS(mmap posix_memalign memalign valloc fsync pipe2)
++AC_CHECK_FUNCS(mmap posix_memalign memalign valloc fsync pipe2 issetugid)
+ AC_CHECK_FUNCS(atexit on_exit timegm gmtime_r)
+ 
++AC_CACHE_CHECK([for __libc_enable_secure], glib_cv_have_libc_enable_secure,
++  [AC_TRY_LINK([#include unistd.h
++extern int __libc_enable_secure;],
++[return __libc_enable_secure;],
++   glib_cv_have_libc_enable_secure=yes,
++   glib_cv_have_libc_enable_secure=no)])
++AS_IF([test x$glib_cv_have_libc_enable_secure = xyes], [
++   AC_DEFINE(HAVE_LIBC_ENABLE_SECURE, 1,
++ [Define if you have the __libc_enable_secure variable (GNU libc, eglibc)])
++])
++
+ AC_CHECK_SIZEOF(char)
+ AC_CHECK_SIZEOF(short)
+ AC_CHECK_SIZEOF(long)
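Review bot: the AC_TRY_LINK check proves only that __libc_enable_secure links, not that its value can be trusted, and the commit message above says it currently cannot (the binutils/RPM interaction behind the openwall link), so defining HAVE_LIBC_ENABLE_SECURE invites C code to prefer it over the uid/euid fallback. Either leave the define out until the glibc side is fixed, or add a comment above the AC_CACHE_CHECK stating that consumers must treat it as advisory and keep the fallback, with the openwall URL for reference.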
+@@ -984,7 +995,7 @@ AC_MSG_RESULT(unsigned $glib_size_type)
+ 
+ # Check for some functions
+ AC_CHECK_FUNCS(lstat strerror strsignal memmove vsnprintf stpcpy strcasecmp strncasecmp poll getcwd vasprintf setenv unsetenv getc_unlocked readlink symlink fdwalk memmem)
+-AC_CHECK_FUNCS(chown lchmod lchown fchmod fchown link utimes getgrgid getpwuid)
++AC_CHECK_FUNCS(chown lchmod lchown fchmod fchown link utimes getgrgid getpwuid getresuid)
+ AC_CHECK_FUNCS(getmntent_r setmntent endmntent hasmntopt getfsstat getvfsstat)
+ # Check for high-resolution sleep functions
+ AC_CHECK_FUNCS(splice)
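Review bot: getresuid is appended to an unrelated AC_CHECK_FUNCS line with no note of its purpose; since the setuid check is its only consumer, moving it next to the issetugid check earlier in this file, with a one-line comment that it lets the check compare real, effective and saved ids rather than only euid against uid, would make the intent readable from configure.ac alone.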
+diff --git a/gio/gdbusaddress.c b/gio/gdbusaddress.c
+index 4aa13b9..96b6343 100644
+--- a/gio/gdbusaddress.c
 b/gio/gdbusaddress.c
+@@ -37,6 +37,7 @@
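The detection layers described in the commit message above (the kernel's AT_SECURE flag, issetugid() on the BSDs, and the uid/euid comparison GTK+ historically used), written out as an added C example that is neither GLib's g_check_setuid() nor code from the patch. It reads AT_SECURE through getauxval(), which glibc added in 2.16, instead of the __libc_enable_secure variable the message calls unreliable, uses issetugid() where that exists, and otherwise compares real, effective and saved ids with getresuid()/getresgid(). The function names, the EXAMPLE_HAVE_* macros standing in for configure checks, and the fail-closed policy are this example's own choices.

```c
/* Added example: layered "is this process running with elevated
 * privileges?" check in the spirit of the g_check_setuid() described in
 * the commit message. Not GLib code. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Layer 1: kernel verdict via the ELF auxiliary vector (glibc >= 2.16).
 * AT_SECURE is also set for file capabilities and SELinux domain
 * transitions, which the uid comparison below cannot see. */
#if defined(__linux__) && defined(__GLIBC__)
#  if __GLIBC_PREREQ(2, 16)
#    include <sys/auxv.h>
#    define EXAMPLE_HAVE_GETAUXVAL 1
#  endif
#endif

/* Layer 3 support: saved-id API. Explicit prototypes because glibc only
 * declares these under _GNU_SOURCE, and features.h may already have been
 * processed by an earlier include without it. */
#if defined(__GLIBC__)
#  define EXAMPLE_HAVE_GETRESUID 1
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);
#endif

/* Pure id comparison so it can be tested on constructed credentials:
 * any difference between real, effective and saved ids means the process
 * went through a credential change (setuid/setgid bit or set*uid call). */
bool ids_indicate_setuid(uid_t ruid, uid_t euid, uid_t suid,
                         gid_t rgid, gid_t egid, gid_t sgid)
{
    return ruid != euid || ruid != suid ||
           rgid != egid || rgid != sgid;
}

/* Layers 1/2: the operating system's own verdict.
 * Returns 1 (secure), 0 (not secure) or -1 (no facility on this platform). */
int os_secure_flag(void)
{
#if defined(EXAMPLE_HAVE_GETAUXVAL)
    return getauxval(AT_SECURE) ? 1 : 0;
#elif defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__)
    return issetugid() ? 1 : 0;
#else
    return -1;
#endif
}

/* Layer 3 on the live process. Returns false if the ids cannot be read. */
bool read_process_ids(uid_t *ruid, uid_t *euid, uid_t *suid,
                      gid_t *rgid, gid_t *egid, gid_t *sgid)
{
#if defined(EXAMPLE_HAVE_GETRESUID)
    return getresuid(ruid, euid, suid) == 0 && getresgid(rgid, egid, sgid) == 0;
#else
    /* No saved-id API: assume saved == real, the historical GTK+ check. */
    *ruid = *suid = getuid(); *euid = geteuid();
    *rgid = *sgid = getgid(); *egid = getegid();
    return true;
#endif
}

/* Combined verdict: secure if the OS says so OR the ids disagree.
 * If the ids cannot even be read, fail closed and report "secure", so a
 * caller skips actions such as exec'ing dbus-launch. */
bool running_secure(void)
{
    if (os_secure_flag() == 1)
        return true;
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;
    if (!read_process_ids(&ruid, &euid, &suid, &rgid, &egid, &sgid))
        return true;
    return ids_indicate_setuid(ruid, euid, suid, rgid, egid, sgid);
}

int main(void)
{
    printf("running_secure() = %s\n", running_secure() ? "yes" : "no");
    /* Example policy from the commit message: no external dbus-launch
     * when DBUS_SESSION_BUS_ADDRESS is unset and we are in secure mode. */
    if (getenv("DBUS_SESSION_BUS_ADDRESS") == NULL && running_secure())
        printf("would refuse to autolaunch a session bus\n");
    return 0;
}
```

Combining the layers with OR rather than letting the OS flag override the id comparison is deliberate: a process that changed its own credentials after exec has AT_SECURE clear but mismatched ids, and treating it as privileged is the conservative reading.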

Bug#688512: unblock or tpu: glib2.0/2.33.12+really2.32.4-1

2012-09-28 Thread Niels Thykier
Control: tags -1 moreinfo

On 2012-09-25 11:03, Josselin Mouette wrote:
> This bug didn’t make it through the list at first because the diff is
> too large.
>
> On Sunday 23 September 2012 at 13:16 +0200, Josselin Mouette wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> >
> > Hi,
> >
> > I just uploaded a new glib2.0 package to unstable. The differences to
> > testing are:
> >
> >   [...]
> >
> >
> > The full diff is attached, stripped of the autogenerated parts. It is
> > quite large, but most of it consists in documentation improvements and
> > function decorators. There are also quite a number of bugs fixed - the
> > release is bugfix only so large changes are not included.
> >
> > In order to avoid having the ugly version number in a release, I propose
> > to let this version age for 10 days in unstable, then re-upload it to
> > testing with the 2.32.4-1 version number.
> >
> > Thanks for considering,
>

Hi,

The diff looks mostly reasonable, though I have one case where it seems
to me that the new version introduces a leak (see attached glib.leak).

Other than that, I think it may have to wait until the next d-i beta is
out.  Personally I do not mind the extra couple of days in unstable as
the diff is rather large and I could quite possibly have missed something.

Also, on the part of (re-)uploading it as 2.32.{4,5}-1 via t-p-u.  I am
not sure it is an acceptable use of t-p-u, so my default would be no
on this.

~Niels

It seems to me that stderr_child may be leaked when goto cleanup paths are 
taken?

diff -Nru glib2.0-2.32.3/gio/glib-compile-resources.c 
glib2.0-2.33.12+really2.32.4/gio/glib-compile-resources.c
--- glib2.0-2.32.3/gio/glib-compile-resources.c 2012-03-29 22:43:04.0 
+
+++ glib2.0-2.33.12+really2.32.4/gio/glib-compile-resources.c   2012-07-14 
20:33:11.0 +
@@ -272,6 +272,7 @@
   if (state-preproc_options)
 {
   gchar **options;
+  gchar *stderr_child = NULL;
   guint i;
   gboolean xml_stripblanks = FALSE;
   gboolean to_pixdata = FALSE;
@@ -324,9 +325,8 @@
   g_assert (argc = G_N_ELEMENTS (argv));
 
   if (!g_spawn_sync (NULL /* cwd */, argv, NULL /* envv */,
- G_SPAWN_STDOUT_TO_DEV_NULL |
- G_SPAWN_STDERR_TO_DEV_NULL,
- NULL, NULL, NULL, NULL, status, my_error))
+ G_SPAWN_STDOUT_TO_DEV_NULL,
+ NULL, NULL, NULL, stderr_child, status, 
my_error))
 {
   g_propagate_error (error, my_error);
   goto cleanup;
@@ -334,12 +334,13 @@
 #ifdef HAVE_SYS_WAIT_H
   if (!WIFEXITED (status) || WEXITSTATUS (status) != 0)
 {
-  g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED,
-  _(Error processing input file with 
xmllint));
+  g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+   _(Error processing input file with 
xmllint:\n%s), stderr_child);
   goto cleanup;
 }
 #endif
 
+  g_free (stderr_child);
   g_free (real_file);
   real_file = g_strdup (tmp_file);
 }
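Review bot: the WIFEXITED failure branch formats stderr_child into the error and jumps to cleanup without freeing it; the g_free (stderr_child) below runs only on the success path, so every failed xmllint run leaks the captured stderr buffer. Free it before the goto, or hoist the buffer to function scope and free it under the cleanup label so any goto cleanup added later stays leak-free.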
@@ -347,6 +348,7 @@
   if (to_pixdata)
 {
   gchar *argv[4];
+  gchar *stderr_child = NULL;
   int status, fd, argc;
 
   if (gdk_pixbuf_pixdata == NULL)
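Review bot: this declares a second gchar *stderr_child inside the to_pixdata block while the first hunk of this diff declared one at the enclosing preproc_options level; the inner variable shadows the outer one, which compiles silently (-Wshadow would flag it) but makes it easy to free the wrong buffer. Declare it once per spawn block, as done here, and drop the outer declaration.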
@@ -379,9 +381,8 @@
   g_assert (argc = G_N_ELEMENTS (argv));
 
   if (!g_spawn_sync (NULL /* cwd */, argv, NULL /* envv */,
- G_SPAWN_STDOUT_TO_DEV_NULL |
- G_SPAWN_STDERR_TO_DEV_NULL,
- NULL, NULL, NULL, NULL, status, my_error))
+ G_SPAWN_STDOUT_TO_DEV_NULL,
+ NULL, NULL, NULL, stderr_child, status, 
my_error))
 {
   g_propagate_error (error, my_error);
   goto cleanup;
@@ -389,12 +390,13 @@
 #ifdef HAVE_SYS_WAIT_H
   if (!WIFEXITED (status) || WEXITSTATUS (status) != 0)
 {
-  g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED,
-  _(Error processing input file with 
to-pixdata));
+  g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+  _(Error processing input file with 
to-pixdata:\n%s), stderr_child);
   goto cleanup;
 }
 #endif
 
+  g_free (stderr_child);
   g_free (real_file);
   real_file = g_strdup (tmp_file2);
 }
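Review bot: same leak as in the xmllint block above: on a non-zero exit status the captured stderr_child is used in the error message and then abandoned by goto cleanup, with the only g_free on the success path. A g_free (stderr_child) before the goto (or under the cleanup label) is needed here too.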
end of chunks for this file
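The goto-cleanup leak Niels points out above, and the free-before-goto fix Josselin attaches later in this thread as 20_glib-compile-resources_leak.patch, reduced to plain C as an added example (not code from glib-compile-resources). run_tool() is a hypothetical stand-in for g_spawn_sync() with a standard_error out-parameter: it always hands back an owned buffer, possibly empty, plus the child's exit status. A counting allocator makes the leak observable, and process_fixed() shows the alternative to freeing in front of each goto: one owner at function scope, one release under the cleanup label. Tool names and messages are constructed for the example.

```c
/* Added example: the error-path leak and its fix, with a counting
 * allocator. Not glib-compile-resources code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int live_allocations = 0;   /* buffers handed out and not yet freed */
static char last_error[128];       /* stands in for the GError message */

int live_allocation_count(void) { return live_allocations; }
const char *last_error_message(void) { return last_error; }

static char *tracked_strdup(const char *s)
{
    char *copy = malloc(strlen(s) + 1);
    if (copy == NULL)
        abort();
    strcpy(copy, s);
    live_allocations++;
    return copy;
}

static void tracked_free(char *p)
{
    if (p != NULL) {
        live_allocations--;
        free(p);
    }
}

/* Constructed child: "fails" (exit status 1, message on stderr) when its
 * name equals fail_tool, otherwise exits 0 with empty stderr. Like
 * g_spawn_sync, it allocates the stderr buffer in both cases. */
static void run_tool(const char *tool, const char *fail_tool,
                     char **stderr_child, int *status)
{
    char msg[64];
    bool fails = strcmp(tool, fail_tool) == 0;
    if (fails)
        snprintf(msg, sizeof msg, "%s: constructed failure", tool);
    else
        msg[0] = '\0';
    *stderr_child = tracked_strdup(msg);
    *status = fails ? 1 : 0;
}

static const char *const tools[] = { "xmllint", "to-pixdata" };

/* Shape of the 2.32.4 code: the buffer is freed after each successful
 * step only, so the error branch that goes to cleanup abandons it. */
bool process_leaky(const char *fail_tool)
{
    bool ok = false;
    char *stderr_child = NULL;
    int status;
    for (size_t i = 0; i < 2; i++) {
        run_tool(tools[i], fail_tool, &stderr_child, &status);
        if (status != 0) {
            snprintf(last_error, sizeof last_error,
                     "Error processing input file with %s:\n%s",
                     tools[i], stderr_child);
            goto cleanup;              /* BUG: stderr_child leaks here */
        }
        tracked_free(stderr_child);
        stderr_child = NULL;
    }
    ok = true;
cleanup:
    return ok;
}

/* Fixed shape: one owner at function scope, one free under the cleanup
 * label. Every exit path, including any goto added later, releases it. */
bool process_fixed(const char *fail_tool)
{
    bool ok = false;
    char *stderr_child = NULL;
    int status;
    for (size_t i = 0; i < 2; i++) {
        run_tool(tools[i], fail_tool, &stderr_child, &status);
        if (status != 0) {
            snprintf(last_error, sizeof last_error,
                     "Error processing input file with %s:\n%s",
                     tools[i], stderr_child);
            goto cleanup;
        }
        tracked_free(stderr_child);    /* release before the next step reuses the pointer */
        stderr_child = NULL;
    }
    ok = true;
cleanup:
    tracked_free(stderr_child);        /* NULL after success, the leftover buffer after a failure */
    return ok;
}

int main(void)
{
    process_fixed("xmllint");
    printf("fixed: %s (live buffers: %d)\n", last_error_message(), live_allocation_count());
    process_leaky("xmllint");
    printf("leaky: %s (live buffers: %d)\n", last_error_message(), live_allocation_count());
    return 0;
}
```

Run under a leak checker such as valgrind, process_leaky() reports one lost block per failed run, which is the signal a reviewer reading the original diff had to reconstruct by eye.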


Bug#688512: unblock or tpu: glib2.0/2.33.12+really2.32.4-1

2012-09-28 Thread Josselin Mouette
On Friday 28 September 2012 at 12:56 +0200, Niels Thykier wrote:
> The diff looks mostly reasonable, though I have one case where it seems
> to me that the new version introduces a leak (see attached glib.leak).

Thanks for the thorough review.

I have committed a fix for the leak in our SVN and reported it upstream.
Note that it has a small impact since it only affects
glib-compile-resources, not the library itself.

Changes currently sitting in our svn are attached (since they also
target wheezy).

> Other than that, I think it may have to wait until the next d-i beta is
> out.  Personally I do not mind the extra couple of days in unstable as
> the diff is rather large and I could quite possibly have missed something.

Sure.

> Also, on the part of (re-)uploading it as 2.32.{4,5}-1 via t-p-u.  I am
> not sure it is an acceptable use of t-p-u, so my default would be no
> on this.

As you wish. It is mostly a cosmetic issue.

Cheers,
-- 
 .''`.  Josselin Mouette
: :' :
`. `'
  `-
Index: debian/libglib2.0-doc.links
===
--- debian/libglib2.0-doc.links	(révision 35787)
+++ debian/libglib2.0-doc.links	(copie de travail)
@@ -2,4 +2,3 @@
 usr/share/doc/libglib2.0-doc/gio usr/share/gtk-doc/html/gio
 usr/share/doc/libglib2.0-doc/glib usr/share/gtk-doc/html/glib
 usr/share/doc/libglib2.0-doc/gobject usr/share/gtk-doc/html/gobject
-usr/share/doc/libglib2.0-doc/gdbus-object-manager-example usr/share/gtk-doc/html/gdbus-object-manager-example
Index: debian/patches/20_glib-compile-resources_leak.patch
===
--- debian/patches/20_glib-compile-resources_leak.patch	(révision 0)
+++ debian/patches/20_glib-compile-resources_leak.patch	(révision 35834)
@@ -0,0 +1,36 @@
+Index: glib2.0-2.33.12+really2.32.4/gio/glib-compile-resources.c
+===
+--- glib2.0-2.33.12+really2.32.4.orig/gio/glib-compile-resources.c	2012-07-14 22:33:11.0 +0200
 glib2.0-2.33.12+really2.32.4/gio/glib-compile-resources.c	2012-09-28 21:32:32.168548276 +0200
+@@ -272,7 +272,6 @@ end_element (GMarkupParseContext  *conte
+   if (state-preproc_options)
+ {
+   gchar **options;
+-  gchar *stderr_child = NULL;
+   guint i;
+   gboolean xml_stripblanks = FALSE;
+   gboolean to_pixdata = FALSE;
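Review bot: the patch file begins directly with an Index: line and carries no DEP-3 header (Description, Origin, Bug, Forwarded); since the reply says the fix was reported upstream, recording that report here is what lets the patch be dropped cleanly once it lands. The removal of the outer declaration itself is right: it leaves one stderr_child per spawn block instead of a shadowed pair.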
+@@ -298,6 +297,7 @@ end_element (GMarkupParseContext  *conte
+   if (xml_stripblanks  xmllint != NULL)
+ {
+   gchar *argv[8];
++  gchar *stderr_child = NULL;
+   int status, fd, argc;
+ 
+   tmp_file = g_strdup (resource-);
+@@ -336,6 +336,7 @@ end_element (GMarkupParseContext  *conte
+ {
+   g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+_(Error processing input file with xmllint:\n%s), stderr_child);
++  g_free (stderr_child);
+   goto cleanup;
+ }
+ #endif
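Review bot: g_free (stderr_child) before goto cleanup closes the leak on the non-zero-exit path, and the earlier spawn-failure goto stays leak-free only because the buffer is initialised to NULL in the hunk above; a more robust shape is to keep the variable at function scope and free it once under the cleanup label, so nobody has to remember a g_free in front of the next goto. If the per-goto free is kept, a short comment on the spawn-failure branch saying why it needs none would help.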
+@@ -392,6 +393,7 @@ end_element (GMarkupParseContext  *conte
+ {
+   g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+ 			   _(Error processing input file with to-pixdata:\n%s), stderr_child);
++  g_free (stderr_child);
+   goto cleanup;
+ }
+ #endif
Index: debian/patches/series
===
--- debian/patches/series	(révision 35787)
+++ debian/patches/series	(copie de travail)
@@ -4,6 +4,7 @@
 04_homedir_env.patch
 05_run-gio-tests-with-a-dbus-session.patch
 10_gdbus_race.patch
+20_glib-compile-resources_leak.patch
 61_glib-compile-binaries-path.patch
 90_gio-modules-multiarch-compat.patch
 91_revert_schema_path_warning.patch
Index: debian/changelog
===
--- debian/changelog	(révision 35787)
+++ debian/changelog	(copie de travail)
@@ -1,3 +1,13 @@
+glib2.0 (2.33.12+really2.32.4-2) UNRELEASED; urgency=low
+
+  * Revert link adding for gdbus-object-manager-example. While it is 
+useful to have in /usr/share/doc as an example, it must not be 
+shipped with the system documentation.
+  * 20_glib-compile-resources_leak.patch: new patch. Fix a leak 
+introduced in version 2.32.4. Thanks Niels Thykier!
+
+ -- Josselin Mouette j...@debian.org  Sun, 23 Sep 2012 13:26:33 +0200
+
 glib2.0 (2.33.12+really2.32.4-1) unstable; urgency=low
 
   * New upstream bugfix release.
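Review bot: the new entry is still UNRELEASED but already carries the 23 Sep timestamp, which is earlier than the 28 Sep patch it describes; let dch -r refresh the date at upload. It would also help to name the upstream report for the leak next to the patch entry, as the 10_gdbus_race.patch entry below does for its origin, so the changelog tells readers when the Debian patch can go.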


Bug#688512: unblock or tpu: glib2.0/2.33.12+really2.32.4-1

2012-09-25 Thread Josselin Mouette
This bug didn’t make it through the list at first because the diff is
too large.

On Sunday 23 September 2012 at 13:16 +0200, Josselin Mouette wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Hi,
>
> I just uploaded a new glib2.0 package to unstable. The differences to
> testing are:
>
> glib2.0 (2.33.12+really2.32.4-1) unstable; urgency=low
>
>   * New upstream bugfix release.
>   * 10_gdbus_race.patch: stolen from upstream git. Fix a race condition
>     that would make gnome-shell crash on startup under some conditions.
>   * libglib2.0-bin.install: bash completions have moved to /usr/share.
>   * libglib2.0-bin.maintscript: remove old conffiles.
>   * Add appropriate pre-dependency.
>   * libglib2.0-doc.links: add link for gdbus-object-manager-example.
>
>  -- Josselin Mouette j...@debian.org  Sat, 22 Sep 2012 17:59:34 +0200
>
> glib2.0 (2.33.12+really2.32.3-2) unstable; urgency=low
>
>   * Explicitly set the shlibs version to 2.32.3 to not generate overly strict
>     dependencies for udeb packages.
>
>  -- Michael Biebl bi...@debian.org  Wed, 19 Sep 2012 21:25:56 +0200
>
> glib2.0 (2.33.12+really2.32.3-1) unstable; urgency=low
>
>   * Brown paper bag upload
>   * Re-upload version previously in unstable to supersede
>     experimental-targeted version previously mistakenly uploaded there.
>
>  -- Iain Lane la...@debian.org  Mon, 10 Sep 2012 22:52:32 +0100
>
> Overview of changes from GLib 2.32.3 to 2.32.4
> ==============================================
>
> * Bugs fixed:
>  639771 g_dir_read_name() can also return NULL on error
>  660851 Breakage of code due to changes in the GThread...
>  666386 Empathy doesn't open Redirect URI with particu...
>  671545 Constify collect and lcopy strings in GTypeVal...
>  672329 memory leaks in gutils.c and glib tests
>  672548 g_utf8_validate: @str shouldn't end up annotat...
>  672889 GLib.utf8_validate does segfault
>  673253 Not strict enough autconf test for libelf
>  674452 SEGFAULT in gio contenttype test
>  674777 What's the (transfer) of g_variant_lookup()?
>  675309 gkeyfile: Fix annotations for g_key_file_load_...
>  675446 gfile: Plug memory leak in g_file_make_directo...
>  675832 Incomplete gsettings bash auto-completion
>  676265 GNetworkMonitor leaks a lot of memory
>  676277 Document that g_app_info_create_from_commandli...
>  676397 g_environ_* should work with NULL envp
>  676594 [Patch] fix g_reload_user_special_dirs_cache
>  676816 Add more GLIB_AVAILABLE_IN_*
>  677235 Clarify the comment at the top of gmarshal.list
>  677782 Install bash completion files in /usr/share
>  677817 g_key_file_to_data adds extra blank lines in so...
>  677952 Missing annotation for GDBusConnection signal ...
>  678052 g_wakeup_acknowledge is called too often.
>  678066 gdbus codegen does not work with python3
>  678273 unicode othercasing is wrong in gregex
>  678333 gdbus-codegen code causes warnings under -Wfloa...
>  678758 GTlsInteraction unlocks an unlocked mutex
>  678881 Test failures in /socket/timed_wait in some cas...
>  678941 /contenttype/guess test case failure
>  678944 gio returns the wrong default applications for ...
>  678949 wrong definition of ulong_bool for 64 bit big e...
>  678959 /mainloop/timeouts race condition: assertion fa...
>  679258 The 'Since' tag for G_SOURCE_CONTINUE and G_SOU...
>  679671 Misc fixes for g_dbus_node_info_new_for_xml
>  679813 Documentation bug on http://developer.gnome.org...
>
>
> The full diff is attached, stripped of the autogenerated parts. It is
> quite large, but most of it consists in documentation improvements and
> function decorators. There are also quite a number of bugs fixed - the
> release is bugfix only so large changes are not included.
>
> In order to avoid having the ugly version number in a release, I propose
> to let this version age for 10 days in unstable, then re-upload it to
> testing with the 2.32.4-1 version number.
>
> Thanks for considering,

-- 
 .''`.  Josselin Mouette
: :' :
`. `'
  `-

