Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package gnome-desktop3.

This fixes #928732 (CVE-2019-11460), which is a flaw in some intended security hardening: essentially the same bug as #925541 in flatpak and #928054 in nautilus.

unblock gnome-desktop3/3.30.2.1-2

Thanks,
smcv
diffstat for gnome-desktop3-3.30.2.1 gnome-desktop3-3.30.2.1 changelog | 15 ++++++ gbp.conf | 4 - patches/series | 1 patches/thumbnailer-fix-incomplete-TIOCSTI-filtering.patch | 29 +++++++++++++ watch | 2 5 files changed, 48 insertions(+), 3 deletions(-) diff -Nru gnome-desktop3-3.30.2.1/debian/changelog gnome-desktop3-3.30.2.1/debian/changelog --- gnome-desktop3-3.30.2.1/debian/changelog 2019-02-05 23:03:26.000000000 +0000 +++ gnome-desktop3-3.30.2.1/debian/changelog 2019-06-03 23:16:42.000000000 +0100 @@ -1,3 +1,18 @@ +gnome-desktop3 (3.30.2.1-2) unstable; urgency=medium + + * Team upload + * d/gbp.conf: Configure branches for Debian buster and GNOME 3.30.x + * d/watch: Only watch for 3.30.x versions + * d/p/thumbnailer-fix-incomplete-TIOCSTI-filtering.patch: + Import the only non-build-system change from upstream release 3.30.2.3 + to fix incomplete TIOCSTI ioctl filtering, which could be a vector for + privilege escalation if a thumbnailer with a security vulnerability is + run on a crafted malicious image by a program that uses libgnome-desktop + and was run from an interactive terminal. + (Closes: #928732, CVE-2019-11460) + + -- Simon McVittie <s...@debian.org> Mon, 03 Jun 2019 23:16:42 +0100 + gnome-desktop3 (3.30.2.1-1) unstable; urgency=medium * New upstream release diff -Nru gnome-desktop3-3.30.2.1/debian/gbp.conf gnome-desktop3-3.30.2.1/debian/gbp.conf --- gnome-desktop3-3.30.2.1/debian/gbp.conf 2019-02-05 23:03:26.000000000 +0000 +++ gnome-desktop3-3.30.2.1/debian/gbp.conf 2019-06-03 23:16:42.000000000 +0100 
@@ -1,7 +1,7 @@ [DEFAULT] pristine-tar = True -debian-branch = debian/master -upstream-branch = upstream/latest +debian-branch = debian/buster +upstream-branch = upstream/3.30.x upstream-vcs-tag = %(version)s [buildpackage] diff -Nru gnome-desktop3-3.30.2.1/debian/patches/series gnome-desktop3-3.30.2.1/debian/patches/series --- gnome-desktop3-3.30.2.1/debian/patches/series 2019-02-05 23:03:26.000000000 +0000 +++ gnome-desktop3-3.30.2.1/debian/patches/series 2019-06-03 23:16:42.000000000 +0100 @@ -0,0 +1 @@ +thumbnailer-fix-incomplete-TIOCSTI-filtering.patch diff -Nru gnome-desktop3-3.30.2.1/debian/patches/thumbnailer-fix-incomplete-TIOCSTI-filtering.patch gnome-desktop3-3.30.2.1/debian/patches/thumbnailer-fix-incomplete-TIOCSTI-filtering.patch --- gnome-desktop3-3.30.2.1/debian/patches/thumbnailer-fix-incomplete-TIOCSTI-filtering.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnome-desktop3-3.30.2.1/debian/patches/thumbnailer-fix-incomplete-TIOCSTI-filtering.patch 2019-06-03 23:16:42.000000000 +0100 
@@ -0,0 +1,29 @@ +From: Michael Catanzaro <mcatanz...@igalia.com> +Date: Sat, 13 Apr 2019 13:57:36 -0500 +Subject: thumbnailer: fix incomplete TIOCSTI filtering + +Fixes #112 + +See also: https://github.com/flatpak/flatpak/issues/2782 + +Origin: upstream, 3.30.2.2, commit:83949ed5800ec99953f5ee8d2bf8b90a69daa850 +Bug: https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928732 +Bug-CVE: CVE-2019-11460 +--- + libgnome-desktop/gnome-desktop-thumbnail-script.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libgnome-desktop/gnome-desktop-thumbnail-script.c b/libgnome-desktop/gnome-desktop-thumbnail-script.c +index 9468b51..3b3d1ea 100644 +--- a/libgnome-desktop/gnome-desktop-thumbnail-script.c ++++ b/libgnome-desktop/gnome-desktop-thumbnail-script.c +@@ -343,7 +343,7 @@ setup_seccomp (GPtrArray *argv_array, + {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, + + /* Don't allow faking input to the controlling tty (CVE-2017-5226) */ +- {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_EQ, (int)TIOCSTI)}, ++ {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)}, + }; + + struct diff -Nru gnome-desktop3-3.30.2.1/debian/watch gnome-desktop3-3.30.2.1/debian/watch --- gnome-desktop3-3.30.2.1/debian/watch 2019-02-05 23:03:26.000000000 +0000 +++ gnome-desktop3-3.30.2.1/debian/watch 2019-06-03 23:16:42.000000000 +0100 @@ -1,3 +1,3 @@ version=4 -https://download.gnome.org/sources/gnome-desktop/([\d\.]+[02468])/ \ +https://download.gnome.org/sources/gnome-desktop/(3\.30)/ \ gnome-desktop@ANY_VERSION@\.tar\.xz
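Review bot: the comparator change in the ioctl rule inside `setup_seccomp` is the whole fix and it is the right one, but it deserves a line in the patch description saying why. With `SCMP_CMP_EQ` the rule only fired when the complete 64-bit syscall argument equalled `(int)TIOCSTI`, so a request value that differs from TIOCSTI only in the upper 32 bits was never matched by the deny rule even though the ioctl syscall itself only uses the low 32 bits of the request; that is the "incomplete filtering" the changelog refers to. `SCMP_CMP_MASKED_EQ` with the `0xFFFFFFFFu` mask compares just those low 32 bits, so every encoding of the request is now caught. Before upload it is worth confirming that the hunk's `@@ -343,7 +343,7 @@` context applies cleanly to 3.30.2.1 (d/patches/series is new, so this is the first quilt patch in the package) and that no other `SCMP_SYS (ioctl)` rule in the same table still uses the plain equality comparator.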
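Review bot: the changelog entry says the patch is "the only non-build-system change from upstream release 3.30.2.3", while the patch header says `Origin: upstream, 3.30.2.2, commit:83949ed5800ec99953f5ee8d2bf8b90a69daa850`. Both can be true (the commit first shipped in 3.30.2.2 and 3.30.2.3 is the current release), but the mismatch reads as an error to anyone checking the upload; stating in the changelog that the change is from 3.30.2.2, or adding "and 3.30.2.3" to the Origin line, would make the provenance unambiguous.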