group.of.nepali.translators team mailing list archive
Message #15507
[Bug 1641912] Re: Please backport two recent-manager patches
This bug was fixed in the package gtk+2.0 - 2.24.30-1ubuntu1.16.04.2
---------------
gtk+2.0 (2.24.30-1ubuntu1.16.04.2) xenial; urgency=medium
* Add debian/patches/lp1641912-add-limit-to-list-size.patch, which fixes a
DOS allowing any application to cause all GTK applications to use an
arbitrary amount of memory (LP: #1641912).
-- Simon Quigley <tsimonq2@xxxxxxxxxx> Thu, 20 Jul 2017 16:29:53 -0500
** Changed in: gtk+2.0 (Ubuntu Xenial)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1641912
Title:
Please backport two recent-manager patches
Status in GTK+:
Fix Released
Status in gtk+2.0 package in Ubuntu:
Fix Released
Status in gtk+2.0 source package in Xenial:
Fix Released
Status in gtk+2.0 source package in Yakkety:
Won't Fix
Status in gtk+2.0 source package in Zesty:
Fix Released
Status in gtk+2.0 source package in Artful:
Fix Released
Bug description:
[Impact]
Without these fixes, a specially crafted GTK program can cause a
Denial of Service attack on any machine with open GTK programs.
[Test Case]
In the GitHub issue against mate-panel, an individual with the GitHub
username clbr wrote a Proof of Concept that can be used to demonstrate
that this bug is affecting the system, and this is found here:
http://pastebin.ca/3733209
The commenter reports that the Proof of Concept can be built with the following command:
gcc -o killer killer.c `pkg-config --cflags --libs gtk+-2.0`
[Regression Potential]
This fix has been uploaded to Artful and has passed to artful-release,
causing no installability problems or autopkgtest regressions.
As for the fix itself, there was already a regression spotted, but the
patch fixing that regression has been spotted and also fixed in this
upload. Since it is putting a limit on the list's size, although this
is highly unlikely at this point in time, epgfm on the GitHub issue
points out the following:
"...
However, the incoming fix set a large number of items (1000) as a hard
limit.
...
Does an application really need to store 1K recent files? I think
even the badassest screen you can possibly buy now wouldn't have
enough vertical space to display them all."
Should there be the unlikely event that a program needs to use that
many recent files, the program will have some issues, but that is a
bug in the program that needs to use that many recent files, not GTK
itself.
tl;dr low regression potential, where there will be regressions is
excessively large GTK programs, but that is a bug in the program
itself for taking up that much space, not GTK.
[Original Description]
https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=a3b2d6a65be9f592de9570c227df00f910167e9e
https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=35871edb318083b2d7e4758cbdaad6109eed60ca
Please apply/backport these two patches from the 2.24 branch. They fix a memory DOS, originally reported against mate-panel here:
https://github.com/mate-desktop/mate-panel/issues/479
For the GTK3 version of this bug, see bug 1641914.
Note that MATE is GTK2 only for Ubuntu 16.04 LTS.