Please backport two recent-manager patches

Bug #1641912 reported by Curaga on 2016-11-15
This bug affects 4 people
Affects               Status         Importance   Assigned to      Milestone
GTK+                  Fix Released   Medium
gtk+2.0 (Ubuntu)                     Critical     Simon Quigley
  Xenial                             Critical     Simon Quigley
  Yakkety                            Critical     Unassigned
  Zesty                              Critical     Simon Quigley
  Artful                             Critical     Simon Quigley

Bug Description

[Impact]

Without these fixes, a specially crafted GTK program can cause a Denial of Service attack on any machine with open GTK programs.

[Test Case]

In the GitHub issue against mate-panel, an individual with the GitHub username clbr wrote a Proof of Concept that can be used to demonstrate that this bug is affecting the system, and this is found here: http://pastebin.ca/3733209

The commenter reports that the Proof of Concept can be built with the following command:
gcc -o killer killer.c `pkg-config --cflags --libs gtk+-2.0`

[Regression Potential]

This fix has been uploaded to Artful and has passed to artful-release, causing no installability problems or autopkgtest regressions.

As for the fix itself, there was already a regression spotted, but the patch fixing that regression has been spotted and also fixed in this upload. Since it is putting a limit on the list's size, although this is highly unlikely at this point in time, epgfm on the GitHub issue points out the following:

"...

However, the incoming fix set a large number of items (1000) as a hard limit.

...

Does an application really need to store 1K recent files? I think even the badassest screen you can possibly buy now wouldn't have enough vertical space to display them all."

Should there be the unlikely event that a program needs to use that many recent files, the program will have some issues, but that is a bug in the program that needs to use that many recent files, not GTK itself.

tl;dr low regression potential; where there will be regressions is in excessively large GTK programs, but that is a bug in the program itself for taking up that much space, not GTK.

[Original Description]

https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=a3b2d6a65be9f592de9570c227df00f910167e9e
https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=35871edb318083b2d7e4758cbdaad6109eed60ca

Please apply/backport these two patches from the 2.24 branch. They fix a memory DOS, originally reported against mate-panel here:
https://github.com/mate-desktop/mate-panel/issues/479

For the GTK3 version of this bug, see bug 1641914
Note that MATE is GTK2 only for Ubuntu 16.04 LTS.

Changed in gtk+2.0 (Ubuntu):
status: New → Confirmed
Jeremy Bicha (jbicha) on 2016-11-22
tags: added: xenial yakkety zesty
Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gtk+2.0 (Ubuntu Xenial):
status: New → Confirmed
Changed in gtk+2.0 (Ubuntu Yakkety):
status: New → Confirmed
Jeremy Bicha (jbicha) on 2016-11-22
description: updated
Changed in gtk:
importance: Unknown → Medium
status: Unknown → Fix Released
Changed in gtk+2.0 (Ubuntu):
importance: Undecided → Critical
Changed in gtk+2.0 (Ubuntu Xenial):
importance: Undecided → Critical
Changed in gtk+2.0 (Ubuntu Yakkety):
importance: Undecided → Critical
Changed in gtk+2.0 (Ubuntu):
importance: Critical → High
Changed in gtk+2.0 (Ubuntu Xenial):
importance: Critical → High
importance: High → Critical
Changed in gtk+2.0 (Ubuntu):
importance: High → Critical
Martin Wimpress (flexiondotorg) wrote:

Yakkety 16.10 goes EOL this month.

Changed in gtk+2.0 (Ubuntu Yakkety):
status: Confirmed → Won't Fix
Simon Quigley (tsimonq2) on 2017-07-20
Changed in gtk+2.0 (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
status: Confirmed → In Progress
Changed in gtk+2.0 (Ubuntu):
assignee: nobody → Simon Quigley (tsimonq2)
status: Confirmed → In Progress
Simon Quigley (tsimonq2) wrote:

Attached is a debdiff for Xenial applicable to 2.24.30-1ubuntu1.16.04.1.

Simon Quigley (tsimonq2) wrote:

Attached is a debdiff for Zesty applicable to 2.24.31-1ubuntu1.

Simon Quigley (tsimonq2) wrote:

Attached is a debdiff for Artful applicable to 2.24.31-1ubuntu1.

Changed in gtk+2.0 (Ubuntu Zesty):
status: New → In Progress
importance: Undecided → Critical
Simon Quigley (tsimonq2) on 2017-07-27
Changed in gtk+2.0 (Ubuntu Zesty):
assignee: nobody → Simon Quigley (tsimonq2)
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package gtk+2.0 - 2.24.31-1ubuntu2

---------------
gtk+2.0 (2.24.31-1ubuntu2) artful; urgency=medium

  * Add debian/patches/lp1641912-add-limit-to-list-size.patch, which fixes a
    DOS allowing any application to cause all GTK applications to use an
    arbitrary amount of memory (LP: #1641912).

 -- Simon Quigley <email address hidden> Thu, 20 Jul 2017 16:52:59 -0500

Changed in gtk+2.0 (Ubuntu Artful):
status: In Progress → Fix Released
Łukasz Zemczak (sil2100) wrote:

Hello! Thank you for preparing and uploading the fix for our stable releases. For us to be able to properly review your SRU we would need some more information included in this bug. Please update the bug description to include the SRU template as found here:
https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template

We need to know what impact this bug has (how much the fixes better the current situation?), a reliable test case and a quick analysis of possible regression scenarios after the fix has been applied (looking at the changes and thinking: what could possibly go wrong in the worst scenario?).

Thank you!

Simon Quigley (tsimonq2) wrote:

Hello Łukasz!

I have updated the bug report to follow the SRU documentation (apologies, I spaced filling out the bug report).

description: updated
Łukasz Zemczak (sil2100) wrote:

Thank you! This is exactly what I needed, especially the regression potential field - very good!

Changed in gtk+2.0 (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-zesty

Hello Curaga, or anyone else affected,

Accepted gtk+2.0 into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gtk+2.0/2.24.31-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Łukasz Zemczak (sil2100) wrote:

Hello Curaga, or anyone else affected,

Accepted gtk+2.0 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gtk+2.0/2.24.30-1ubuntu1.16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in gtk+2.0 (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial

Tested the POC against version 2.24.31-1ubuntu1.1 from zesty-proposed. Updated package fixes the bug.

tags: added: verification-done-zesty
removed: verification-needed-zesty

Tested the POC against version 2.24.30-1ubuntu1.16.04.2 from xenial-proposed.
Updated package fixes the bug.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Simon Quigley (tsimonq2) on 2017-08-03
tags: added: artful
removed: verification-needed yakkety
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package gtk+2.0 - 2.24.31-1ubuntu1.1

---------------
gtk+2.0 (2.24.31-1ubuntu1.1) zesty; urgency=medium

  * Add debian/patches/lp1641912-add-limit-to-list-size.patch, which fixes a
    DOS allowing any application to cause all GTK applications to use an
    arbitrary amount of memory (LP: #1641912).

 -- Simon Quigley <email address hidden> Thu, 20 Jul 2017 16:52:59 -0500

Changed in gtk+2.0 (Ubuntu Zesty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for gtk+2.0 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package gtk+2.0 - 2.24.30-1ubuntu1.16.04.2

---------------
gtk+2.0 (2.24.30-1ubuntu1.16.04.2) xenial; urgency=medium

  * Add debian/patches/lp1641912-add-limit-to-list-size.patch, which fixes a
    DOS allowing any application to cause all GTK applications to use an
    arbitrary amount of memory (LP: #1641912).

 -- Simon Quigley <email address hidden> Thu, 20 Jul 2017 16:29:53 -0500

Changed in gtk+2.0 (Ubuntu Xenial):
status: Fix Committed → Fix Released
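The changelog entries above give the package versions that carry the list-size limit on each Ubuntu series (xenial 2.24.30-1ubuntu1.16.04.2, zesty 2.24.31-1ubuntu1.1, artful 2.24.31-1ubuntu2; yakkety was left Won't Fix). Deciding whether an installed system is at or above one of those versions needs dpkg's version ordering (epoch, then upstream, then Debian revision, alternating non-digit and digit runs, with "~" sorting before everything including the end of the string), which a plain string or float comparison gets wrong on strings like "1ubuntu1.16.04.2" versus "1ubuntu1.16.04.10". The script below is an added example, not part of this bug report, of GTK or of Ubuntu's tooling; it reimplements that ordering so the check works even where dpkg is absent. The fixed-version table is taken from the page; the binary package name libgtk2.0-0 and the dpkg-query invocation are assumptions (the bug only names the source package gtk+2.0).

```python
"""Check whether an installed gtk+2.0 build is at or above the LP #1641912
fixed version for a given Ubuntu series. Added example; not GTK's or the
bug's own code. dpkg's version ordering is reimplemented so the comparison
does not depend on dpkg being present."""
import subprocess

# Fixed versions per series, from the changelog entries in the bug.
# Yakkety was marked Won't Fix (EOL), so it is deliberately absent.
FIXED_VERSIONS = {
    "xenial": "2.24.30-1ubuntu1.16.04.2",
    "zesty": "2.24.31-1ubuntu1.1",
    "artful": "2.24.31-1ubuntu2",
}

# Assumption: the binary package name is not stated in the bug.
BINARY_PACKAGE = "libgtk2.0-0"


def _order(ch):
    """dpkg character weight: '~' before end-of-string, letters by code
    point, other non-digits after all letters, end-of-string/digit = 0."""
    if ch == "~":
        return -1
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch:
        return ord(ch) + 256
    return 0


def _verrevcmp(a, b):
    """Compare an upstream or revision string the way dpkg does: alternate
    non-digit runs (by _order) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # numeric run: drop leading zeros
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():   # longer digit run is larger
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0, like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(series, installed):
    """True if `installed` is at or above the fixed version for `series`.
    KeyError for a series with no fix published (e.g. yakkety)."""
    return compare_versions(installed, FIXED_VERSIONS[series]) >= 0


def installed_version(package=BINARY_PACKAGE):
    """Installed version via dpkg-query, or None if absent/not installed."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "--showformat=${Version}", package],
                             capture_output=True, text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None
    return out or None


if __name__ == "__main__":
    import sys
    series, ver = (sys.argv[1] if len(sys.argv) > 1 else "xenial"), installed_version()
    if ver is None or series not in FIXED_VERSIONS:
        print(f"{BINARY_PACKAGE}: not installed, or no fix published for {series}")
    else:
        print(f"{ver} on {series}: {'fixed' if is_fixed(series, ver) else 'VULNERABLE'}")
```

A version check only says whether the Ubuntu package containing the patch is installed; a locally built GTK 2, a yakkety system, or a PPA build tagged with "~" (which sorts below the release version) still needs the PoC from the test case run against it to confirm the limit is in effect.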