Activity log for bug #1641912

Date Who What changed Old value New value Message
2016-11-15 11:02:31 Curaga bug added bug
2016-11-18 10:19:12 Etienne Papegnies gtk+2.0 (Ubuntu): status New Confirmed
2016-11-18 13:22:12 Etienne Papegnies bug added subscriber Etienne Papegnies
2016-11-22 21:32:43 Jeremy Bícha tags xenial yakkety zesty
2016-11-22 21:32:51 Jeremy Bícha nominated for series Ubuntu Yakkety
2016-11-22 21:32:51 Jeremy Bícha bug task added gtk+2.0 (Ubuntu Yakkety)
2016-11-22 21:32:51 Jeremy Bícha nominated for series Ubuntu Xenial
2016-11-22 21:32:51 Jeremy Bícha bug task added gtk+2.0 (Ubuntu Xenial)
2016-11-22 21:32:59 Launchpad Janitor gtk+2.0 (Ubuntu Xenial): status New Confirmed
2016-11-22 21:32:59 Launchpad Janitor gtk+2.0 (Ubuntu Yakkety): status New Confirmed
2016-11-22 21:37:29 Jeremy Bícha bug watch added https://bugzilla.gnome.org/show_bug.cgi?id=773587
2016-11-22 21:37:29 Jeremy Bícha bug task added gtk
2016-11-22 21:38:19 Jeremy Bícha description
Old value: https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=a3b2d6a65be9f592de9570c227df00f910167e9e https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=35871edb318083b2d7e4758cbdaad6109eed60ca Please apply/backport these two patches from the 2.24 branch. They fix a memory DOS, originally reported against mate-panel here: https://github.com/mate-desktop/mate-panel/issues/479
New value: https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=a3b2d6a65be9f592de9570c227df00f910167e9e https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=35871edb318083b2d7e4758cbdaad6109eed60ca Please apply/backport these two patches from the 2.24 branch. They fix a memory DOS, originally reported against mate-panel here: https://github.com/mate-desktop/mate-panel/issues/479 For the GTK3 version of this bug, see bug 1641914 Note that MATE is GTK2 only for Ubuntu 16.04 LTS.
2016-11-23 00:35:15 Bug Watch Updater gtk: status Unknown Fix Released
2016-11-23 00:35:15 Bug Watch Updater gtk: importance Unknown Medium
2016-12-21 07:28:07 Alberto Salvia Novella gtk+2.0 (Ubuntu): importance Undecided Critical
2016-12-21 07:28:10 Alberto Salvia Novella gtk+2.0 (Ubuntu Xenial): importance Undecided Critical
2016-12-21 07:28:11 Alberto Salvia Novella gtk+2.0 (Ubuntu Yakkety): importance Undecided Critical
2016-12-21 07:28:27 Alberto Salvia Novella gtk+2.0 (Ubuntu): importance Critical High
2016-12-21 07:28:29 Alberto Salvia Novella gtk+2.0 (Ubuntu Xenial): importance Critical High
2016-12-21 07:28:37 Alberto Salvia Novella gtk+2.0 (Ubuntu Xenial): importance High Critical
2016-12-21 07:28:39 Alberto Salvia Novella gtk+2.0 (Ubuntu): importance High Critical
2017-07-11 08:06:35 Martin Wimpress gtk+2.0 (Ubuntu Yakkety): status Confirmed Won't Fix
2017-07-20 16:37:23 Martin Wimpress nominated for series Ubuntu Zesty
2017-07-20 16:37:23 Martin Wimpress nominated for series Ubuntu Artful
2017-07-20 22:00:57 Simon Quigley gtk+2.0 (Ubuntu Xenial): assignee Simon Quigley (tsimonq2)
2017-07-20 22:01:00 Simon Quigley gtk+2.0 (Ubuntu Xenial): status Confirmed In Progress
2017-07-20 22:01:02 Simon Quigley gtk+2.0 (Ubuntu): assignee Simon Quigley (tsimonq2)
2017-07-20 22:01:04 Simon Quigley gtk+2.0 (Ubuntu): status Confirmed In Progress
2017-07-21 00:42:57 Simon Quigley attachment added 1-2.24.30-1ubuntu1.16.04.2.debdiff https://bugs.launchpad.net/ubuntu/+source/gtk+2.0/+bug/1641912/+attachment/4918508/+files/1-2.24.30-1ubuntu1.16.04.2.debdiff
2017-07-21 01:11:26 Simon Quigley attachment added 1-2.24.31-1ubuntu1.1.debdiff https://bugs.launchpad.net/ubuntu/+source/gtk+2.0/+bug/1641912/+attachment/4918516/+files/1-2.24.31-1ubuntu1.1.debdiff
2017-07-21 01:11:38 Simon Quigley bug added subscriber Simon Quigley
2017-07-21 01:14:01 Simon Quigley attachment added 1-2.24.31-1ubuntu2.debdiff https://bugs.launchpad.net/ubuntu/+source/gtk+2.0/+bug/1641912/+attachment/4918517/+files/1-2.24.31-1ubuntu2.debdiff
2017-07-21 01:14:34 Simon Quigley bug added subscriber Ubuntu Sponsors Team
2017-07-27 15:58:36 Gianfranco Costamagna bug task added gtk+2.0 (Ubuntu Artful)
2017-07-27 15:58:47 Gianfranco Costamagna bug task added gtk+2.0 (Ubuntu Zesty)
2017-07-27 16:01:50 Gianfranco Costamagna gtk+2.0 (Ubuntu Zesty): status New In Progress
2017-07-27 16:01:53 Gianfranco Costamagna gtk+2.0 (Ubuntu Zesty): importance Undecided Critical
2017-07-27 16:20:16 Simon Quigley gtk+2.0 (Ubuntu Zesty): assignee Simon Quigley (tsimonq2)
2017-07-30 01:48:07 Launchpad Janitor gtk+2.0 (Ubuntu Artful): status In Progress Fix Released
2017-08-02 03:00:33 Simon Quigley removed subscriber Ubuntu Sponsors Team
2017-08-02 10:22:03 Simon Quigley description
Old value: https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=a3b2d6a65be9f592de9570c227df00f910167e9e https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=35871edb318083b2d7e4758cbdaad6109eed60ca Please apply/backport these two patches from the 2.24 branch. They fix a memory DOS, originally reported against mate-panel here: https://github.com/mate-desktop/mate-panel/issues/479 For the GTK3 version of this bug, see bug 1641914 Note that MATE is GTK2 only for Ubuntu 16.04 LTS.
New value:
[Impact] Without these fixes, a specially crafted GTK program can cause a Denial of Service attack on any machine with open GTK programs.
[Test Case] In the GitHub issue against mate-panel, an individual with the GitHub username clbr wrote a Proof of Concept that can be used to demonstrate that this bug is affecting the system, and this is found here: http://pastebin.ca/3733209 The commenter reports that the Proof of Concept can be built with the following command: gcc -o killer killer.c `pkg-config --cflags --libs gtk+-2.0`
[Regression Potential] This fix has been uploaded to Artful and has passed to artful-release, causing no installability problems or autopkgtest regressions. As for the fix itself, there was already a regression spotted, but the patch fixing that regression has been spotted and also fixed in this upload. Since it is putting a limit on the list's size, although this is highly unlikely at this point in time, epgfm on the GitHub issue points out the following: "... However, the incoming fix set a large number of items (1000) as a hard limit. ... Does an application really needs to store 1K recent files? I think even the badassest screen you can possibly buy now wouldn't have enough vertical space to display them all." Should there be the unlikely event that a program needs to use that many recent files, the program will have some issues, but that is a bug in the program that needs to use that many recent files, not GTK itself.
tl;dr low regression potential, where there will be regressions is excessively large GTK programs, but that is a bug in the program itself for taking up that much space, not GTK.
[Original Description] https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=a3b2d6a65be9f592de9570c227df00f910167e9e https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=35871edb318083b2d7e4758cbdaad6109eed60ca Please apply/backport these two patches from the 2.24 branch. They fix a memory DOS, originally reported against mate-panel here: https://github.com/mate-desktop/mate-panel/issues/479 For the GTK3 version of this bug, see bug 1641914 Note that MATE is GTK2 only for Ubuntu 16.04 LTS.
2017-08-02 11:54:39 Łukasz Zemczak gtk+2.0 (Ubuntu Zesty): status In Progress Fix Committed
2017-08-02 11:54:41 Łukasz Zemczak bug added subscriber Ubuntu Stable Release Updates Team
2017-08-02 11:54:44 Łukasz Zemczak bug added subscriber SRU Verification
2017-08-02 11:54:47 Łukasz Zemczak tags xenial yakkety zesty verification-needed verification-needed-zesty xenial yakkety zesty
2017-08-02 13:35:05 Łukasz Zemczak gtk+2.0 (Ubuntu Xenial): status In Progress Fix Committed
2017-08-02 13:35:14 Łukasz Zemczak tags verification-needed verification-needed-zesty xenial yakkety zesty verification-needed verification-needed-xenial verification-needed-zesty xenial yakkety zesty
2017-08-02 14:39:07 Etienne Papegnies tags verification-needed verification-needed-xenial verification-needed-zesty xenial yakkety zesty verification-done-zesty verification-needed verification-needed-xenial xenial yakkety zesty
2017-08-02 15:41:38 Etienne Papegnies tags verification-done-zesty verification-needed verification-needed-xenial xenial yakkety zesty verification-done-xenial verification-done-zesty verification-needed xenial yakkety zesty
2017-08-03 03:54:46 Simon Quigley tags verification-done-xenial verification-done-zesty verification-needed xenial yakkety zesty artful verification-done-xenial verification-done-zesty xenial zesty
2017-08-10 18:12:30 Launchpad Janitor gtk+2.0 (Ubuntu Zesty): status Fix Committed Fix Released
2017-08-10 18:12:35 Łukasz Zemczak removed subscriber Ubuntu Stable Release Updates Team
2017-08-10 18:12:47 Launchpad Janitor gtk+2.0 (Ubuntu Xenial): status Fix Committed Fix Released