From: Ernestas Kulik <ekulik@redhat.com>
Date: Sun, 14 Apr 2019 10:44:32 +0200
Subject: Update gnome-desktop code
Nautilus contains a copy of this code, originating in gnome-desktop3.
Fixes a potential crash during thumbnailing
Fixes thumbnailer on 32-bit systems where /lib64 is not available. Also
improve handling of usrmerged and non-usrmerged systems. (Related to LP:
Fixes CVE-2019-11461
Origin: upstream,commit:031b814d526895c612fae98ac75379e60469161b
Applied-Upstream: 3.30.6
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928054
---
src/gnome-desktop/gnome-desktop-thumbnail-script.c | 60 ++++++++++++++++++++--
src/gnome-desktop/gnome-desktop-thumbnail.c | 2 +
2 files changed, 57 insertions(+), 5 deletions(-)
diff --git a/src/gnome-desktop/gnome-desktop-thumbnail-script.c b/src/gnome-desktop/gnome-desktop-thumbnail-script.c
index 14e2fed..8e8b876 100644
--- a/src/gnome-desktop/gnome-desktop-thumbnail-script.c
+++ b/src/gnome-desktop/gnome-desktop-thumbnail-script.c
@@ -343,7 +343,7 @@ setup_seccomp (GPtrArray *argv_array,
{SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
- {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_EQ, (int)TIOCSTI)},
+ {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)},
};
struct
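Review bot: The comment above the `ioctl` rule still cites only CVE-2017-5226 and does not say why the comparison became `SCMP_CMP_MASKED_EQ` with mask `0xFFFFFFFFu`. seccomp compares the full 64-bit argument, while the kernel uses only the low 32 bits of the ioctl request number, so the mask is what makes the rule match regardless of the upper bits. Please extend the comment to say so and to reference CVE-2019-11461 from the commit message, so that a later cleanup does not turn this back into a plain `SCMP_CMP_EQ`.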
@@ -506,22 +506,72 @@ setup_seccomp (GPtrArray *argv_array,
#endif
#ifdef HAVE_BWRAP
+static gboolean
+path_is_usrmerged (const char *dir)
+{
+ /* does /dir point to /usr/dir? */
+ g_autofree char *target = NULL;
+ GStatBuf stat_buf_src, stat_buf_target;
+
+ if (g_stat (dir, &stat_buf_src) < 0)
+ return FALSE;
+
+ target = g_strdup_printf ("/usr/%s", dir);
+
+ if (g_stat (target, &stat_buf_target) < 0)
+ return FALSE;
+
+ return (stat_buf_src.st_dev == stat_buf_target.st_dev) &&
+ (stat_buf_src.st_ino == stat_buf_target.st_ino);
+}
+
static gboolean
add_bwrap (GPtrArray *array,
ScriptExec *script)
{
+ const char * const usrmerged_dirs[] = { "bin", "lib64", "lib", "sbin" };
+ int i;
+
g_return_val_if_fail (script->outdir != NULL, FALSE);
g_return_val_if_fail (script->s_infile != NULL, FALSE);
add_args (array,
"bwrap",
"--ro-bind", "/usr", "/usr",
- "--ro-bind", "/lib", "/lib",
- "--ro-bind", "/lib64", "/lib64",
+ "--ro-bind", "/etc/ld.so.cache", "/etc/ld.so.cache",
+ NULL);
+
+ /* These directories might be symlinks into /usr/... */
+ for (i = 0; i < G_N_ELEMENTS (usrmerged_dirs); i++)
+ {
+ g_autofree char *absolute_dir = g_strdup_printf ("/%s", usrmerged_dirs[i]);
+
+ if (!g_file_test (absolute_dir, G_FILE_TEST_EXISTS))
+ continue;
+
+ if (path_is_usrmerged (absolute_dir))
+ {
+ g_autofree char *symlink_target = g_strdup_printf ("/usr/%s", absolute_dir);
+
+ add_args (array,
+ "--symlink", symlink_target, absolute_dir,
+ NULL);
+ }
+ else
+ {
+ add_args (array,
+ "--ro-bind", absolute_dir, absolute_dir,
+ NULL);
+ }
+ }
+
+ /* fontconfig cache if necessary */
+ if (!g_str_has_prefix (FONTCONFIG_CACHE_PATH, "/usr/"))
+ add_args (array, "--ro-bind-try", FONTCONFIG_CACHE_PATH, FONTCONFIG_CACHE_PATH, NULL);
+
+ add_args (array,
"--proc", "/proc",
"--dev", "/dev",
- "--symlink", "usr/bin", "/bin",
- "--symlink", "usr/sbin", "/sbin",
"--chdir", "/",
"--setenv", "GIO_USE_VFS", "local",
"--unshare-all",
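Review bot: In the first `add_args` call of `add_bwrap`, `/etc/ld.so.cache` is bound with `--ro-bind`, which makes bwrap fail when the source path does not exist, while the fontconfig cache a few lines below uses `--ro-bind-try`. Unless thumbnailing is meant to fail on systems without that file, use `"--ro-bind-try", "/etc/ld.so.cache", "/etc/ld.so.cache"` here as well. A smaller point: `path_is_usrmerged` and the `symlink_target` line both format `"/usr/%s"` with a string that already starts with `/`, so the result is `/usr//bin`; it resolves, but formatting from `usrmerged_dirs[i]` would give a clean path. `path_is_usrmerged` would also benefit from a one-line comment noting that it expects an absolute path and compares device and inode after following symlinks.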
diff --git a/src/gnome-desktop/gnome-desktop-thumbnail.c b/src/gnome-desktop/gnome-desktop-thumbnail.c
index b31bad5..566fbeb 100644
--- a/src/gnome-desktop/gnome-desktop-thumbnail.c
+++ b/src/gnome-desktop/gnome-desktop-thumbnail.c
@@ -969,6 +969,8 @@ get_preview_thumbnail (const char *uri,
object = g_file_info_get_attribute_object (file_info,
G_FILE_ATTRIBUTE_PREVIEW_ICON);
+ if (object)
+ g_object_ref (object);
g_object_unref (file_info);
if (!object)
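Review bot: The reference taken by `g_object_ref (object)` has no matching `g_object_unref (object)` in this hunk, so please confirm that every exit path of `get_preview_thumbnail` after this point releases it; otherwise the fix trades the crash for a leak. A short comment above the `if (object)` line stating that `g_file_info_get_attribute_object` returns a pointer owned by `file_info`, which is why the ref must be taken before `g_object_unref (file_info)`, would keep the ordering from being rearranged later.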