* bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.
@ 2017-05-03 13:49 rennes
  2017-05-03 22:31 ` Leo Famulari
  0 siblings, 1 reply; 6+ messages in thread
From: rennes @ 2017-05-03 13:49 UTC (permalink / raw)
  To: 26758


Hello,

This patch fixes CVE-2017-8288.
Tested on Linux x86_64.

[-- Attachment #2: 0001-gnu-gnome-shell-Patch-CVE-2017-8288.patch --]
[-- Type: text/x-patch, Size: 4945 bytes --]

From fedc016e9f6cf9ad91861893074826f991a30893 Mon Sep 17 00:00:00 2001
From: rennes <rennes@openmailbox.org>
Date: Tue, 2 May 2017 22:46:56 -0500
Subject: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.

* gnu/packages/gnome.scm (gnome-shell)[replacement]: New field.
(gnome-shell/fixed): New variable.
* gnu/packages/patches/gnome-shell-CVE-2017-8288.patch:	New file.
* gnu/local.mk (dist_patch_DATA): Add them.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/gnome.scm                             | 15 +++++-
 .../patches/gnome-shell-CVE-2017-8288.patch        | 53 ++++++++++++++++++++++
 3 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/gnome-shell-CVE-2017-8288.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 201786889..54178b0ac 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -621,6 +621,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/glog-gcc-5-demangling.patch		\
   %D%/packages/patches/gmp-arm-asm-nothumb.patch		\
   %D%/packages/patches/gmp-faulty-test.patch			\
+  %D%/packages/patches/gnome-shell-CVE-2017-8288.patch		\
   %D%/packages/patches/gnome-tweak-tool-search-paths.patch	\
   %D%/packages/patches/gnucash-price-quotes-perl.patch		\
   %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index be11442ed..dedb3d02e 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -12,7 +12,7 @@
 ;;; Copyright © 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
 ;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
-;;; Copyright © 2016 Rene Saavedra <rennes@openmailbox.org>
+;;; Copyright © 2016, 2017 Rene Saavedra <rennes@openmailbox.org>
 ;;; Copyright © 2016 Jochem Raat <jchmrt@riseup.net>
 ;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
@@ -4994,6 +4994,7 @@ properties, screen resolution, and other GNOME parameters.")
 (define-public gnome-shell
   (package
     (name "gnome-shell")
+    (replacement gnome-shell/fixed)
     (version "3.22.2")
     (source (origin
               (method url-fetch)
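Review bot: `(replacement gnome-shell/fixed)` at line 65 is a forward reference to a variable defined further down the file; that is fine in Guix because the `replacement` field of the `package` record is thunked, so the variable is only dereferenced when the daemon looks up grafts, not when the record is built. Placing it directly after `name` matches how other grafted packages in gnome.scm are written.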
@@ -5073,6 +5074,18 @@ properties, screen resolution, and other GNOME parameters.")
 like switching to windows and launching applications.")
     (license license:gpl2+)))
 
+(define gnome-shell/fixed
+  (package
+    (inherit gnome-shell)
+    (replacement #f)
+    (source
+     (origin
+       (inherit (package-source gnome-shell))
+       (patches
+        (append
+         (origin-patches (package-source gnome-shell))
+         (search-patches "gnome-shell-CVE-2017-8288.patch")))))))
+
 (define-public gtk-vnc
   (package
     (name "gtk-vnc")
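Review bot: the graft is well-formed: `(replacement #f)` on `gnome-shell/fixed` stops the replacement from being grafted in turn, it is `define`d rather than `define-public` so it cannot be installed by name, and since the fix only patches a JavaScript file the replacement's output has the same file layout as the original, which grafting requires. The one question to settle before merging is whether a graft is needed at all: a graft only pays off when many dependents would otherwise be rebuilt, and `guix refresh -l gnome-shell` later in this thread reports a single dependent (gnome@3.22.2), so applying the patch to `gnome-shell` directly and dropping `gnome-shell/fixed` is the simpler change.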
diff --git a/gnu/packages/patches/gnome-shell-CVE-2017-8288.patch b/gnu/packages/patches/gnome-shell-CVE-2017-8288.patch
new file mode 100644
index 000000000..a6c325375
--- /dev/null
+++ b/gnu/packages/patches/gnome-shell-CVE-2017-8288.patch
@@ -0,0 +1,53 @@
+Fix CVE-2017-8288:
+
+http://seclists.org/oss-sec/2017/q2/136
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/gnome-shell/commit/?id=ff425d1db7082e2755d2a405af53861552acf2a1
+
+From ff425d1db7082e2755d2a405af53861552acf2a1 Mon Sep 17 00:00:00 2001
+From: Emilio Pozuelo Monfort <pochu27@gmail.com>
+Date: Tue, 25 Apr 2017 17:27:42 +0200
+Subject: extensionSystem: handle reloading broken extensions
+
+Some extensions out there may fail to reload. When that happens,
+we need to catch any exceptions so that we don't leave things in
+a broken state that could lead to leaving extensions enabled in
+the screen shield.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=781728
+---
+ js/ui/extensionSystem.js | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/js/ui/extensionSystem.js b/js/ui/extensionSystem.js
+index a4dc29e..fc352b8 100644
+--- a/js/ui/extensionSystem.js
++++ b/js/ui/extensionSystem.js
+@@ -282,12 +282,20 @@ function _onVersionValidationChanged() {
+     // temporarily disable them all
+     enabledExtensions = [];
+     for (let uuid in ExtensionUtils.extensions)
+-        reloadExtension(ExtensionUtils.extensions[uuid]);
++        try {
++            reloadExtension(ExtensionUtils.extensions[uuid]);
++        } catch(e) {
++            logExtensionError(uuid, e);
++        }
+     enabledExtensions = getEnabledExtensions();
+ 
+     if (Main.sessionMode.allowExtensions) {
+         enabledExtensions.forEach(function(uuid) {
+-            enableExtension(uuid);
++            try {
++                enableExtension(uuid);
++            } catch(e) {
++                logExtensionError(uuid, e);
++            }
+         });
+     }
+ }
+-- 
+cgit v0.12
+
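Review bot: the trailer at lines 144-146 keeps cgit's `-- ` / `cgit v0.12` signature and a trailing blank line from the downloaded commit; the patch tool ignores them, but trimming them keeps the patch file clean and avoids a whitespace-at-EOF warning. The change itself is what the CVE description calls for: both `reloadExtension` and `enableExtension` are wrapped in try/catch that reports through `logExtensionError`, so a single broken extension no longer aborts the loop and leaves `enabledExtensions` in an inconsistent state when the screen shield is up. The unbraced `for` at line 124 whose body is now a single `try` statement is valid JavaScript. The header lines with the oss-sec reference and the upstream commit URL follow the provenance convention Guix expects for CVE patches.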
-- 
2.12.0



* bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.
  2017-05-03 13:49 bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288 rennes
@ 2017-05-03 22:31 ` Leo Famulari
  2017-05-04 13:12   ` rennes
  0 siblings, 1 reply; 6+ messages in thread
From: Leo Famulari @ 2017-05-03 22:31 UTC (permalink / raw)
  To: rennes; +Cc: 26758


On Wed, May 03, 2017 at 08:49:50AM -0500, rennes wrote:
> Hello,
> 
> This patch fixes CVE-2017-8288.
> Tested on Linux x86_64.

> From fedc016e9f6cf9ad91861893074826f991a30893 Mon Sep 17 00:00:00 2001
> From: rennes <rennes@openmailbox.org>
> Date: Tue, 2 May 2017 22:46:56 -0500
> Subject: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.
> 
> * gnu/packages/gnome.scm (gnome-shell)[replacement]: New field.
> (gnome-shell/fixed): New variable.
> * gnu/packages/patches/gnome-shell-CVE-2017-8288.patch:	New file.
> * gnu/local.mk (dist_patch_DATA): Add them.

Thanks! Do we need to graft it, or can we apply the patch directly to
gnome-shell? What would need to be rebuilt if we applied the patch
directly?



* bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.
  2017-05-03 22:31 ` Leo Famulari
@ 2017-05-04 13:12   ` rennes
  2017-05-04 14:06     ` Ludovic Courtès
                       ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: rennes @ 2017-05-04 13:12 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 26758

Hello Leo,

> Thanks! Do we need to graft it, or can we apply the patch directly to
> gnome-shell? What would need to be rebuilt if we applied the patch
> directly?
> 
I did both tests: the first, applying the patch directly, took more than
twelve hours; the second, creating the procedure gnome-shell/fixed, did
not take more than 10 minutes.

I read about the subject at
https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html
but I still do not understand how to determine how much needs to be
rebuilt!

HTH


* bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.
  2017-05-04 13:12   ` rennes
@ 2017-05-04 14:06     ` Ludovic Courtès
  2017-05-05 20:19     ` Leo Famulari
  2017-05-05 20:19     ` Leo Famulari
  2 siblings, 0 replies; 6+ messages in thread
From: Ludovic Courtès @ 2017-05-04 14:06 UTC (permalink / raw)
  To: rennes; +Cc: 26758

Hi rennes,

rennes <rennes@openmailbox.org> writes:

> but I still do not understand how to determine how much needs to be
> rebuilt!

Like this:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix refresh -l gnome-shell
A single dependent package: gnome@3.22.2
--8<---------------cut here---------------end--------------->8---

IOW, only ‘gnome’ depends on ‘gnome-shell’.

HTH,
Ludo’.


* bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.
  2017-05-04 13:12   ` rennes
  2017-05-04 14:06     ` Ludovic Courtès
@ 2017-05-05 20:19     ` Leo Famulari
  2017-05-05 20:19     ` Leo Famulari
  2 siblings, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2017-05-05 20:19 UTC (permalink / raw)
  To: rennes; +Cc: 26758


On Thu, May 04, 2017 at 08:12:01AM -0500, rennes wrote:
> Hello Leo,
> 
> > Thanks! Do we need to graft it, or can we apply the patch directly to
> > gnome-shell? What would need to be rebuilt if we applied the patch
> > directly?

I applied it directly as cc3bc027ebbc924cc60fdcd8e7c8572bd0adf90c. If
that was a mistake, we can graft it in a followup commit.

> I did both tests: the first, applying the patch directly, took more than
> twelve hours; the second, creating the procedure gnome-shell/fixed, did
> not take more than 10 minutes.

I guess that the first time, you built the fixed gnome-shell. That took
a long time (!!!) for some reason; maybe you had to build its entire
dependency graph from source, or maybe the machine was not powerful.

The next time, when you tried the graft, everything was already built,
so you saw a big speed-up.

> I read about the subject,
> https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html
> 
> but I still do not understand how to determine how much needs to be
> rebuilt!

As Ludo points out, you can use `guix refresh -l` for this. It's not
100% accurate, but it's pretty good in most cases.



* bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.
  2017-05-04 13:12   ` rennes
  2017-05-04 14:06     ` Ludovic Courtès
  2017-05-05 20:19     ` Leo Famulari
@ 2017-05-05 20:19     ` Leo Famulari
  2 siblings, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2017-05-05 20:19 UTC (permalink / raw)
  To: 26758-done


On Thu, May 04, 2017 at 08:12:01AM -0500, rennes wrote:
> Hello Leo,
> 
> > Thanks! Do we need to graft it, or can we apply the patch directly to
> > gnome-shell? What would need to be rebuilt if we applied the patch
> > directly?
> > 
> I did both tests: the first, applying the patch directly, took more than
> twelve hours; the second, creating the procedure gnome-shell/fixed, did
> not take more than 10 minutes.
> 
> I read about the subject,
> https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html
> 
> but I still do not understand how to determine how much needs to be
> rebuilt!
> 
> HTH

Closing...



Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
