From fedc016e9f6cf9ad91861893074826f991a30893 Mon Sep 17 00:00:00 2001 From: rennes Date: Tue, 2 May 2017 22:46:56 -0500 Subject: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288. * gnu/packages/gnome.scm (gnome-shell)[replacement]: New field. (gnome-shell/fixed): New variable. * gnu/packages/patches/gnome-shell-CVE-2017-8288.patch: New file. * gnu/local.mk (dist_patch_DATA): Add them. --- gnu/local.mk | 1 + gnu/packages/gnome.scm | 15 +++++- .../patches/gnome-shell-CVE-2017-8288.patch | 53 ++++++++++++++++++++++ 3 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/gnome-shell-CVE-2017-8288.patch diff --git a/gnu/local.mk b/gnu/local.mk index 201786889..54178b0ac 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -621,6 +621,7 @@ dist_patch_DATA = \ %D%/packages/patches/glog-gcc-5-demangling.patch \ %D%/packages/patches/gmp-arm-asm-nothumb.patch \ %D%/packages/patches/gmp-faulty-test.patch \ + %D%/packages/patches/gnome-shell-CVE-2017-8288.patch \ %D%/packages/patches/gnome-tweak-tool-search-paths.patch \ %D%/packages/patches/gnucash-price-quotes-perl.patch \ %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index be11442ed..dedb3d02e 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -12,7 +12,7 @@ ;;; Copyright © 2015, 2016, 2017 Mark H Weaver ;;; Copyright © 2015 David Thompson ;;; Copyright © 2015, 2016 Efraim Flashner -;;; Copyright © 2016 Rene Saavedra +;;; Copyright © 2016, 2017 Rene Saavedra ;;; Copyright © 2016 Jochem Raat ;;; Copyright © 2016 Kei Kebreau ;;; Copyright © 2016 Jan Nieuwenhuizen @@ -4994,6 +4994,7 @@ properties, screen resolution, and other GNOME parameters.") (define-public gnome-shell (package (name "gnome-shell") + (replacement gnome-shell/fixed) (version "3.22.2") (source (origin (method url-fetch) @@ -5073,6 +5074,18 @@ properties, screen resolution, and other GNOME parameters.") like switching to windows and launching applications.") (license license:gpl2+))) +(define gnome-shell/fixed + (package + (inherit gnome-shell) + (replacement #f) + (source + (origin + (inherit (package-source gnome-shell)) + (patches + (append + (origin-patches (package-source gnome-shell)) + (search-patches "gnome-shell-CVE-2017-8288.patch"))))))) + (define-public gtk-vnc (package (name "gtk-vnc") diff --git a/gnu/packages/patches/gnome-shell-CVE-2017-8288.patch b/gnu/packages/patches/gnome-shell-CVE-2017-8288.patch new file mode 100644 index 000000000..a6c325375 --- /dev/null +++ b/gnu/packages/patches/gnome-shell-CVE-2017-8288.patch @@ -0,0 +1,53 @@ +Fix CVE-2017-8288: + +http://seclists.org/oss-sec/2017/q2/136 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/gnome-shell/commit/?id=ff425d1db7082e2755d2a405af53861552acf2a1 + +From ff425d1db7082e2755d2a405af53861552acf2a1 Mon Sep 17 00:00:00 2001 +From: Emilio Pozuelo Monfort +Date: Tue, 25 Apr 2017 17:27:42 +0200 +Subject: extensionSystem: handle reloading broken extensions + +Some extensions out there may fail to reload. When that happens, +we need to catch any exceptions so that we don't leave things in +a broken state that could lead to leaving extensions enabled in +the screen shield. + +https://bugzilla.gnome.org/show_bug.cgi?id=781728 +--- + js/ui/extensionSystem.js | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/js/ui/extensionSystem.js b/js/ui/extensionSystem.js +index a4dc29e..fc352b8 100644 +--- a/js/ui/extensionSystem.js ++++ b/js/ui/extensionSystem.js +@@ -282,12 +282,20 @@ function _onVersionValidationChanged() { + // temporarily disable them all + enabledExtensions = []; + for (let uuid in ExtensionUtils.extensions) +- reloadExtension(ExtensionUtils.extensions[uuid]); ++ try { ++ reloadExtension(ExtensionUtils.extensions[uuid]); ++ } catch(e) { ++ logExtensionError(uuid, e); ++ } + enabledExtensions = getEnabledExtensions(); + + if (Main.sessionMode.allowExtensions) { + enabledExtensions.forEach(function(uuid) { +- enableExtension(uuid); ++ try { ++ enableExtension(uuid); ++ } catch(e) { ++ logExtensionError(uuid, e); ++ } + }); + } + } +-- +cgit v0.12 + -- 2.12.0