From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:57949) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1d5ugM-0000el-7k for guix-patches@gnu.org; Wed, 03 May 2017 09:51:07 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1d5ugI-0007NB-A8 for guix-patches@gnu.org; Wed, 03 May 2017 09:51:06 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:53907) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1d5ugI-0007N6-7P for guix-patches@gnu.org; Wed, 03 May 2017 09:51:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1d5ugI-0007fZ-0l for guix-patches@gnu.org; Wed, 03 May 2017 09:51:02 -0400 Subject: bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288. Resent-Message-ID: Received: from eggs.gnu.org ([2001:4830:134:3::10]:57741) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1d5ufM-000070-IP for guix-patches@gnu.org; Wed, 03 May 2017 09:50:05 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1d5ufI-0006by-DB for guix-patches@gnu.org; Wed, 03 May 2017 09:50:04 -0400 Received: from lb1.openmailbox.org ([5.79.108.160]:44461 helo=mail.openmailbox.org) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1d5ufF-0006XA-7K for guix-patches@gnu.org; Wed, 03 May 2017 09:50:00 -0400 Date: Wed, 03 May 2017 08:49:50 -0500 
From: rennes Message-Id: <2mJLT7Z/wQdanXzCpACTLW@bec4dusrlz0aOI14CUJvM> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-xB3yGhTAvK16v1nzFfjP" List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: 26758@debbugs.gnu.org --=-xB3yGhTAvK16v1nzFfjP Content-Type: text/plain; charset=us-ascii; DelSp=Yes; Format=Flowed Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hello, This patch fix the CVE-2017-8288. Tested in Linux x86_64.= --=-xB3yGhTAvK16v1nzFfjP Content-Type: text/x-patch; charset=UTF-8; name=0001-gnu-gnome-shell-Patch-CVE-2017-8288.patch Content-Disposition: attachment; filename=0001-gnu-gnome-shell-Patch-CVE-2017-8288.patch Content-Transfer-Encoding: quoted-printable =46rom fedc016e9f6cf9ad91861893074826f991a30893 Mon Sep 17 00:00:00 2001 From: rennes Date: Tue, 2 May 2017 22:46:56 -0500 Subject: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288. * gnu/packages/gnome.scm (gnome-shell)[replacement]: New field. (gnome-shell/fixed): New variable. * gnu/packages/patches/gnome-shell-CVE-2017-8288.patch: New file. * gnu/local.mk (dist_patch_DATA): Add them. --- gnu/local.mk | 1 + gnu/packages/gnome.scm | 15 +++++- .../patches/gnome-shell-CVE-2017-8288.patch | 53 ++++++++++++++++++= ++++ 3 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/gnome-shell-CVE-2017-8288.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 201786889..54178b0ac 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -621,6 +621,7 @@ dist_patch_DATA =3D \
 %D%/packages/patches/glog-gcc-5-demangling.patch \
 %D%/packages/patches/gmp-arm-asm-nothumb.patch \
 %D%/packages/patches/gmp-faulty-test.patch \
+ %D%/packages/patches/gnome-shell-CVE-2017-8288.patch \
 %D%/packages/patches/gnome-tweak-tool-search-paths.patch \
 %D%/packages/patches/gnucash-price-quotes-perl.patch \
 %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index be11442ed..dedb3d02e 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -12,7 +12,7 @@
 ;;; Copyright =C2=A9 2015, 2016, 2017 Mark H Weaver
 ;;; Copyright =C2=A9 2015 David Thompson
 ;;; Copyright =C2=A9 2015, 2016 Efraim Flashner
-;;; Copyright =C2=A9 2016 Rene Saavedra
+;;; Copyright =C2=A9 2016, 2017 Rene Saavedra
 ;;; Copyright =C2=A9 2016 Jochem Raat
 ;;; Copyright =C2=A9 2016 Kei Kebreau
 ;;; Copyright =C2=A9 2016 Jan Nieuwenhuizen
@@ -4994,6 +4994,7 @@ properties, screen resolution, and other GNOME parame= ters.")
 (define-public gnome-shell
 (package
 (name "gnome-shell")
+ (replacement gnome-shell/fixed)
 (version "3.22.2")
 (source (origin
 (method url-fetch)
@@ -5073,6 +5074,18 @@ properties, screen resolution, and other GNOME param= eters.")
 like switching to windows and launching applications.")
 (license license:gpl2+)))
=20
+(define gnome-shell/fixed
+ (package
+ (inherit gnome-shell)
+ (replacement #f)
+ (source
+ (origin
+ (inherit (package-source gnome-shell))
+ (patches
+ (append
+ (origin-patches (package-source gnome-shell))
+ (search-patches "gnome-shell-CVE-2017-8288.patch")))))))
+
 (define-public gtk-vnc
 (package
 (name "gtk-vnc")
diff --git a/gnu/packages/patches/gnome-shell-CVE-2017-8288.patch b/gnu/pac= kages/patches/gnome-shell-CVE-2017-8288.patch
new file mode 100644
index 000000000..a6c325375
--- /dev/null
+++ b/gnu/packages/patches/gnome-shell-CVE-2017-8288.patch
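Review bot: The graft set up by `(replacement gnome-shell/fixed)` (hunk at -4994) and the new `gnome-shell/fixed` variable (hunk at -5073) is undocumented, and the hunks do not show how many packages depend on gnome-shell. A graft is only worth the indirection when rebuilding dependents is expensive, and a build made with `--no-grafts` keeps the unpatched 3.22.2. If there are few dependents, adding the patch to the existing origin's `patches` field directly would apply the fix to every build. If the graft stays, a comment above the definition such as `;; Graft for CVE-2017-8288; fold the patch into gnome-shell's origin at the next update.` would tell the next maintainer when to remove it.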
@@ -0,0 +1,53 @@
+Fix CVE-2017-8288:
+
+http://seclists.org/oss-sec/2017/q2/136
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/gnome-shell/commit/?id=3Dff425d1db7082e2755d2= a405af53861552acf2a1
+
+From ff425d1db7082e2755d2a405af53861552acf2a1 Mon Sep 17 00:00:00 2001
+From: Emilio Pozuelo Monfort
+Date: Tue, 25 Apr 2017 17:27:42 +0200
+Subject: extensionSystem: handle reloading broken extensions
+
+Some extensions out there may fail to reload. When that happens,
+we need to catch any exceptions so that we don't leave things in
+a broken state that could lead to leaving extensions enabled in
+the screen shield.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=3D781728
+---
+ js/ui/extensionSystem.js | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/js/ui/extensionSystem.js b/js/ui/extensionSystem.js
+index a4dc29e..fc352b8 100644
+--- a/js/ui/extensionSystem.js
++++ b/js/ui/extensionSystem.js
+@@ -282,12 +282,20 @@ function _onVersionValidationChanged() {
+ // temporarily disable them all
+ enabledExtensions =3D [];
+ for (let uuid in ExtensionUtils.extensions)
+- reloadExtension(ExtensionUtils.extensions[uuid]);
++ try {
++ reloadExtension(ExtensionUtils.extensions[uuid]);
++ } catch(e) {
++ logExtensionError(uuid, e);
++ }
+ enabledExtensions =3D getEnabledExtensions();
+=20
+ if (Main.sessionMode.allowExtensions) {
+ enabledExtensions.forEach(function(uuid) {
+- enableExtension(uuid);
++ try {
++ enableExtension(uuid);
++ } catch(e) {
++ logExtensionError(uuid, e);
++ }
+ });
+ }
+ }
+--=20
+cgit v0.12
+
--=20 2.12.0 = --=-xB3yGhTAvK16v1nzFfjP--
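Review bot: In the embedded upstream patch, both new `catch(e)` blocks in `_onVersionValidationChanged` only call `logExtensionError(uuid, e)` and carry on, so nothing visible here shows that an extension whose `reloadExtension()` threw actually ends up disabled. The commit message names the risk as extensions staying enabled in the screen shield, and `logExtensionError` is defined outside the hunk, so it is worth confirming that it marks the extension as errored rather than leaving it active, and checking the lock-screen path in the patched Guix build. The `for (let uuid in ExtensionUtils.extensions)` loop also now carries a multi-line `try`/`catch` as an unbraced body, which is easy to misread; wrapping it in `{ … }` would help. Since the file is a verbatim copy of the upstream commit, that last remark is for upstream rather than something to change here. The function begins before the inner hunk.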