* bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.
@ 2017-05-03 13:49 rennes
2017-05-03 22:31 ` Leo Famulari
0 siblings, 1 reply; 6+ messages in thread
From: rennes @ 2017-05-03 13:49 UTC (permalink / raw)
To: 26758
[-- Attachment #1: Type: text/plain, Size: 68 bytes --]
Hello,
This patch fix the CVE-2017-8288.
Tested in Linux x86_64.
[-- Attachment #2: 0001-gnu-gnome-shell-Patch-CVE-2017-8288.patch --]
[-- Type: text/x-patch, Size: 4945 bytes --]
From fedc016e9f6cf9ad91861893074826f991a30893 Mon Sep 17 00:00:00 2001
From: rennes <rennes@openmailbox.org>
Date: Tue, 2 May 2017 22:46:56 -0500
Subject: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.
* gnu/packages/gnome.scm (gnome-shell)[replacement]: New field.
(gnome-shell/fixed): New variable.
* gnu/packages/patches/gnome-shell-CVE-2017-8288.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add them.
---
gnu/local.mk | 1 +
gnu/packages/gnome.scm | 15 +++++-
.../patches/gnome-shell-CVE-2017-8288.patch | 53 ++++++++++++++++++++++
3 files changed, 68 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/gnome-shell-CVE-2017-8288.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 201786889..54178b0ac 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -621,6 +621,7 @@ dist_patch_DATA = \
%D%/packages/patches/glog-gcc-5-demangling.patch \
%D%/packages/patches/gmp-arm-asm-nothumb.patch \
%D%/packages/patches/gmp-faulty-test.patch \
+ %D%/packages/patches/gnome-shell-CVE-2017-8288.patch \
%D%/packages/patches/gnome-tweak-tool-search-paths.patch \
%D%/packages/patches/gnucash-price-quotes-perl.patch \
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index be11442ed..dedb3d02e 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -12,7 +12,7 @@
;;; Copyright © 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
-;;; Copyright © 2016 Rene Saavedra <rennes@openmailbox.org>
+;;; Copyright © 2016, 2017 Rene Saavedra <rennes@openmailbox.org>
;;; Copyright © 2016 Jochem Raat <jchmrt@riseup.net>
;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
@@ -4994,6 +4994,7 @@ properties, screen resolution, and other GNOME parameters.")
(define-public gnome-shell
(package
(name "gnome-shell")
+ (replacement gnome-shell/fixed)
(version "3.22.2")
(source (origin
(method url-fetch)
@@ -5073,6 +5074,18 @@ properties, screen resolution, and other GNOME parameters.")
like switching to windows and launching applications.")
(license license:gpl2+)))
+(define gnome-shell/fixed
+ (package
+ (inherit gnome-shell)
+ (replacement #f)
+ (source
+ (origin
+ (inherit (package-source gnome-shell))
+ (patches
+ (append
+ (origin-patches (package-source gnome-shell))
+ (search-patches "gnome-shell-CVE-2017-8288.patch")))))))
+
(define-public gtk-vnc
(package
(name "gtk-vnc")
diff --git a/gnu/packages/patches/gnome-shell-CVE-2017-8288.patch b/gnu/packages/patches/gnome-shell-CVE-2017-8288.patch
new file mode 100644
index 000000000..a6c325375
--- /dev/null
+++ b/gnu/packages/patches/gnome-shell-CVE-2017-8288.patch
@@ -0,0 +1,53 @@
+Fix CVE-2017-8288:
+
+http://seclists.org/oss-sec/2017/q2/136
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/gnome-shell/commit/?id=ff425d1db7082e2755d2a405af53861552acf2a1
+
+From ff425d1db7082e2755d2a405af53861552acf2a1 Mon Sep 17 00:00:00 2001
+From: Emilio Pozuelo Monfort <pochu27@gmail.com>
+Date: Tue, 25 Apr 2017 17:27:42 +0200
+Subject: extensionSystem: handle reloading broken extensions
+
+Some extensions out there may fail to reload. When that happens,
+we need to catch any exceptions so that we don't leave things in
+a broken state that could lead to leaving extensions enabled in
+the screen shield.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=781728
+---
+ js/ui/extensionSystem.js | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/js/ui/extensionSystem.js b/js/ui/extensionSystem.js
+index a4dc29e..fc352b8 100644
+--- a/js/ui/extensionSystem.js
++++ b/js/ui/extensionSystem.js
+@@ -282,12 +282,20 @@ function _onVersionValidationChanged() {
+ // temporarily disable them all
+ enabledExtensions = [];
+ for (let uuid in ExtensionUtils.extensions)
+- reloadExtension(ExtensionUtils.extensions[uuid]);
++ try {
++ reloadExtension(ExtensionUtils.extensions[uuid]);
++ } catch(e) {
++ logExtensionError(uuid, e);
++ }
+ enabledExtensions = getEnabledExtensions();
+
+ if (Main.sessionMode.allowExtensions) {
+ enabledExtensions.forEach(function(uuid) {
+- enableExtension(uuid);
++ try {
++ enableExtension(uuid);
++ } catch(e) {
++ logExtensionError(uuid, e);
++ }
+ });
+ }
+ }
+--
+cgit v0.12
+
--
2.12.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.
2017-05-03 13:49 bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288 rennes
@ 2017-05-03 22:31 ` Leo Famulari
2017-05-04 13:12 ` rennes
0 siblings, 1 reply; 6+ messages in thread
From: Leo Famulari @ 2017-05-03 22:31 UTC (permalink / raw)
To: rennes; +Cc: 26758
[-- Attachment #1: Type: text/plain, Size: 728 bytes --]
On Wed, May 03, 2017 at 08:49:50AM -0500, rennes wrote:
> Hello,
>
> This patch fix the CVE-2017-8288.
> Tested in Linux x86_64.
> From fedc016e9f6cf9ad91861893074826f991a30893 Mon Sep 17 00:00:00 2001
> From: rennes <rennes@openmailbox.org>
> Date: Tue, 2 May 2017 22:46:56 -0500
> Subject: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.
>
> * gnu/packages/gnome.scm (gnome-shell)[replacement]: New field.
> (gnome-shell/fixed): New variable.
> * gnu/packages/patches/gnome-shell-CVE-2017-8288.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add them.
Thanks! Do we need to graft it, or can we apply the patch directly to
gnome-shell? What would need to be rebuilt if we applied the patch
directly?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.
2017-05-03 22:31 ` Leo Famulari
@ 2017-05-04 13:12 ` rennes
2017-05-04 14:06 ` Ludovic Courtès
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: rennes @ 2017-05-04 13:12 UTC (permalink / raw)
To: Leo Famulari; +Cc: 26758
Hello Leo,
> Thanks! Do we need to graft it, or can we apply the patch directly to
> gnome-shell? What would need to be rebuilt if we applied the patch
> directly?
>
I did both tests: the first apply the patch directly, lasted more than
twelve hours; the second to create the procedure gnome-shell/fixed and
it did not take more than 10 minutes.
I read about the subject,
https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html
but I still do not understand the way to determine how much needs to be
rebuilt!
HTH
^ permalink raw reply [flat|nested] 6+ messages in thread
* bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.
2017-05-04 13:12 ` rennes
@ 2017-05-04 14:06 ` Ludovic Courtès
2017-05-05 20:19 ` Leo Famulari
2017-05-05 20:19 ` Leo Famulari
2 siblings, 0 replies; 6+ messages in thread
From: Ludovic Courtès @ 2017-05-04 14:06 UTC (permalink / raw)
To: rennes; +Cc: 26758
Hi rennes,
rennes <rennes@openmailbox.org> skribis:
> but I still do not understand the way to determine how much needs to be
> rebuilt!
Like this:
--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix refresh -l gnome-shell
A single dependent package: gnome@3.22.2
--8<---------------cut here---------------end--------------->8---
IOW, only ‘gnome’ depends on ‘gnome-shell’.
HTH,
Ludo’.
^ permalink raw reply [flat|nested] 6+ messages in thread
* bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.
2017-05-04 13:12 ` rennes
2017-05-04 14:06 ` Ludovic Courtès
@ 2017-05-05 20:19 ` Leo Famulari
2017-05-05 20:19 ` Leo Famulari
2 siblings, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2017-05-05 20:19 UTC (permalink / raw)
To: rennes; +Cc: 26758
[-- Attachment #1: Type: text/plain, Size: 1199 bytes --]
On Thu, May 04, 2017 at 08:12:01AM -0500, rennes wrote:
> Hello Leo,
>
> > Thanks! Do we need to graft it, or can we apply the patch directly to
> > gnome-shell? What would need to be rebuilt if we applied the patch
> > directly?
I applied it directly as cc3bc027ebbc924cc60fdcd8e7c8572bd0adf90c. If
that was a mistake, we can graft it in a followup commit.
> I did both tests: the first apply the patch directly, lasted more than
> twelve hours; the second to create the procedure gnome-shell/fixed and it
> did not take more than 10 minutes.
I guess that the first time, you built the fixed gnome-shell. That took
a long time (!!!) for some reason; maybe you had to build its entire
dependency graph from source, or maybe the machine was not powerful.
The next time, when you tried the graft, everything was already built,
so you saw a big speed-up.
> I read about the subject,
> https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html
>
> but I still do not understand the way to determine how much needs to be
> rebuilt!
As Ludo points out, you can use `guix refresh -l` for this. It's not
100% accurate, but it's pretty good in most cases.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288.
2017-05-04 13:12 ` rennes
2017-05-04 14:06 ` Ludovic Courtès
2017-05-05 20:19 ` Leo Famulari
@ 2017-05-05 20:19 ` Leo Famulari
2 siblings, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2017-05-05 20:19 UTC (permalink / raw)
To: 26758-done
[-- Attachment #1: Type: text/plain, Size: 657 bytes --]
On Thu, May 04, 2017 at 08:12:01AM -0500, rennes wrote:
> Hello Leo,
>
> > Thanks! Do we need to graft it, or can we apply the patch directly to
> > gnome-shell? What would need to be rebuilt if we applied the patch
> > directly?
> >
> I did both tests: the first apply the patch directly, lasted more than
> twelve hours; the second to create the procedure gnome-shell/fixed and it
> did not take more than 10 minutes.
>
> I read about the subject,
> https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html
>
> but I still do not understand the way to determine how much needs to be
> rebuilt!
>
> HTH
Closing...
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-05-05 20:20 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-05-03 13:49 bug#26758: [PATCH] gnu: gnome-shell: Patch CVE-2017-8288 rennes
2017-05-03 22:31 ` Leo Famulari
2017-05-04 13:12 ` rennes
2017-05-04 14:06 ` Ludovic Courtès
2017-05-05 20:19 ` Leo Famulari
2017-05-05 20:19 ` Leo Famulari
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.