Thu Sep 14 02:38:14 UTC 202320230914023814

a/kernel-firmware-20230907_dfa1146-noarch-1.txz:  Upgraded.
a/kernel-generic-6.1.53-x86_64-1.txz:  Upgraded.
a/kernel-huge-6.1.53-x86_64-1.txz:  Upgraded.
a/kernel-modules-6.1.53-x86_64-1.txz:  Upgraded.
ap/ghostscript-10.02.0-x86_64-1.txz:  Upgraded.
ap/vim-9.0.1897-x86_64-2.txz:  Rebuilt.
  Recompiled against libsodium-1.0.19.
d/cbindgen-0.26.0-x86_64-1.txz:  Upgraded.
d/kernel-headers-6.1.53-x86-1.txz:  Upgraded.
k/kernel-source-6.1.53-noarch-1.txz:  Upgraded.
kde/keysmith-23.08.0-x86_64-2.txz:  Rebuilt.
  Recompiled against libsodium-1.0.19.
l/glib2-2.78.0-x86_64-2.txz:  Rebuilt.
  [PATCH] gthreadedresolver: Fix race between source callbacks and finalize.
  Thanks to marav.
l/libarchive-3.7.2-x86_64-1.txz:  Upgraded.
  This update fixes multiple security vulnerabilities in the PAX writer:
  Heap overflow in url_encode() in archive_write_set_format_pax.c.
  NULL dereference in archive_write_pax_header_xattrs().
  Another NULL dereference in archive_write_pax_header_xattrs().
  NULL dereference in archive_write_pax_header_xattr().
  (* Security fix *)
l/librsvg-2.56.4-x86_64-1.txz:  Upgraded.
l/libsodium-1.0.19-x86_64-1.txz:  Upgraded.
  Shared library .so-version bump.
n/curl-8.3.0-x86_64-1.txz:  Upgraded.
  This update fixes a security issue:
  HTTP headers eat all memory.
    https://curl.se/docs/CVE-2023-38039.html
    https://www.cve.org/CVERecord?id=CVE-2023-38039
  (* Security fix *)
n/dovecot-2.3.20-x86_64-4.txz:  Rebuilt.
  Recompiled against libsodium-1.0.19.
n/netatalk-3.1.16-x86_64-1.txz:  Upgraded.
  This update fixes bugs and security issues.
  Shared library .so-version bump.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-23121
    https://www.cve.org/CVERecord?id=CVE-2022-23123
  (* Security fix *)
n/openldap-2.6.6-x86_64-2.txz:  Rebuilt.
  Recompiled against libsodium-1.0.19.
n/php-8.2.10-x86_64-2.txz:  Rebuilt.
  Recompiled against libsodium-1.0.19.
n/proftpd-1.3.8-x86_64-4.txz:  Rebuilt.
  Recompiled against libsodium-1.0.19.
x/libglvnd-1.7.0-x86_64-1.txz:  Upgraded.
xap/mozilla-thunderbird-115.2.2-x86_64-1.txz:  Upgraded.
  This release contains a security fix for a critical heap buffer overflow.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.2.2/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
    https://www.cve.org/CVERecord?id=CVE-2023-4863
  (* Security fix *)
xap/vim-gvim-9.0.1897-x86_64-2.txz:  Rebuilt.
  Recompiled against libsodium-1.0.19.
isolinux/initrd.img:  Rebuilt.
kernels/*:  Upgraded.
usb-and-pxe-installers/usbboot.img:  Rebuilt.

1 files changed, 132 insertions, 0 deletions

diff --git a/source/l/glib2/82c764ce2e42f0d1032627dabcbd742d5f2bd8fa.patch b/source/l/glib2/82c764ce2e42f0d1032627dabcbd742d5f2bd8fa.patch
new file mode 100644
index 000000000..911b78c88
--- /dev/null
+++ b/source/l/glib2/82c764ce2e42f0d1032627dabcbd742d5f2bd8fa.patch
@@ -0,0 +1,132 @@
+From 82c764ce2e42f0d1032627dabcbd742d5f2bd8fa Mon Sep 17 00:00:00 2001
+From: Philip Withnall <philip@tecnocode.co.uk>
+Date: Mon, 11 Sep 2023 16:02:15 +0100
+Subject: [PATCH] gthreadedresolver: Fix race between source callbacks and
+ finalize
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+I had thought that because `g_source_destroy()` was called for the two
+sources (cancel and timeout) in the `GTask` finalize function for a
+threaded resolver operation, that it would be fine to use a plain
+pointer in the source callbacks to point to the `GTask`.
+
+That turns out to not be true: because the source callbacks are executed
+in the GLib worker thread, and the `GTask` can be finalized in another
+thread, it’s possible for a source callback (e.g. `cancelled_cb()`) to
+be scheduled in the worker thread, then for the `GTask` to be finalized,
+and then the source callback to continue execution and find itself
+doing a use-after-free.
+
+Fix that by using a weak ref to the `GTask` in the source callbacks,
+rather than a plain pointer.
+
+Signed-off-by: Philip Withnall <philip@tecnocode.co.uk>
+
+Fixes: #3105
+---
+ gio/gthreadedresolver.c | 43 +++++++++++++++++++++++++++++++++++------
+ 1 file changed, 37 insertions(+), 6 deletions(-)
+
+diff --git a/gio/gthreadedresolver.c b/gio/gthreadedresolver.c
+index 2d94531bfd..c7a567549f 100644
+--- a/gio/gthreadedresolver.c
++++ b/gio/gthreadedresolver.c
+@@ -1422,10 +1422,17 @@ lookup_records_finish (GResolver     *resolver,
+ static gboolean
+ timeout_cb (gpointer user_data)
+ {
+-  GTask *task = G_TASK (user_data);
+-  LookupData *data = g_task_get_task_data (task);
++  GWeakRef *weak_task = user_data;
++  GTask *task = NULL;  /* (owned) */
++  LookupData *data;
+   gboolean should_return;
+ 
++  task = g_weak_ref_get (weak_task);
++  if (task == NULL)
++    return G_SOURCE_REMOVE;
++
++  data = g_task_get_task_data (task);
++
+   g_mutex_lock (&data->lock);
+ 
+   should_return = g_atomic_int_compare_and_exchange (&data->will_return, NOT_YET, TIMED_OUT);
+@@ -1443,6 +1450,8 @@ timeout_cb (gpointer user_data)
+   g_cond_broadcast (&data->cond);
+   g_mutex_unlock (&data->lock);
+ 
++  g_object_unref (task);
++
+   return G_SOURCE_REMOVE;
+ }
+ 
+@@ -1452,10 +1461,17 @@ static gboolean
+ cancelled_cb (GCancellable *cancellable,
+               gpointer      user_data)
+ {
+-  GTask *task = G_TASK (user_data);
+-  LookupData *data = g_task_get_task_data (task);
++  GWeakRef *weak_task = user_data;
++  GTask *task = NULL;  /* (owned) */
++  LookupData *data;
+   gboolean should_return;
+ 
++  task = g_weak_ref_get (weak_task);
++  if (task == NULL)
++    return G_SOURCE_REMOVE;
++
++  data = g_task_get_task_data (task);
++
+   g_mutex_lock (&data->lock);
+ 
+   g_assert (g_cancellable_is_cancelled (cancellable));
+@@ -1473,9 +1489,18 @@ cancelled_cb (GCancellable *cancellable,
+   g_cond_broadcast (&data->cond);
+   g_mutex_unlock (&data->lock);
+ 
++  g_object_unref (task);
++
+   return G_SOURCE_REMOVE;
+ }
+ 
++static void
++weak_ref_clear_and_free (GWeakRef *weak_ref)
++{
++  g_weak_ref_clear (weak_ref);
++  g_free (weak_ref);
++}
++
+ static void
+ run_task_in_thread_pool_async (GThreadedResolver *self,
+                                GTask             *task)
+@@ -1490,17 +1515,23 @@ run_task_in_thread_pool_async (GThreadedResolver *self,
+ 
+   if (timeout_ms != 0)
+     {
++      GWeakRef *weak_task = g_new0 (GWeakRef, 1);
++      g_weak_ref_set (weak_task, task);
++
+       data->timeout_source = g_timeout_source_new (timeout_ms);
+       g_source_set_static_name (data->timeout_source, "[gio] threaded resolver timeout");
+-      g_source_set_callback (data->timeout_source, G_SOURCE_FUNC (timeout_cb), task, NULL);
++      g_source_set_callback (data->timeout_source, G_SOURCE_FUNC (timeout_cb), g_steal_pointer (&weak_task), (GDestroyNotify) weak_ref_clear_and_free);
+       g_source_attach (data->timeout_source, GLIB_PRIVATE_CALL (g_get_worker_context) ());
+     }
+ 
+   if (cancellable != NULL)
+     {
++      GWeakRef *weak_task = g_new0 (GWeakRef, 1);
++      g_weak_ref_set (weak_task, task);
++
+       data->cancellable_source = g_cancellable_source_new (cancellable);
+       g_source_set_static_name (data->cancellable_source, "[gio] threaded resolver cancellable");
+-      g_source_set_callback (data->cancellable_source, G_SOURCE_FUNC (cancelled_cb), task, NULL);
++      g_source_set_callback (data->cancellable_source, G_SOURCE_FUNC (cancelled_cb), g_steal_pointer (&weak_task), (GDestroyNotify) weak_ref_clear_and_free);
+       g_source_attach (data->cancellable_source, GLIB_PRIVATE_CALL (g_get_worker_context) ());
+     }
+ 
+-- 
+GitLab
+