author | Patrick J Volkerding <volkerdi@slackware.com> | 2023-09-14 02:38:14 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2023-09-14 05:06:53 +0200 |
commit | 8daddd6079dea98d321586cf3e4b1e772a384bed (patch) | |
tree | d617cd5c18d17579f21b9a61e0006fd0d9a2c6c7 /source/l/glib2 | |
parent | d3d716b8ff72205dcbce1cffa2cd2b8e49262e5c (diff) | |
Thu Sep 14 02:38:14 UTC 202320230914023814
a/kernel-firmware-20230907_dfa1146-noarch-1.txz: Upgraded.
a/kernel-generic-6.1.53-x86_64-1.txz: Upgraded.
a/kernel-huge-6.1.53-x86_64-1.txz: Upgraded.
a/kernel-modules-6.1.53-x86_64-1.txz: Upgraded.
ap/ghostscript-10.02.0-x86_64-1.txz: Upgraded.
ap/vim-9.0.1897-x86_64-2.txz: Rebuilt.
Recompiled against libsodium-1.0.19.
d/cbindgen-0.26.0-x86_64-1.txz: Upgraded.
d/kernel-headers-6.1.53-x86-1.txz: Upgraded.
k/kernel-source-6.1.53-noarch-1.txz: Upgraded.
kde/keysmith-23.08.0-x86_64-2.txz: Rebuilt.
Recompiled against libsodium-1.0.19.
l/glib2-2.78.0-x86_64-2.txz: Rebuilt.
[PATCH] gthreadedresolver: Fix race between source callbacks and finalize.
Thanks to marav.
l/libarchive-3.7.2-x86_64-1.txz: Upgraded.
This update fixes multiple security vulnerabilities in the PAX writer:
Heap overflow in url_encode() in archive_write_set_format_pax.c.
NULL dereference in archive_write_pax_header_xattrs().
Another NULL dereference in archive_write_pax_header_xattrs().
NULL dereference in archive_write_pax_header_xattr().
(* Security fix *)
l/librsvg-2.56.4-x86_64-1.txz: Upgraded.
l/libsodium-1.0.19-x86_64-1.txz: Upgraded.
Shared library .so-version bump.
n/curl-8.3.0-x86_64-1.txz: Upgraded.
This update fixes a security issue:
HTTP headers eat all memory.
https://curl.se/docs/CVE-2023-38039.html
https://www.cve.org/CVERecord?id=CVE-2023-38039
(* Security fix *)
n/dovecot-2.3.20-x86_64-4.txz: Rebuilt.
Recompiled against libsodium-1.0.19.
n/netatalk-3.1.16-x86_64-1.txz: Upgraded.
This update fixes bugs and security issues.
Shared library .so-version bump.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-23121
https://www.cve.org/CVERecord?id=CVE-2022-23123
(* Security fix *)
n/openldap-2.6.6-x86_64-2.txz: Rebuilt.
Recompiled against libsodium-1.0.19.
n/php-8.2.10-x86_64-2.txz: Rebuilt.
Recompiled against libsodium-1.0.19.
n/proftpd-1.3.8-x86_64-4.txz: Rebuilt.
Recompiled against libsodium-1.0.19.
x/libglvnd-1.7.0-x86_64-1.txz: Upgraded.
xap/mozilla-thunderbird-115.2.2-x86_64-1.txz: Upgraded.
This release contains a security fix for a critical heap buffer overflow.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/115.2.2/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
https://www.cve.org/CVERecord?id=CVE-2023-4863
(* Security fix *)
xap/vim-gvim-9.0.1897-x86_64-2.txz: Rebuilt.
Recompiled against libsodium-1.0.19.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
Diffstat (limited to 'source/l/glib2')
-rw-r--r-- | source/l/glib2/82c764ce2e42f0d1032627dabcbd742d5f2bd8fa.patch | 132 | ||||
-rwxr-xr-x | source/l/glib2/glib2.SlackBuild | 4 |
2 files changed, 135 insertions, 1 deletions
diff --git a/source/l/glib2/82c764ce2e42f0d1032627dabcbd742d5f2bd8fa.patch b/source/l/glib2/82c764ce2e42f0d1032627dabcbd742d5f2bd8fa.patch
new file mode 100644
index 000000000..911b78c88
--- /dev/null
+++ b/source/l/glib2/82c764ce2e42f0d1032627dabcbd742d5f2bd8fa.patch
@@ -0,0 +1,132 @@
+From 82c764ce2e42f0d1032627dabcbd742d5f2bd8fa Mon Sep 17 00:00:00 2001
+From: Philip Withnall <philip@tecnocode.co.uk>
+Date: Mon, 11 Sep 2023 16:02:15 +0100
+Subject: [PATCH] gthreadedresolver: Fix race between source callbacks and
+ finalize
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+I had thought that because `g_source_destroy()` was called for the two
+sources (cancel and timeout) in the `GTask` finalize function for a
+threaded resolver operation, that it would be fine to use a plain
+pointer in the source callbacks to point to the `GTask`.
+
+That turns out to not be true: because the source callbacks are executed
+in the GLib worker thread, and the `GTask` can be finalized in another
+thread, it’s possible for a source callback (e.g. `cancelled_cb()`) to
+be scheduled in the worker thread, then for the `GTask` to be finalized,
+and then the source callback to continue execution and find itself
+doing a use-after-free.
+
+Fix that by using a weak ref to the `GTask` in the source callbacks,
+rather than a plain pointer.
+
+Signed-off-by: Philip Withnall <philip@tecnocode.co.uk>
+
+Fixes: #3105
+---
+ gio/gthreadedresolver.c | 43 +++++++++++++++++++++++++++++++++++------
+ 1 file changed, 37 insertions(+), 6 deletions(-)
+
+diff --git a/gio/gthreadedresolver.c b/gio/gthreadedresolver.c
+index 2d94531bfd..c7a567549f 100644
+--- a/gio/gthreadedresolver.c
++++ b/gio/gthreadedresolver.c
+@@ -1422,10 +1422,17 @@ lookup_records_finish (GResolver *resolver,
+ static gboolean
+ timeout_cb (gpointer user_data)
+ {
+- GTask *task = G_TASK (user_data);
+- LookupData *data = g_task_get_task_data (task);
++ GWeakRef *weak_task = user_data;
++ GTask *task = NULL; /* (owned) */
++ LookupData *data;
+ gboolean should_return;
+
++ task = g_weak_ref_get (weak_task);
++ if (task == NULL)
++ return G_SOURCE_REMOVE;
++
++ data = g_task_get_task_data (task);
++
+ g_mutex_lock (&data->lock);
+
+ should_return = g_atomic_int_compare_and_exchange (&data->will_return, NOT_YET, TIMED_OUT);
+@@ -1443,6 +1450,8 @@ timeout_cb (gpointer user_data)
+ g_cond_broadcast (&data->cond);
+ g_mutex_unlock (&data->lock);
+
++ g_object_unref (task);
++
+ return G_SOURCE_REMOVE;
+ }
+
+@@ -1452,10 +1461,17 @@ static gboolean
+ cancelled_cb (GCancellable *cancellable,
+ gpointer user_data)
+ {
+- GTask *task = G_TASK (user_data);
+- LookupData *data = g_task_get_task_data (task);
++ GWeakRef *weak_task = user_data;
++ GTask *task = NULL; /* (owned) */
++ LookupData *data;
+ gboolean should_return;
+
++ task = g_weak_ref_get (weak_task);
++ if (task == NULL)
++ return G_SOURCE_REMOVE;
++
++ data = g_task_get_task_data (task);
++
+ g_mutex_lock (&data->lock);
+
+ g_assert (g_cancellable_is_cancelled (cancellable));
+@@ -1473,9 +1489,18 @@ cancelled_cb (GCancellable *cancellable,
+ g_cond_broadcast (&data->cond);
+ g_mutex_unlock (&data->lock);
+
++ g_object_unref (task);
++
+ return G_SOURCE_REMOVE;
+ }
+
++static void
++weak_ref_clear_and_free (GWeakRef *weak_ref)
++{
++ g_weak_ref_clear (weak_ref);
++ g_free (weak_ref);
++}
++
+ static void
+ run_task_in_thread_pool_async (GThreadedResolver *self,
+ GTask *task)
+@@ -1490,17 +1515,23 @@ run_task_in_thread_pool_async (GThreadedResolver *self,
+
+ if (timeout_ms != 0)
+ {
++ GWeakRef *weak_task = g_new0 (GWeakRef, 1);
++ g_weak_ref_set (weak_task, task);
++
+ data->timeout_source = g_timeout_source_new (timeout_ms);
+ g_source_set_static_name (data->timeout_source, "[gio] threaded resolver timeout");
+- g_source_set_callback (data->timeout_source, G_SOURCE_FUNC (timeout_cb), task, NULL);
++ g_source_set_callback (data->timeout_source, G_SOURCE_FUNC (timeout_cb), g_steal_pointer (&weak_task), (GDestroyNotify) weak_ref_clear_and_free);
+ g_source_attach (data->timeout_source, GLIB_PRIVATE_CALL (g_get_worker_context) ());
+ }
+
+ if (cancellable != NULL)
+ {
++ GWeakRef *weak_task = g_new0 (GWeakRef, 1);
++ g_weak_ref_set (weak_task, task);
++
+ data->cancellable_source = g_cancellable_source_new (cancellable);
+ g_source_set_static_name (data->cancellable_source, "[gio] threaded resolver cancellable");
+- g_source_set_callback (data->cancellable_source, G_SOURCE_FUNC (cancelled_cb), task, NULL);
++ g_source_set_callback (data->cancellable_source, G_SOURCE_FUNC (cancelled_cb), g_steal_pointer (&weak_task), (GDestroyNotify) weak_ref_clear_and_free);
+ g_source_attach (data->cancellable_source, GLIB_PRIVATE_CALL (g_get_worker_context) ());
+ }
+
+--
+GitLab
+
diff --git a/source/l/glib2/glib2.SlackBuild b/source/l/glib2/glib2.SlackBuild
index 739578e0f..b8bcddad6 100755
--- a/source/l/glib2/glib2.SlackBuild
+++ b/source/l/glib2/glib2.SlackBuild
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 PKGNAM=glib2
 VERSION=${VERSION:-$(echo glib-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
@@ -70,6 +70,8 @@ rm -rf glib-$VERSION
 tar xvf $CWD/glib-$VERSION.tar.?z* || exit 1
 cd glib-$VERSION || exit 1
+cat $CWD/82c764ce2e42f0d1032627dabcbd742d5f2bd8fa.patch | patch -p1 --verbose || exit 1
+
 chown -R root:root .
 find . \
 \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ |
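Review bot: The added `cat $CWD/82c764ce2e42f0d1032627dabcbd742d5f2bd8fa.patch | patch -p1 --verbose || exit 1` line has no comment, and the patch file is named only by its commit hash, so the script does not say what is being fixed or when the line can go. I would put a comment directly above it, for example `# Upstream fix for a use-after-free race between GSource callbacks and GTask finalize in gthreadedresolver (GLib issue #3105); drop once the glib tarball already contains it.` Because the line ends in `|| exit 1`, the build will most likely stop when a newer glib already includes the change and the patch no longer applies. The comment would tell whoever hits that failure that the patch can simply be removed.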