Accepting request 57267 from home:vuntz:branches:GNOME:Factory

OBS-URL: https://build.opensuse.org/request/show/57267 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gnome-shell?expand=0&rev=41
2011-01-07 22:40:22 +00:00 · 2011-01-07 22:40:22 +00:00 · c508fbef38
commit c508fbef38
parent ef5955d104
3 changed files with 44 additions and 0 deletions
--- a/gnome-shell-CVE-2010-4000.patch
+++ b/gnome-shell-CVE-2010-4000.patch
@ -0,0 +1,35 @@
+commit 7beb7e0f65c6f66daebd307c492381249ddd41be
+Author: Vincent Untz <vuntz@gnome.org>
+Date:   Wed Jan 5 10:32:44 2011 +0100
+
+    gnome-shell.in: Really never add empty elements to LD_LIBRARY_PATH
+    
+    This complements the fix from c6eb2761, to make sure that we don't use
+    the pre-existing $LD_LIBRARY_PATH if it's set but empty.
+    
+    Both commits fix CVE-2010-4000.
+    
+    https://bugzilla.gnome.org/show_bug.cgi?id=638728
+
+diff --git a/src/gnome-shell.in b/src/gnome-shell.in
+index 2abd7d5..e422adb 100755
+--- a/src/gnome-shell.in
+++ b/src/gnome-shell.in
+@@ -152,7 +152,7 @@ def start_dconf_await_service():
+     # dconf is linked without libtool, so unlike other GNOME modules,
+     # won't have an embedded rpath for its library directory.
+     env = dict(os.environ)
+-    if 'LD_LIBRARY_PATH' in env:
+    if 'LD_LIBRARY_PATH' in env and env['LD_LIBRARY_PATH']:
+         ld_library_path = '@libdir@:' + env['LD_LIBRARY_PATH']
+     else:
+         ld_library_path = '@libdir@'
+@@ -246,7 +246,7 @@ def start_shell(perf_output=None):
+     if pkgconfig.returncode == 0:
+         mozjs_libdir = re.sub('-(sdk|devel)', '', mozjs_sdkdir)
+         if os.path.exists(mozjs_libdir + '/libmozjs.so'):
+-            if 'LD_LIBRARY_PATH' in env:
+            if 'LD_LIBRARY_PATH' in env and env['LD_LIBRARY_PATH']:
+                 ld_library_path = env['LD_LIBRARY_PATH'] + ':' + mozjs_libdir
+             else:
+                 ld_library_path = mozjs_libdir
--- a/gnome-shell.changes
+++ b/gnome-shell.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jan  5 11:01:48 CET 2011 - vuntz@opensuse.org
+
+- Add gnome-shell-CVE-2010-4000.patch to really safely set
+  LD_LIBRARY_PATH. Fix bnc#642827 and CVE-2010-4000.
+
 -------------------------------------------------------------------
 Wed Dec 15 13:16:11 CET 2010 - vuntz@opensuse.org

--- a/gnome-shell.spec
+++ b/gnome-shell.spec
@ -32,6 +32,8 @@ Source2:        gnome3.desktop
 Patch0:         gnome-shell-fix-include.patch
 # PATCH-FIX-UPSTREAM gnome-shell-gtk3-2.91.6.patch vuntz@opensuse.org -- Fix build with recent gtk3, taken from git
 Patch1:         gnome-shell-gtk3-2.91.6.patch
+# PATCH-FIX-UPSTREAM gnome-shell-CVE-2010-4000.patch bnc#642827 bgo#638728 CVE-2010-4000 vuntz@opensuse.org -- Really safely set LD_LIBRARY_PATH
+Patch2:         gnome-shell-CVE-2010-4000.patch
 BuildRequires:  intltool
 BuildRequires:  update-desktop-files
 BuildRequires:  pkgconfig(clutter-1.0)
@ -69,6 +71,7 @@ documents, and organizing open windows in GNOME.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1

 %build
 %configure \