[AUTO-CHERRYPICK] Patch for gtk2 and gtk3 CVE-2024-6655 - branch main (#9967)

Co-authored-by: joejoew <111843948+joejoew@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/gtk2/CVE-2024-6655.patch

@@ -0,0 +1,34 @@
+From 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Sat, 15 Jun 2024 14:18:01 -0400
+Subject: [PATCH] Stop looking for modules in cwd
+
+This is just not a good idea. It is surprising, and can be misused.
+
+Fixes: #6786
+---
+ gtk/gtkmodules.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
+index 704e412aeb5..f93101c272e 100644
+--- a/gtk/gtkmodules.c
++++ b/gtk/gtkmodules.c
+@@ -214,13 +214,8 @@ find_module (const gchar *name)
+   gchar *module_name;
+ 
+   module_name = _gtk_find_module (name, "modules");
+-  if (!module_name)
+-    {
+-      /* As last resort, try loading without an absolute path (using system
+-       * library path)
+-       */
+-      module_name = g_module_build_path (NULL, name);
+-    }
++  if (module_name == NULL)
++    return NULL;
+ 
+   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
+ 
+-- 
+GitLab

SPECS/gtk2/gtk2.spec

@@ -15,7 +15,7 @@
 Summary:        GTK+ graphical user interface library
 Name:           gtk2
 Version:        2.24.32
-Release:        11%{?dist}
+Release:        12%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -36,6 +36,7 @@ Patch15:        window-dragging.patch
 # Backported from upstream:
 Patch20:        0001-calendar-Use-the-new-OB-format-if-supported.patch
 Patch21:        0001-Fix-compiler-warnings-with-GCC-8.1.patch
+Patch22:        CVE-2024-6655.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  cairo-devel
@@ -317,6 +318,9 @@ gtk-query-immodules-2.0-%{__isa_bits} --update-cache
 %doc tmpdocs/examples
 
 %changelog
+* Tue Jul 23 2024 Zhichun Wan <zhichunwan@microsoft.com> - 2.24.32-12
+- Patch CVE-2024-6655
+
 * Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 2.24.32-11
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
 

SPECS/gtk3/CVE-2024-6655.patch

@@ -0,0 +1,34 @@
+From 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Sat, 15 Jun 2024 14:18:01 -0400
+Subject: [PATCH] Stop looking for modules in cwd
+
+This is just not a good idea. It is surprising, and can be misused.
+
+Fixes: #6786
+---
+ gtk/gtkmodules.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
+index 704e412aeb5..f93101c272e 100644
+--- a/gtk/gtkmodules.c
++++ b/gtk/gtkmodules.c
+@@ -214,13 +214,8 @@ find_module (const gchar *name)
+   gchar *module_name;
+ 
+   module_name = _gtk_find_module (name, "modules");
+-  if (!module_name)
+-    {
+-      /* As last resort, try loading without an absolute path (using system
+-       * library path)
+-       */
+-      module_name = g_module_build_path (NULL, name);
+-    }
++  if (module_name == NULL)
++    return NULL;
+ 
+   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
+ 
+-- 
+GitLab

SPECS/gtk3/gtk3.spec

@@ -15,7 +15,7 @@
 Summary:        GTK+ graphical user interface library
 Name:           gtk3
 Version:        3.24.28
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -24,6 +24,7 @@ Source0:        https://download.gnome.org/sources/gtk+/3.24/gtk+-%{version}.tar
 # https://bugzilla.redhat.com/show_bug.cgi?id=1946133
 # https://gitlab.gnome.org/GNOME/gtk/-/merge_requests/3387
 Patch0:         3387.patch
+Patch1:         CVE-2024-6655.patch
 BuildRequires:  cairo-devel >= %{cairo_version}
 BuildRequires:  cairo-gobject-devel >= %{cairo_version}
 BuildRequires:  cups-devel
@@ -289,6 +290,9 @@ gtk-query-immodules-3.0-%{__isa_bits} --update-cache &>/dev/null || :
 %{_datadir}/installed-tests/
 
 %changelog
+* Tue Jul 23 2024 Zhichun Wan <zhichunwan@microsoft.com> - 3.24.28-10
+- Patch CVE-2024-6655
+
 * Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 3.24.28-9
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)