Bug#1033719: libmate-desktop-2-17: Use-after-free condition in blow_expensive_caches() in mate-bg.c
Package: libmate-desktop-2-17
Version: 1.26.0-1
Severity: important
Tags: upstream patch
X-Debbugs-Cc: arraybolt3@ubuntu.com
libmate-desktop has a use-after-free condition in which an item in a GList is
deleted and then dereferenced in a later loop iteration. This appears to have
been the result of a coding error upstream, and was later reverted. Debian
still has the buggy version of the code.
In Ubuntu, the buggy code caused the MATE application menu to vanish very soon
after clicking it. Desktop icons also vanished. I do not know whether this is
happening in Debian or not; however, since the buggy code is in Debian, I
believe it's at least a risk even if it's not actively happening. This was
reported as https://launchpad.net/bugs/2013138
The following patch looks like it should be easily applicable to Debian, and
it solves the bug in Ubuntu:
diff --git a/libmate-desktop/mate-bg.c b/libmate-desktop/mate-bg.c
index 0f617fa..e535231 100644
--- a/libmate-desktop/mate-bg.c
+++ b/libmate-desktop/mate-bg.c
@@ -2002,19 +2002,18 @@ static gboolean
blow_expensive_caches (gpointer data)
{
MateBG *bg = data;
- GList *list;
+ GList *list, *next;
bg->blow_caches_id = 0;
- if (bg->file_cache) {
- for (list = bg->file_cache; list != NULL; list = list->next) {
- FileCacheEntry *ent = list->data;
+ for (list = bg->file_cache; list != NULL; list = next) {
+ FileCacheEntry *ent = list->data;
+ next = list->next;
- if (ent->type == PIXBUF) {
- file_cache_entry_delete (ent);
- bg->file_cache = g_list_delete_link (bg->file_cache,
- list);
- }
+ if (ent->type == PIXBUF) {
+ file_cache_entry_delete (ent);
+ bg->file_cache = g_list_delete_link (bg->file_cache,
+ list);
}
}
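Review bot: the use-after-free is fixed by `next = list->next;` being taken before `file_cache_entry_delete (ent);` / `g_list_delete_link (bg->file_cache, list);` free the current node; the removed loop advanced with `list = list->next` after `g_list_delete_link` had already freed `list`, which is the read of freed memory. Dropping the outer `if (bg->file_cache)` guard is correct, since the `for` condition already stops on a NULL head. Before applying: the `@@ -2002,19 +2002,18 @@` header announces a 19-line old side, but only 15 old-side lines are quoted here and all leading indentation has been stripped, so this copy will not apply with `patch` or `git am`; take the hunk from the upstream commit URL below instead of this quoted text.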
Patch source: https://git.mate-desktop.org/mate-desktop/commit/?id=7b379f54a5b09df007f7e84dabbbc5f8ce9381a9
(And yes, I do realize that is formatted horribly, but that's what upstream
MATE's website gave me. I think it trimmed off a bunch of preceding
whitespace for some reason.)
-- System Information:
Debian Release: bookworm/sid
APT prefers jammy-updates
APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.19.0-32-generic (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libmate-desktop-2-17 depends on:
ii iso-codes 4.9.0-1
ii libatk1.0-0 2.36.0-3build1
ii libc6 2.35-0ubuntu3.1
ii libcairo2 1.16.0-5ubuntu2
ii libdconf1 0.40.0-3
ii libgdk-pixbuf-2.0-0 2.42.8+dfsg-1ubuntu0.2
ii libglib2.0-0 2.72.4-0ubuntu1
ii libgtk-3-0 3.24.33-1ubuntu2
ii libpango-1.0-0 1.50.6+ds-2ubuntu1
ii libstartup-notification0 0.12-6build2
ii libx11-6 2:1.7.5-1
ii libxrandr2 2:1.5.2-1build1
libmate-desktop-2-17 recommends no packages.
libmate-desktop-2-17 suggests no packages.
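The pattern behind the fix, as an added example that is not part of the bug report or of libmate-desktop: walking a linked list while unlinking and freeing nodes from it. The List type and list_prepend/list_delete_link helpers below are a constructed stand-in for GLib's GList, g_list_prepend() and g_list_delete_link() (same semantics: delete_link unlinks one node, frees it and returns the new head), so the example builds without GLib; the cache entries are constructed sample data, and blow_pixbuf_entries mirrors the corrected loop shape from the patch rather than calling mate-bg.c.

```c
/* Constructed example: deleting nodes during traversal without reading the
 * freed node. Stand-in for GList, g_list_prepend() and g_list_delete_link(). */
#include <stdio.h>
#include <stdlib.h>

typedef struct List {
    struct List *prev;
    struct List *next;
    void *data;
} List;

/* Entry types modelled on mate-bg.c's cache; only PIXBUF is relevant here. */
enum { PIXBUF, SLIDESHOW, THUMBNAIL };

typedef struct {
    int type;
    const char *filename;
} FileCacheEntry;

/* Like g_list_prepend(): new node becomes the head. */
static List *list_prepend(List *head, void *data) {
    List *node = calloc(1, sizeof *node);
    if (!node) abort();
    node->data = data;
    node->next = head;
    if (head) head->prev = node;
    return node;
}

/* Like g_list_delete_link(): unlink one node, free it, return the new head.
 * After this returns, `link` is dangling: reading link->next is a use-after-free. */
static List *list_delete_link(List *head, List *link) {
    if (link->prev) link->prev->next = link->next;
    else head = link->next;
    if (link->next) link->next->prev = link->prev;
    free(link);
    return head;
}

static size_t list_length(const List *l) {
    size_t n = 0;
    for (; l; l = l->next) n++;
    return n;
}

/* Drop every PIXBUF entry. The whole fix is the order of operations:
 * `next` is read from the node before the node is freed, so the loop never
 * touches freed memory. The buggy loop did `list = list->next` after
 * list_delete_link() had already freed `list`. */
static List *blow_pixbuf_entries(List *file_cache) {
    List *list, *next;
    for (list = file_cache; list != NULL; list = next) {
        FileCacheEntry *ent = list->data;
        next = list->next;                 /* must precede the free below */
        if (ent->type == PIXBUF)
            file_cache = list_delete_link(file_cache, list);
    }
    return file_cache;
}

/* Build a constructed cache with PIXBUF entries at the head, in the middle and
 * at the tail (the cases that break naive deletion), blow it, and report how
 * many non-PIXBUF entries survive. */
size_t demo_remaining_after_blow(void) {
    static FileCacheEntry entries[] = {
        { PIXBUF,    "a.png" },   /* ends up at the tail after prepends */
        { SLIDESHOW, "b.xml" },
        { PIXBUF,    "c.png" },
        { THUMBNAIL, "d.png" },
        { PIXBUF,    "e.png" },   /* ends up at the head */
    };
    List *cache = NULL;
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++)
        cache = list_prepend(cache, &entries[i]);

    cache = blow_pixbuf_entries(cache);
    size_t left = list_length(cache);

    while (cache)                          /* free the survivors */
        cache = list_delete_link(cache, cache);
    return left;
}

int main(void) {
    printf("entries left after blowing the PIXBUF cache: %zu\n",
           demo_remaining_after_blow());
    return 0;
}
```

Build with `cc -fsanitize=address example.c && ./a.out` to confirm the loop is clean; swapping the two statements so `next` is read after list_delete_link() makes ASan report the heap-use-after-free at the `next = list->next` line.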