
Bug#1033719: libmate-desktop-2-17: Use-after-free condition in blow_expensive_caches() in mate-bg.c



Package: libmate-desktop-2-17
Version: 1.26.0-1
Severity: important
Tags: upstream patch
X-Debbugs-Cc: arraybolt3@ubuntu.com

libmate-desktop has a use-after-free condition in which an item in a GList is
deleted and then dereferenced in a later loop iteration. This appears to have
been the result of a coding error upstream, and was later reverted. Debian
still has the buggy version of the code.

In Ubuntu, the buggy code caused the MATE application menu to vanish very soon
after clicking it. Desktop icons also vanished. I do not know if this is
happening to Debian or not, however since the buggy code is in Debian I
believe it's at least a risk even if it's not actively happening. This was
reported as https://launchpad.net/bugs/2013138

The following patch looks like it should be easily applicable to Debian, and
it solves the bug in Ubuntu:

diff --git a/libmate-desktop/mate-bg.c b/libmate-desktop/mate-bg.c
index 0f617fa..e535231 100644
--- a/libmate-desktop/mate-bg.c
+++ b/libmate-desktop/mate-bg.c
@@ -2002,19 +2002,18 @@ static gboolean
 blow_expensive_caches (gpointer data)
 {
 MateBG *bg = data;
-	GList *list;
+	GList *list, *next;

 bg->blow_caches_id = 0;

-	if (bg->file_cache) {
- for (list = bg->file_cache; list != NULL; list = list->next) {
- FileCacheEntry *ent = list->data;
+	for (list = bg->file_cache; list != NULL; list = next) {
+ FileCacheEntry *ent = list->data;
+ next = list->next;

- if (ent->type == PIXBUF) {
- file_cache_entry_delete (ent);
- bg->file_cache = g_list_delete_link (bg->file_cache,
- list);
- }
+ if (ent->type == PIXBUF) {
+ file_cache_entry_delete (ent);
+ bg->file_cache = g_list_delete_link (bg->file_cache,
+ list);
 }
 }
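Review bot: the hunk as pasted is one line short of its `@@ -2002,19 +2002,18 @@` counts (18 old-side and 17 new-side lines are visible), so a trailing context line after the two closing braces was lost along with the indentation; apply the upstream commit directly rather than this text, since `patch` will reject the truncated hunk. The fix itself is sound: `next = list->next` is read before `g_list_delete_link (bg->file_cache, list)` frees `list`, whereas the old `list = list->next` increment read `list->next` out of the just-freed link. Dropping the `if (bg->file_cache)` guard is behaviour-preserving, because the loop's `list != NULL` test already handles an empty cache. Running the affected component under AddressSanitizer (`-fsanitize=address`) is the quickest way to confirm the old loop reports a heap-use-after-free on the first PIXBUF entry and the new one does not.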



Patch source: https://git.mate-desktop.org/mate-desktop/commit/?id=7b379f54a5b09df007f7e84dabbbc5f8ce9381a9

(And yes, I do realize that is formatted horribly, but that's what upstream
MATE's website gave me. I think it trimmed off a bunch of preceding
whitespace for some reason.)

-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.19.0-32-generic (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libmate-desktop-2-17 depends on:
ii  iso-codes                 4.9.0-1
ii  libatk1.0-0               2.36.0-3build1
ii  libc6                     2.35-0ubuntu3.1
ii  libcairo2                 1.16.0-5ubuntu2
ii  libdconf1                 0.40.0-3
ii  libgdk-pixbuf-2.0-0       2.42.8+dfsg-1ubuntu0.2
ii  libglib2.0-0              2.72.4-0ubuntu1
ii  libgtk-3-0                3.24.33-1ubuntu2
ii  libpango-1.0-0            1.50.6+ds-2ubuntu1
ii  libstartup-notification0  0.12-6build2
ii  libx11-6                  2:1.7.5-1
ii  libxrandr2                2:1.5.2-1build1

libmate-desktop-2-17 recommends no packages.

libmate-desktop-2-17 suggests no packages.
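
The iteration bug described in the report, as an added example that is not code from libmate-desktop or MATE upstream. GLib's GList is replaced by a constructed stand-in list (`Link`, `list_append`, `list_delete_link`) so the file builds without glib headers, and the cache entries are constructed sample data. The pre-patch loop shape is reproduced with deleted links quarantined and poisoned instead of freed, so the stale read of `list->next` becomes a detectable `-1` result rather than undefined behaviour; the post-patch shape reads `next` before deleting and really frees the link.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for GLib's GList: a doubly linked list of data pointers. */
typedef struct Link {
    void *data;
    struct Link *next;
    struct Link *prev;
} Link;

typedef enum { PIXBUF, SLIDESHOW } EntryType;  /* PIXBUF is what mate-bg.c prunes */

typedef struct {
    EntryType type;
    const char *filename;
} FileCacheEntry;

/* Stands in for "freed memory": a deleted link has next/prev set to POISON so a
 * stale read is detectable here, where the real loop would read freed heap. */
static Link poison_sentinel;
#define POISON (&poison_sentinel)

static Link *list_append(Link *head, void *data)
{
    Link *link = calloc(1, sizeof *link), *last = head;
    if (!link) abort();
    link->data = data;
    if (!head) return link;
    while (last->next) last = last->next;
    last->next = link;
    link->prev = last;
    return head;
}

/* Mirrors g_list_delete_link(): unlink `link`, release it, return the new head.
 * With quarantine != 0 the link is poisoned instead of freed (demo only). */
static Link *list_delete_link(Link *head, Link *link, int quarantine)
{
    if (link->prev) link->prev->next = link->next; else head = link->next;
    if (link->next) link->next->prev = link->prev;
    if (quarantine) { link->next = POISON; link->prev = POISON; }
    else free(link);
    return head;
}

static int list_length(const Link *head)
{
    int n = 0;
    for (; head; head = head->next) n++;
    return n;
}

static void list_free(Link *head)
{
    while (head) { Link *n = head->next; free(head); head = n; }
}

/* Pre-patch loop shape: the for-increment reads list->next AFTER `list` was
 * deleted. Returns -1 at the point the real code would read freed memory. */
static int prune_pixbufs_buggy(Link **cache)
{
    Link *list;
    for (list = *cache; list != NULL; list = list->next) {
        FileCacheEntry *ent = list->data;
        if (ent->type == PIXBUF)
            *cache = list_delete_link(*cache, list, 1);
        if (list->next == POISON) { free(list); return -1; }  /* stale read */
    }
    return list_length(*cache);
}

/* Post-patch loop shape: capture next before the link can be freed. */
static int prune_pixbufs_fixed(Link **cache)
{
    Link *list, *next;
    for (list = *cache; list != NULL; list = next) {
        FileCacheEntry *ent = list->data;
        next = list->next;                        /* read before delete */
        if (ent->type == PIXBUF)
            *cache = list_delete_link(*cache, list, 0);
    }
    return list_length(*cache);
}

/* Constructed sample cache: pixbuf entries on both sides of a slideshow. */
static Link *sample_cache(void)
{
    static FileCacheEntry entries[] = {
        { PIXBUF,    "wallpaper.png"  },
        { SLIDESHOW, "day-night.xml"  },
        { PIXBUF,    "lockscreen.jpg" },
    };
    Link *head = NULL;
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++)
        head = list_append(head, &entries[i]);
    return head;
}

int run_buggy_demo(void)   /* -1: first PIXBUF deletion leaves `list` dangling */
{
    Link *c = sample_cache();
    int r = prune_pixbufs_buggy(&c);
    list_free(c);
    return r;
}

int run_fixed_demo(void)   /* 1: only the slideshow entry remains, no PIXBUF left */
{
    Link *c = sample_cache();
    int r = prune_pixbufs_fixed(&c);
    for (Link *l = c; l; l = l->next)
        if (((FileCacheEntry *)l->data)->type == PIXBUF) r = -2;
    list_free(c);
    return r;
}

int main(void)
{
    printf("buggy loop: %d\nfixed loop: %d entries remain\n",
           run_buggy_demo(), run_fixed_demo());
    return 0;
}
```

The quarantine is what makes the buggy variant observable on every run; with a real `free()` the stale `list->next` read often returns the old pointer value until the allocator reuses the chunk, which is why the symptom in the report (menus and icons vanishing) showed up sporadically rather than as an immediate crash.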

