From 569bdb144eb0d9a867a757f21d18f6321126525a Mon Sep 17 00:00:00 2001 From: wang_yue111 <648774160@qq.com> Date: Tue, 30 Mar 2021 16:06:58 +0800 Subject: [PATCH] fix CVE-2020-17489 --- CVE-2020-17489-pre1.patch | 265 ++++++++++++++++++++++++++++++++++++++ CVE-2020-17489-pre2.patch | 81 ++++++++++++ CVE-2020-17489.patch | 44 +++++++ gnome-shell.spec | 8 +- 4 files changed, 397 insertions(+), 1 deletion(-) create mode 100644 CVE-2020-17489-pre1.patch create mode 100644 CVE-2020-17489-pre2.patch create mode 100644 CVE-2020-17489.patch diff --git a/CVE-2020-17489-pre1.patch b/CVE-2020-17489-pre1.patch new file mode 100644 index 0000000..1dc76b9 --- /dev/null +++ b/CVE-2020-17489-pre1.patch @@ -0,0 +1,265 @@ +From e2f0647091b2475f78c0a52c0acef5f1be4d52d9 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 30 Mar 2021 14:42:11 +0800 +Subject: [PATCH] cleanup: Use arrow functions for tweener callbacks + +While it is legal to use method syntax for the function properties +here, arrow notation is less unexpected and allows us to drop the +separate scope properties. + +https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/608 + +--- + js/gdm/authPrompt.js | 3 +-- + js/gdm/loginDialog.js | 16 ++++++---------- + js/ui/dnd.js | 5 ++--- + js/ui/messageList.js | 3 +-- + js/ui/panel.js | 8 +++----- + js/ui/popupMenu.js | 12 ++++-------- + js/ui/screenShield.js | 15 ++++++--------- + js/ui/workspaceSwitcherPopup.js | 3 +-- + js/ui/workspaceThumbnail.js | 5 ++--- + 9 files changed, 26 insertions(+), 44 deletions(-) + +diff --git a/js/gdm/authPrompt.js b/js/gdm/authPrompt.js +index a0a4a21..a6a0374 100644 +--- a/js/gdm/authPrompt.js ++++ b/js/gdm/authPrompt.js +@@ -302,8 +302,7 @@ var AuthPrompt = new Lang.Class({ + time: DEFAULT_BUTTON_WELL_ANIMATION_TIME, + delay: DEFAULT_BUTTON_WELL_ANIMATION_DELAY, + transition: 'linear', +- onCompleteScope: this, +- onComplete() { ++ onComplete: () => { + if (wasSpinner) { + if (this._spinner) + this._spinner.stop(); +diff --git a/js/gdm/loginDialog.js b/js/gdm/loginDialog.js +index bf79677..0e0001f 100644 +--- a/js/gdm/loginDialog.js ++++ b/js/gdm/loginDialog.js +@@ -926,7 +926,7 @@ var LoginDialog = new Lang.Class({ + { opacity: 255, + time: _FADE_ANIMATION_TIME, + transition: 'easeOutQuad', +- onUpdate() { ++ onUpdate: () => { + let children = Main.layoutManager.uiGroup.get_children(); + + for (let i = 0; i < children.length; i++) { +@@ -934,12 +934,10 @@ var LoginDialog = new Lang.Class({ + children[i].opacity = this.actor.opacity; + } + }, +- onUpdateScope: this, +- onComplete() { ++ onComplete: () => { + if (this._authPrompt.verificationStatus != AuthPrompt.AuthPromptStatus.NOT_VERIFYING) + this._authPrompt.reset(); +- }, +- onCompleteScope: this }); ++ } }); + }, + + _gotGreeterSessionProxy(proxy) { +@@ -956,7 +954,7 @@ var LoginDialog = new Lang.Class({ + { opacity: 0, + time: _FADE_ANIMATION_TIME, + transition: 'easeOutQuad', +- onUpdate() { ++ onUpdate: () => { + let children = Main.layoutManager.uiGroup.get_children(); + + for (let i = 0; i < children.length; i++) { +@@ -964,11 +962,9 @@ var LoginDialog = new Lang.Class({ + children[i].opacity = this.actor.opacity; + } + }, +- onUpdateScope: this, +- onComplete() { ++ onComplete: () => { + this._greeter.call_start_session_when_ready_sync(serviceName, true, null); +- }, +- onCompleteScope: this }); ++ } }); + }, + + _onSessionOpened(client, serviceName) { +diff --git a/js/ui/dnd.js b/js/ui/dnd.js +index 8483e89..83778e0 100644 +--- a/js/ui/dnd.js ++++ b/js/ui/dnd.js +@@ -385,14 +385,13 @@ var _Draggable = new Lang.Class({ + scale_y: scale * origScale, + time: SCALE_ANIMATION_TIME, + transition: 'easeOutQuad', +- onUpdate() { ++ onUpdate: () => { + let currentScale = this._dragActor.scale_x / origScale; + this._dragOffsetX = currentScale * origDragOffsetX; + this._dragOffsetY = currentScale * origDragOffsetY; + this._dragActor.set_position(this._dragX + this._dragOffsetX, + this._dragY + this._dragOffsetY); +- }, +- onUpdateScope: this }); ++ } }); + } + } + }, +diff --git a/js/ui/messageList.js b/js/ui/messageList.js +index 547135a..91670ba 100644 +--- a/js/ui/messageList.js ++++ b/js/ui/messageList.js +@@ -483,8 +483,7 @@ var Message = new Lang.Class({ + { scale_y: 0, + time: MessageTray.ANIMATION_TIME, + transition: 'easeOutQuad', +- onCompleteScope: this, +- onComplete() { ++ onComplete: () => { + this._actionBin.hide(); + this.expanded = false; + }}); +diff --git a/js/ui/panel.js b/js/ui/panel.js +index 3726b84..318ca52 100644 +--- a/js/ui/panel.js ++++ b/js/ui/panel.js +@@ -174,10 +174,9 @@ var AppMenuButton = new Lang.Class({ + { opacity: 0, + time: Overview.ANIMATION_TIME, + transition: 'easeOutQuad', +- onComplete() { ++ onComplete: () => { + this.actor.hide(); +- }, +- onCompleteScope: this }); ++ } }); + }, + + _onStyleChanged(actor) { +@@ -219,8 +218,7 @@ var AppMenuButton = new Lang.Class({ + { opacity: 0, + time: SPINNER_ANIMATION_TIME, + transition: "easeOutQuad", +- onCompleteScope: this, +- onComplete() { ++ onComplete: () => { + this._spinner.stop(); + this._spinner.actor.opacity = 255; + this._spinner.actor.hide(); +diff --git a/js/ui/popupMenu.js b/js/ui/popupMenu.js +index f449d6e..3d92a1a 100644 +--- a/js/ui/popupMenu.js ++++ b/js/ui/popupMenu.js +@@ -1004,12 +1004,10 @@ var PopupSubMenu = new Lang.Class({ + { _arrowRotation: targetAngle, + height: naturalHeight, + time: 0.25, +- onUpdateScope: this, +- onUpdate() { ++ onUpdate: () => { + this._arrow.rotation_angle_z = this.actor._arrowRotation; + }, +- onCompleteScope: this, +- onComplete() { ++ onComplete: () => { + this.actor.set_height(-1); + } + }); +@@ -1037,12 +1035,10 @@ var PopupSubMenu = new Lang.Class({ + { _arrowRotation: 0, + height: 0, + time: 0.25, +- onUpdateScope: this, +- onUpdate() { ++ onUpdate: () => { + this._arrow.rotation_angle_z = this.actor._arrowRotation; + }, +- onCompleteScope: this, +- onComplete() { ++ onComplete: () => { + this.actor.hide(); + this.actor.set_height(-1); + }, +diff --git a/js/ui/screenShield.js b/js/ui/screenShield.js +index dee290b..72d1317 100644 +--- a/js/ui/screenShield.js ++++ b/js/ui/screenShield.js +@@ -265,11 +265,10 @@ var NotificationsBox = new Lang.Class({ + { height: natHeight, + transition: 'easeOutQuad', + time: 0.25, +- onComplete() { ++ onComplete: () => { + this._scrollView.vscrollbar_policy = Gtk.PolicyType.AUTOMATIC; + widget.set_height(-1); +- }, +- onCompleteScope: this ++ } + }); + + this._updateVisibility(); +@@ -795,11 +794,10 @@ var ScreenShield = new Lang.Class({ + { y: 0, + time: time, + transition: 'easeInQuad', +- onComplete() { ++ onComplete: () => { + this._lockScreenGroup.fixed_position_set = false; + this._lockScreenState = MessageTray.State.SHOWN; +- }, +- onCompleteScope: this, ++ } + }); + + this._maybeCancelDialog(); +@@ -1020,11 +1018,10 @@ var ScreenShield = new Lang.Class({ + { y: 0, + time: MANUAL_FADE_TIME, + transition: 'easeOutQuad', +- onComplete() { ++ onComplete: () => { + this._lockScreenShown({ fadeToBlack: fadeToBlack, + animateFade: true }); +- }, +- onCompleteScope: this ++ } + }); + } else { + this._lockScreenGroup.fixed_position_set = false; +diff --git a/js/ui/workspaceSwitcherPopup.js b/js/ui/workspaceSwitcherPopup.js +index 351a907..49caabc 100644 +--- a/js/ui/workspaceSwitcherPopup.js ++++ b/js/ui/workspaceSwitcherPopup.js +@@ -159,8 +159,7 @@ var WorkspaceSwitcherPopup = new Lang.Class({ + Tweener.addTween(this._container, { opacity: 0.0, + time: ANIMATION_TIME, + transition: 'easeOutQuad', +- onComplete() { this.destroy(); }, +- onCompleteScope: this ++ onComplete: () => this.destroy() + }); + return GLib.SOURCE_REMOVE; + }, +diff --git a/js/ui/workspaceThumbnail.js b/js/ui/workspaceThumbnail.js +index 76a7416..dc1a749 100644 +--- a/js/ui/workspaceThumbnail.js ++++ b/js/ui/workspaceThumbnail.js +@@ -1347,11 +1347,10 @@ var ThumbnailsBox = new Lang.Class({ + { indicatorY: thumbnail.actor.allocation.y1, + time: WorkspacesView.WORKSPACE_SWITCH_TIME, + transition: 'easeOutQuad', +- onComplete() { ++ onComplete: () => { + this._animatingIndicator = false; + this._queueUpdateStates(); +- }, +- onCompleteScope: this ++ } + }); + } + }); +-- +2.23.0 + diff --git a/CVE-2020-17489-pre2.patch b/CVE-2020-17489-pre2.patch new file mode 100644 index 0000000..96688a6 --- /dev/null +++ b/CVE-2020-17489-pre2.patch @@ -0,0 +1,81 @@ +From 7e4e3c19d010b8204f89703706c605a97153a60a Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 30 Mar 2021 14:56:46 +0800 +Subject: [PATCH] loginDialog: Use GObject bindings over onUpdate handler + +Instead of iterating over all actors each frame and sync'ing their +opacities, we can set up bindings once before the animation. + +https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/654 +--- + js/gdm/loginDialog.js | 30 ++++++++++++++---------------- + 1 file changed, 14 insertions(+), 16 deletions(-) + +diff --git a/js/gdm/loginDialog.js b/js/gdm/loginDialog.js +index faecff8..29954f7 100644 +--- a/js/gdm/loginDialog.js ++++ b/js/gdm/loginDialog.js +@@ -918,25 +918,29 @@ var LoginDialog = new Lang.Class({ + this._showPrompt(); + }, + ++ _bindOpacity() { ++ this._bindings = Main.layoutManager.uiGroup.get_children() ++ .filter(c => c != Main.layoutManager.screenShieldGroup) ++ .map(c => this.bind_property('opacity', c, 'opacity', 0)); ++ }, ++ ++ _unbindOpacity() { ++ this._bindings.forEach(b => b.unbind()); ++ }, ++ + _loginScreenSessionActivated() { + if (this.actor.opacity == 255 && this._authPrompt.verificationStatus == AuthPrompt.AuthPromptStatus.NOT_VERIFYING) + return; + ++ this._bindOpacity(); + Tweener.addTween(this.actor, + { opacity: 255, + time: _FADE_ANIMATION_TIME, + transition: 'easeOutQuad', +- onUpdate: () => { +- let children = Main.layoutManager.uiGroup.get_children(); +- +- for (let i = 0; i < children.length; i++) { +- if (children[i] != Main.layoutManager.screenShieldGroup) +- children[i].opacity = this.actor.opacity; +- } +- }, + onComplete: () => { + if (this._authPrompt.verificationStatus != AuthPrompt.AuthPromptStatus.NOT_VERIFYING) + this._authPrompt.reset(); ++ this._unbindOpacity(); + } }); + }, + +@@ -950,20 +954,14 @@ var LoginDialog = new Lang.Class({ + }, + + _startSession(serviceName) { ++ this._bindOpacity(); + Tweener.addTween(this.actor, + { opacity: 0, + time: _FADE_ANIMATION_TIME, + transition: 'easeOutQuad', +- onUpdate: () => { +- let children = Main.layoutManager.uiGroup.get_children(); +- +- for (let i = 0; i < children.length; i++) { +- if (children[i] != Main.layoutManager.screenShieldGroup) +- children[i].opacity = this.actor.opacity; +- } +- }, + onComplete: () => { + this._greeter.call_start_session_when_ready_sync(serviceName, true, null); ++ this._unbindOpacity(); + } }); + }, + +-- +2.23.0 + diff --git a/CVE-2020-17489.patch b/CVE-2020-17489.patch new file mode 100644 index 0000000..4239128 --- /dev/null +++ b/CVE-2020-17489.patch @@ -0,0 +1,44 @@ +From b0d6742bcdba59991fbf0b31c6c670db7939cfa7 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 30 Mar 2021 15:35:52 +0800 +Subject: [PATCH] cleanup: Port GObject classes to JS6 classes + +GJS added API for defining GObject classes with ES6 class syntax +last cycle, use it to port the remaining Lang.Class classes to +the new syntax. + +https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361 + +--- + js/gdm/loginDialog.js | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/js/gdm/loginDialog.js b/js/gdm/loginDialog.js +index 29954f7..2f89140 100644 +--- a/js/gdm/loginDialog.js ++++ b/js/gdm/loginDialog.js +@@ -931,17 +931,16 @@ var LoginDialog = new Lang.Class({ + _loginScreenSessionActivated() { + if (this.actor.opacity == 255 && this._authPrompt.verificationStatus == AuthPrompt.AuthPromptStatus.NOT_VERIFYING) + return; ++ if (this._authPrompt.verificationStatus !== AuthPrompt.AuthPromptStatus.NOT_VERIFYING) ++ this._authPrompt.reset(); + + this._bindOpacity(); + Tweener.addTween(this.actor, + { opacity: 255, + time: _FADE_ANIMATION_TIME, + transition: 'easeOutQuad', +- onComplete: () => { +- if (this._authPrompt.verificationStatus != AuthPrompt.AuthPromptStatus.NOT_VERIFYING) +- this._authPrompt.reset(); +- this._unbindOpacity(); +- } }); ++ onComplete: () => this._unbindOpacity(), ++ }); + }, + + _gotGreeterSessionProxy(proxy) { +-- +2.23.0 + diff --git a/gnome-shell.spec b/gnome-shell.spec index 1119a12..59adb52 100644 --- a/gnome-shell.spec +++ b/gnome-shell.spec @@ -1,6 +1,6 @@ Name: gnome-shell Version: 3.30.1 -Release: 6 +Release: 7 Summary: Core user interface functions for the GNOME 3 desktop Group: User Interface/Desktops License: GPLv2+ @@ -12,6 +12,9 @@ Patch2: 0001-endSessionDialog-Immediately-add-buttons-to-the-dial.patch Patch3: 0002-endSessionDialog-Support-rebooting-into-the-bootload.patch Patch4: 0001-keyboardManager-Avoid-idempotent-calls-to-meta_backe.patch Patch5: 0001-Include-the-libcroco-sources-directly-under-src-st-c.patch +Patch6: CVE-2020-17489-pre1.patch +Patch7: CVE-2020-17489-pre2.patch +Patch8: CVE-2020-17489.patch BuildRequires: meson git ibus-devel chrpath dbus-glib-devel desktop-file-utils BuildRequires: evolution-data-server-devel gcr-devel gjs-devel glib2-devel @@ -121,6 +124,9 @@ glib-compile-schemas --allow-any-name %{_datadir}/glib-2.0/schemas &> /dev/null %{_mandir}/man1/%{name}.1.gz %changelog +* Tue Mar 30 2021 wangyue - 3.30.1-7 +- fix CVE-2020-17489 + * Thu Dec 03 2020 wangxiao -3.30.1-6 - move the libcroco sources directly under src/st remove the libcroco dependency from the meson.build files -- Gitee