From e9aaf8940cef92451ab0bdc71ebacc4ef5c7dca4 Mon Sep 17 00:00:00 2001
From: Funda Wang <fundawang@yeah.net>
Date: Mon, 15 Jul 2024 15:59:14 +0800
Subject: [PATCH] fix CVE-2024-6655: Library injection from CWD

---
 CVE-2024-6655.patch | 34 ++++++++++++++++++++++++++++++++++
 gtk2.spec           | 11 ++++++++---
 2 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 CVE-2024-6655.patch

diff --git a/CVE-2024-6655.patch b/CVE-2024-6655.patch
new file mode 100644
index 0000000..131622a
--- /dev/null
+++ b/CVE-2024-6655.patch
@@ -0,0 +1,34 @@
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Sat, 15 Jun 2024 14:18:01 -0400
+Subject: Stop looking for modules in cwd
+
+This is just not a good idea. It is surprising, and can be misused.
+
+Fixes: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
+(cherry picked from commit 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7)
+
+Origin: gtk 3.24.43
+---
+ gtk/gtkmodules.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
+index 50729b6..c0f0c30 100644
+--- a/gtk/gtkmodules.c
++++ b/gtk/gtkmodules.c
+@@ -229,13 +229,8 @@ find_module (const gchar *name)
+   gchar *module_name;
+ 
+   module_name = _gtk_find_module (name, "modules");
+-  if (!module_name)
+-    {
+-      /* As last resort, try loading without an absolute path (using system
+-       * library path)
+-       */
+-      module_name = g_module_build_path (NULL, name);
+-    }
++  if (module_name == NULL)
++    return NULL;
+ 
+   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
+ 
diff --git a/gtk2.spec b/gtk2.spec
index 02e4d6b..b5b059b 100644
--- a/gtk2.spec
+++ b/gtk2.spec
@@ -6,9 +6,9 @@
 #Basic Information
 Name:            gtk2
 Version:         2.24.33
-Release:         9
+Release:         10
 Summary:         GTK+ graphical user interface library
-License:         LGPLv2+
+License:         LGPL-2.0-or-later
 URL:             http://www.gtk.org
 Source:          http://download.gnome.org/sources/gtk+/2.24/gtk+-%{version}.tar.xz
 Source2:         im-cedilla.conf
@@ -21,6 +21,8 @@ Patch1:  icon-padding.patch
 Patch2:  tooltip-positioning.patch
 # https://bugzilla.gnome.org/show_bug.cgi?id=611313
 Patch3: window-dragging.patch
+# https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
+Patch4: CVE-2024-6655.patch
 
 #Dependency
 BuildRequires:   pkgconfig(glib-2.0) >= 2.28.0 pkgconfig(atk) >= 2.28.0
@@ -234,9 +236,12 @@ gtk-query-immodules-2.0-64 --update-cache
 %doc tmpdocs/tutorial
 %doc tmpdocs/faq
 %{_mandir}/man1/gtk-query-immodules-2.0*
-%{_mandir}/man1/gtk-builder-convert.1.gz
+%{_mandir}/man1/gtk-builder-convert.1*
 
 %changelog
+* Mon Jul 15 2024 Funda Wang <fundawang@yeah.net> - 2.24.33-10
+- fix CVE-2024-6655: Library injection from CWD
+
 * Thu Jan 18 2024 zhangpan <zhangpan103@h-partners.com> - 2.24.33-9
 - revert last commit
 
-- 
Gitee