diff -Nru gtk+2.0-2.24.30/debian/changelog gtk+2.0-2.24.30/debian/changelog
--- gtk+2.0-2.24.30/debian/changelog 2016-11-11 12:50:15.000000000 +0000
+++ gtk+2.0-2.24.30/debian/changelog 2017-07-20 21:29:53.000000000 +0000
@@ -1,3 +1,11 @@
+gtk+2.0 (2.24.30-1ubuntu1.16.04.2) xenial; urgency=medium
+
+ * Add debian/patches/lp1641912-add-limit-to-list-size.patch, which fixes a
+ DOS allowing any application to cause all GTK applications to use an
+ arbitrary amount of memory (LP: #1641912).
+
+ -- Simon Quigley Thu, 20 Jul 2017 16:29:53 -0500
+
 gtk+2.0 (2.24.30-1ubuntu1.16.04.1) xenial; urgency=medium
 
 * debian/patches/lp1576424-explicitly-disconnect-keymap-signals.patch
diff -Nru gtk+2.0-2.24.30/debian/patches/lp1641912-add-limit-to-list-size.patch gtk+2.0-2.24.30/debian/patches/lp1641912-add-limit-to-list-size.patch
--- gtk+2.0-2.24.30/debian/patches/lp1641912-add-limit-to-list-size.patch 1970-01-01 00:00:00.000000000 +0000
+++ gtk+2.0-2.24.30/debian/patches/lp1641912-add-limit-to-list-size.patch 2017-07-20 21:29:53.000000000 +0000
@@ -0,0 +1,88 @@
+Description: recent-manager: Add a limit to the list's size
+ This fixes a DOS where any app can cause all running GTK apps to use
+ arbitrary amounts of memory. Originally reported against mate-panel, where
+ running a big slideshow in eye-of-mate caused increasing RAM usage in
+ mate-panel.
+ .
+ This patch also includes a follow-up commit that fixes a memory leak caused
+ by this commit.
+Author: Lauri Kasanen
+Origin: upstream
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=773587
+Bug-Ubuntu: https://pad.lv/1641912
+Applied-Upstream: a3b2d6a65be9f592de9570c227df00f910167e9e, 35871edb318083b2d7e4758cbdaad6109eed60ca
+Last-Update: 2017-07-20
+--- a/gtk/gtkrecentmanager.c
++++ b/gtk/gtkrecentmanager.c
+@@ -47,6 +47,9 @@
+ /* return all items by default */
+ #define DEFAULT_LIMIT -1
+
++/* limit the size of the list */
++#define MAX_LIST_SIZE 1000
++
+ /* keep in sync with xdgmime */
+ #define GTK_RECENT_DEFAULT_MIME "application/octet-stream"
+
+@@ -137,6 +140,8 @@ static void gtk_recent_manager_set_f
+ const gchar *filename);
+ static void gtk_recent_manager_clamp_to_age (GtkRecentManager *manager,
+ gint age);
++static void gtk_recent_manager_clamp_to_size (GtkRecentManager *manager,
++ const gint size);
+
+
+ static void build_recent_items_list (GtkRecentManager *manager);
+@@ -414,6 +419,7 @@ gtk_recent_manager_real_changed (GtkRece
+ {
+ GtkSettings *settings = gtk_settings_get_default ();
+ gint age = 30;
++ gint max_size = MAX_LIST_SIZE;
+
+ g_object_get (G_OBJECT (settings), "gtk-recent-files-max-age", &age, NULL);
+ if (age > 0)
+@@ -423,6 +429,9 @@ gtk_recent_manager_real_changed (GtkRece
+ g_bookmark_file_free (priv->recent_items);
+ priv->recent_items = g_bookmark_file_new ();
+ }
++
++ if (max_size > 0)
++ gtk_recent_manager_clamp_to_size (manager, max_size);
+ }
+
+ write_error = NULL;
+@@ -1587,6 +1596,34 @@ gtk_recent_manager_clamp_to_age (GtkRece
+ }
+
+ g_strfreev (uris);
++}
++
++static void
++gtk_recent_manager_clamp_to_size
(GtkRecentManager *manager,
++ const gint size)
++{
++ GtkRecentManagerPrivate *priv = manager->priv;
++ gchar **uris;
++ gsize n_uris, i;
++
++ if (G_UNLIKELY (!priv->recent_items) || G_UNLIKELY (size < 0))
++ return;
++
++ uris = g_bookmark_file_get_uris (priv->recent_items, &n_uris);
++
++ if (n_uris < size)
++ {
++ g_strfreev (uris);
++ return;
++ }
++
++ for (i = 0; i < n_uris - size; i++)
++ {
++ const gchar *uri = uris[i];
++ g_bookmark_file_remove_item (priv->recent_items, uri, NULL);
++ }
++
++ g_strfreev (uris);
+ }
+
+ /*****************
diff -Nru gtk+2.0-2.24.30/debian/patches/series gtk+2.0-2.24.30/debian/patches/series
--- gtk+2.0-2.24.30/debian/patches/series 2016-11-11 12:50:15.000000000 +0000
+++ gtk+2.0-2.24.30/debian/patches/series 2017-07-20 21:29:53.000000000 +0000
@@ -30,3 +30,4 @@
 printing-initialize-auth_info.patch
 gdkcairo-Avoid-integer-overflow.patch
 lp1576424-explicitly-disconnect-keymap-signals.patch
+lp1641912-add-limit-to-list-size.patch
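Review bot: The size limit in the gtkrecentmanager.c patch is enforced only from gtk_recent_manager_real_changed, through the added `if (max_size > 0) gtk_recent_manager_clamp_to_size (manager, max_size);` just before `write_error = NULL;`, so nothing visible here bounds what a process loads when the stored list is already oversized or was written by something that bypasses this code. build_recent_items_list is only declared in these hunks and the body of gtk_recent_manager_real_changed is only partly shown, so the read path may already be covered; if it is not, the same clamp belongs there for the fix to hold against the cross-application memory growth the description names. In gtk_recent_manager_clamp_to_size the loop removes the first `n_uris - size` entries, which evicts the oldest items only if g_bookmark_file_get_uris returns them oldest-first, so a comment such as `/* uris are expected oldest-first; drop from the front */` should record that assumption once it is confirmed. The `max_size > 0` test is always true for a local initialised from MAX_LIST_SIZE, and `n_uris < size` compares gsize with gint, which `if (n_uris < (gsize) size)` would make explicit.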