#2 Remove GIO GSettings backend, GLib should not load obsolete extensions
Merged 2 years ago by catanzaro. Opened 2 years ago by catanzaro.
rpms/ catanzaro/GConf2 mcatanzaro/gsettings  into  rawhide

file modified
+7 -13
@@ -9,7 +9,7 @@ 

  

  Name:    GConf2

  Version: 3.2.6

- Release: 35%{?dist}

+ Release: 36%{?dist}

  Summary: A process-transparent configuration system

  

  License: LGPLv2+ and GPLv2+
@@ -35,7 +35,6 @@ 

  BuildRequires: intltool

  BuildRequires: make

  BuildRequires: pkgconfig(dbus-glib-1) >= 0.8

- BuildRequires: pkgconfig(gio-2.0) >= %{glib2_version}

  BuildRequires: pkgconfig(gobject-introspection-1.0) >= 0.6.7

  BuildRequires: pkgconfig(libxml-2.0) >= %{libxml2_version}

  %if 0%{?defaults_service}
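
Review bot: Dropping the BuildRequires on pkgconfig(gio-2.0) is only safe if the GSettings backend was the sole consumer of gio-2.0 at configure time. Please confirm with a scratch build that configure performs no other gio-2.0 check once --disable-gsettings-backend is passed. If %{glib2_version} is no longer referenced anywhere else in the spec, remove its definition in the same change.
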
@@ -72,16 +71,13 @@ 

  %prep

  %autosetup -p1 -n GConf-%{version}

  

+ %build

  autoreconf --force --install

  

- 2to3 --write --nobackup gsettings/gsettings-schema-convert

- pathfix.py -pni "%{__python3} %{py3_shbang_opts}" . gsettings/gsettings-schema-convert

- 

- %build

  %configure --disable-static \

        %{?defaults_service:--enable-defaults-service} \

        %{!?defaults_service:--disable-defaults-service} \

-       --disable-orbit --without-openldap

+       --disable-orbit --without-openldap --disable-gsettings-backend

  

  # drop unneeded direct library deps with --as-needed

  # libtool doesn't make this easy, so we do it the hard way
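
Review bot: The new --disable-gsettings-backend on the %configure line has no comment explaining why it is there, so a later spec cleanup could drop it and silently bring the GIO module back. Add a one-line comment above %configure giving the reason from the changelog (GLib should not load obsolete extensions). The removed 2to3 and pathfix.py lines also assume gsettings/gsettings-schema-convert is no longer installed with this flag; worth stating that in the commit message, since the flag name alone does not make it obvious.
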
@@ -129,8 +125,6 @@ 

  %dir %{_sysconfdir}/gconf/schemas

  %{_bindir}/gconf-merge-tree

  %{_bindir}/gconftool-2

- %{_bindir}/gsettings-data-convert

- %{_sysconfdir}/xdg/autostart/gsettings-data-convert.desktop

  %{_libexecdir}/gconfd-2

  %{_libdir}/*.so.*

  %{_libdir}/GConf/2/*.so
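
Review bot: The two removed entries, %{_bindir}/gsettings-data-convert and the gsettings-data-convert.desktop file under %{_sysconfdir}/xdg/autostart, go beyond the GIO module named in the title: after this update the conversion helper no longer exists and nothing runs it at login. If that is an intended side effect of --disable-gsettings-backend, say so in the PR description so reviewers do not read it as an accidental drop.
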
@@ -138,7 +132,6 @@ 

  %{_datadir}/sgml/gconf

  %{_datadir}/GConf

  %{_mandir}/man1/*

- %exclude %{_mandir}/man1/gsettings-schema-convert.1*

  %dir %{_libdir}/GConf

  %dir %{_libdir}/GConf/2

  %{_rpmconfigdir}/macros.d/macros.gconf2
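
Review bot: With the %exclude for gsettings-schema-convert.1* gone, the %{_mandir}/man1/* glob just above it becomes the only rule for man pages in the main package. If the build still installs gsettings-schema-convert.1 despite --disable-gsettings-backend, it would now land in the main package unnoticed rather than fail the build. Please check the file list of a scratch build to confirm the man page is no longer produced.
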
@@ -150,7 +143,6 @@ 

  %endif

  %{_datadir}/dbus-1/services/org.gnome.GConf.service

  %{_localstatedir}/lib/rpm-state/gconf/

- %{_libdir}/gio/modules/libgsettingsgconfbackend.so

  %{_libdir}/girepository-1.0

  

  %files devel
@@ -160,10 +152,12 @@ 

  %{_datadir}/gtk-doc/html/gconf

  %{_libdir}/pkgconfig/*

  %{_datadir}/gir-1.0

- %{_bindir}/gsettings-schema-convert

- %{_mandir}/man1/gsettings-schema-convert.1*

  

  %changelog

+ * Tue Aug 02 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 3.2.6-36

+ - Remove GIO GSettings backend, GLib should not load obsolete extensions

+ - Move build stuff from %prep to %build

+ 

  * Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.6-35

  - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

  

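Review bot: The new %changelog entry mentions the backend removal and the %prep to %build move, but not that gsettings-schema-convert (dropped from %files devel in this hunk) and gsettings-data-convert are no longer shipped. Add a changelog line naming the removed tools, so someone searching for a missing binary can find the release that dropped it.
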
GConf2 has been obsolete for over a decade now, but still installs a GIO extension. Because anything hooking into GIO is automatically security-relevant, let's ensure decades-old stuff doesn't do so.

CC @kalev and @amigadave, does this seem OK? It was noticed as a potential weakness during a security exercise.

This makes sense to me -- I can't imagine that people would want to use GConf2 as a backend for storing GSettings data these days.

Maybe just edit the commit message slightly to say "GConf2 GSettings backend" instead of "GIO GSettings backend"? Otherwise +1 from me!

The commit message is correct actually: GSettings is a GIO extension point. The goal is to stop GIO from loading obsolete stuff.

That is, this commit removes GConf2's GIO GSettings implementation.

Pull-Request has been merged by catanzaro

2 years ago