It was discovered that GLib's GSocketClient, since GLib 2.60, will
sporadically ignore its configured proxy settings and improperly
connect directly to the target server, bypassing the configured proxy
server: https://gitlab.gnome.org/GNOME/glib/issues/1989

CVE-2019-12450: file_copy_fallback in gio/gfile.c does not properly restrict
file permissions while a copy operation is in progress. Instead, default
permissions are used.

Follow the upstream recommendations for packagers and switch to
multi-packages:
devel/gettext -> devel/gettext,-runtime
devel/gettext-tools -> devel/gettext,-tools
(new) devel/gettext,-textstyle

glib by doing the following:
- Modify the g_mkdir_with_parents() function so that it will try to
create the specified path directly and if g_mkdir() fails, it will
fall back to walking the path one by one.
- In case of walking the path one by one, ignore ENOENT for all path
elements except for the last one, because g_mkdir_with_parents()
will fail with programs using unveil(2) (with statlie removed).
Ignoring ENOENT is completely fine because we really only care about
the last element of the path, and this modification will also have the
benefit of avoiding useless stat calls.
- My initial tests show that by just firing up a simple file dialog
this modification saves an average of 110 system calls; now imagine
running GNOME or Chrome with that. Each and every program using glib's
g_mkdir_with_parents() before opening the needed files (most do this)
will benefit from this.
- Check if the XDG directories actually exist before adding them to the
list used by file dialogs.
This is also useful if you are not running a complete desktop environment
and you simply do not have these directories.
ok ajacoutot@
glib2 checks for __sync_bool_compare_and_swap, and requires
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4 to be defined if the function is
available... except with special cases like Linux armv5. base gcc
implements __sync_bool_compare_and_swap on many of our archs but doesn't
provide __GCC_HAVE_* macros, so glib2 is confused. Extend the
existing workaround to unbreak.
ok ajacoutot@ (maintainer)