CVE-2024-6655

Name: CVE-2024-6655
Description: A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: ELA-1201-1, ELA-1202-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release                | Version            | Status
----------------|------------------------|--------------------|-------
gtk+2.0 (PTS)   | jessie, jessie (lts)   | 2.24.25-3+deb8u3   | fixed
                | stretch (lts), stretch | 2.24.31-2+deb9u1   | fixed
                | buster, buster (lts)   | 2.24.32-3+deb10u1  | fixed
                | bullseye               | 2.24.33-2+deb11u1  | fixed
                | bookworm               | 2.24.33-2+deb12u1  | fixed
                | sid, trixie            | 2.24.33-6          | fixed
gtk+3.0 (PTS)   | jessie, jessie (lts)   | 3.14.5-1+deb8u2    | fixed
                | stretch (lts), stretch | 3.22.11-1+deb9u1   | fixed
                | buster, buster (lts)   | 3.24.5-1+deb10u1   | fixed
                | bullseye               | 3.24.24-4+deb11u4  | fixed
                | bookworm               | 3.24.38-2~deb12u3  | fixed
                | sid, trixie            | 3.24.43-4          | fixed

The information below is based on the following data on fixed versions.

Package  | Type   | Release    | Fixed Version      | Urgency | Origin     | Debian Bugs
---------|--------|------------|--------------------|---------|------------|------------
gtk+2.0  | source | jessie     | 2.24.25-3+deb8u3   |         | ELA-1202-1 |
gtk+2.0  | source | stretch    | 2.24.31-2+deb9u1   |         | ELA-1202-1 |
gtk+2.0  | source | buster     | 2.24.32-3+deb10u1  |         | ELA-1202-1 |
gtk+2.0  | source | bullseye   | 2.24.33-2+deb11u1  |         |            |
gtk+2.0  | source | bookworm   | 2.24.33-2+deb12u1  |         |            |
gtk+2.0  | source | (unstable) | 2.24.33-5          |         |            |
gtk+3.0  | source | jessie     | 3.14.5-1+deb8u2    |         | ELA-1201-1 |
gtk+3.0  | source | stretch    | 3.22.11-1+deb9u1   |         | ELA-1201-1 |
gtk+3.0  | source | buster     | 3.24.5-1+deb10u1   |         | ELA-1201-1 |
gtk+3.0  | source | bullseye   | 3.24.24-4+deb11u4  |         |            |
gtk+3.0  | source | bookworm   | 3.24.38-2~deb12u2  |         |            |
gtk+3.0  | source | (unstable) | 3.24.43-1          |         |            |

Notes

https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
https://www.openwall.com/lists/oss-security/2024/09/09/1
