packages/xfce4-settings
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-45062

Browse Source
This commit is contained in:
dwl301 2022-11-10 14:57:29 +08:00
parent 244566021e
commit 6ab57ffd4c
2 changed files with 77 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
fix_CVE-2022-45062.patch Normal file
View File

@ -0,0 +1,71 @@
diff -up xfce4-settings-4.16.0/dialogs/mime-settings/xfce-mime-helper.c.BAK xfce4-settings-4.16.0/dialogs/mime-settings/xfce-mime-helper.c
--- xfce4-settings-4.16.0/dialogs/mime-settings/xfce-mime-helper.c.BAK 2022-11-10 14:46:34.496823705 +0800
+++ xfce4-settings-4.16.0/dialogs/mime-settings/xfce-mime-helper.c 2022-11-10 14:51:50.390633576 +0800
@@ -375,7 +375,7 @@ xfce_mime_helper_execute (XfceMimeHelper
gint status;
gint result;
gint pid;
- const gchar *real_parameter = parameter;
+ gchar *real_parameter = NULL;
// FIXME: startup-notification
@@ -387,23 +387,44 @@ xfce_mime_helper_execute (XfceMimeHelper
if (G_UNLIKELY (screen == NULL))
screen = gdk_screen_get_default ();
- /* strip the mailto part if needed */
- if (real_parameter != NULL && g_str_has_prefix (real_parameter, "mailto:"))
- real_parameter = parameter + 7;
+ if (parameter != NULL)
+ {
+ if (helper->category == XFCE_MIME_HELPER_WEBBROWSER || helper->category == XFCE_MIME_HELPER_FILEMANAGER)
+ {
+ /* escape characters which do not belong into an URI/URL */
+ real_parameter = g_uri_escape_string (parameter, ":/?#[]@!$&'()*+,;=%", TRUE);
+ }
+ else if (g_str_has_prefix (real_parameter, "mailto:"))
+ {
+ /* strip the mailto part if needed */
+ real_parameter = g_strdup (parameter + 7);
+ }
+ else
+ {
+ real_parameter = g_strdup (parameter);
+ }
+ }
/* determine the command set to use */
- if (exo_str_is_flag (real_parameter)) {
+ if (exo_str_is_flag (real_parameter))
+ {
commands = helper->commands_with_flag;
- } else if (exo_str_is_empty (real_parameter)) {
+ }
+ else if (exo_str_is_empty (real_parameter))
+ {
commands = helper->commands;
- } else {
+ }
+ else
+ {
commands = helper->commands_with_parameter;
}
+
/* verify that we have atleast one command */
if (G_UNLIKELY (*commands == NULL))
{
g_set_error (error, G_SPAWN_ERROR, G_SPAWN_ERROR_INVAL, _("No command specified"));
+ g_free (real_parameter);
return FALSE;
}
@@ -493,6 +514,7 @@ xfce_mime_helper_execute (XfceMimeHelper
if (G_UNLIKELY (!succeed))
g_propagate_error (error, err);
+ g_free (real_parameter);
return succeed;
}

7
xfce4-settings.spec
View File

@ -2,7 +2,7 @@
Name: xfce4-settings Name: xfce4-settings
Version: 4.16.0 Version: 4.16.0
Release: 1 Release: 2
Summary: Settings Manager for Xfce Summary: Settings Manager for Xfce
License: GPLv2+ License: GPLv2+
@ -10,6 +10,7 @@ URL: http://www.xfce.org/
Source0: http://archive.xfce.org/src/xfce/%{name}/%{xfceversion}/%{name}-%{version}.tar.bz2 Source0: http://archive.xfce.org/src/xfce/%{name}/%{xfceversion}/%{name}-%{version}.tar.bz2
# theme and font settings # theme and font settings
Patch10: xfce4-settings-4.14.patch Patch10: xfce4-settings-4.14.patch
Patch11: fix_CVE-2022-45062.patch
BuildRequires: make BuildRequires: make
BuildRequires: gcc-c++ BuildRequires: gcc-c++
@ -35,6 +36,7 @@ This package includes the settings manager applications for the Xfce desktop.
%prep %prep
%setup -q %setup -q
%patch10 %patch10
%patch11 -p1
%build %build
@ -77,6 +79,9 @@ done
%{_datadir}/xfce4/helpers/*.desktop %{_datadir}/xfce4/helpers/*.desktop
%changelog %changelog
* Thu Nov 10 2022 Wenlong Ding <wenlong.ding@turbolinux.com.cn> - 4.16.0-2
- Fix CVE-2022-45062
* Fri Jun 18 2021 zhanglin <lin.zhang@turbolinux.com.cn> - 4.16.0-1 * Fri Jun 18 2021 zhanglin <lin.zhang@turbolinux.com.cn> - 4.16.0-1
- Update to 4.16.0 - Update to 4.16.0