!14 fix CVE-2022-45062

From: @dwl301 Reviewed-by: @zhang__3125 Signed-off-by: @zhang__3125
fix CVE-2022-45062
2022-11-10 07:33:02 +00:00 · 2022-11-10 14:57:29 +08:00 · 2021-06-17 14:23:45 +00:00 · 2021-06-16 11:22:00 +08:00 · 2020-12-02 16:36:19 +08:00 · 2020-12-01 11:11:53 +08:00
5 changed files with 189 additions and 0 deletions
--- a/fix_CVE-2022-45062.patch
+++ b/fix_CVE-2022-45062.patch
@ -0,0 +1,71 @@
+diff -up xfce4-settings-4.16.0/dialogs/mime-settings/xfce-mime-helper.c.BAK xfce4-settings-4.16.0/dialogs/mime-settings/xfce-mime-helper.c
+--- xfce4-settings-4.16.0/dialogs/mime-settings/xfce-mime-helper.c.BAK	2022-11-10 14:46:34.496823705 +0800
+++ xfce4-settings-4.16.0/dialogs/mime-settings/xfce-mime-helper.c	2022-11-10 14:51:50.390633576 +0800
+@@ -375,7 +375,7 @@ xfce_mime_helper_execute (XfceMimeHelper
+   gint          status;
+   gint          result;
+   gint          pid;
+-  const gchar  *real_parameter = parameter;
+  gchar        *real_parameter = NULL;
+ 
+   // FIXME: startup-notification
+ 
+@@ -387,23 +387,44 @@ xfce_mime_helper_execute (XfceMimeHelper
+   if (G_UNLIKELY (screen == NULL))
+     screen = gdk_screen_get_default ();
+ 
+-  /* strip the mailto part if needed */
+-  if (real_parameter != NULL && g_str_has_prefix (real_parameter, "mailto:"))
+-    real_parameter = parameter + 7;
+  if (parameter != NULL)
+  {
+    if (helper->category == XFCE_MIME_HELPER_WEBBROWSER || helper->category == XFCE_MIME_HELPER_FILEMANAGER)
+      {
+        /* escape characters which do not belong into an URI/URL */
+        real_parameter = g_uri_escape_string (parameter, ":/?#[]@!$&'()*+,;=%", TRUE);
+      }
+    else if (g_str_has_prefix (real_parameter, "mailto:"))
+      {
+        /* strip the mailto part if needed */
+        real_parameter = g_strdup (parameter + 7);
+      }
+    else
+      {
+        real_parameter = g_strdup (parameter);
+      }
+  }
+ 
+   /* determine the command set to use */
+-  if (exo_str_is_flag (real_parameter)) {
+  if (exo_str_is_flag (real_parameter))
+  {
+     commands = helper->commands_with_flag;
+-  } else if (exo_str_is_empty (real_parameter)) {
+  }
+  else if (exo_str_is_empty (real_parameter))
+  {
+     commands = helper->commands;
+-  } else {
+  }
+  else
+  {
+     commands = helper->commands_with_parameter;
+   }
+ 
+
+   /* verify that we have atleast one command */
+   if (G_UNLIKELY (*commands == NULL))
+     {
+       g_set_error (error, G_SPAWN_ERROR, G_SPAWN_ERROR_INVAL, _("No command specified"));
+      g_free (real_parameter);
+       return FALSE;
+     }
+ 
+@@ -493,6 +514,7 @@ xfce_mime_helper_execute (XfceMimeHelper
+   if (G_UNLIKELY (!succeed))
+     g_propagate_error (error, err);
+ 
+  g_free (real_parameter);
+   return succeed;
+ }
+ 
--- a/xfce4-settings-4.14.patch
+++ b/xfce4-settings-4.14.patch
@ -0,0 +1,25 @@
+--- xfsettingsd/xsettings.xml.orig	2015-02-23 19:33:11.000000000 -0600
+++ xfsettingsd/xsettings.xml	2015-02-28 18:30:51.863719465 -0600
+@@ -6,8 +6,8 @@
+ <?xml version="1.0" encoding="UTF-8"?>
+ <channel name="xsettings" version="1.0">
+   <property name="Net" type="empty">
+-    <property name="ThemeName" type="empty"/>
+-    <property name="IconThemeName" type="empty"/>
+    <property name="ThemeName" type="string" value="Adwaita"/>
+    <property name="IconThemeName" type="string" value="Adwaita"/>
+     <property name="DoubleClickTime" type="int" value="400"/>
+     <property name="DoubleClickDistance" type="int" value="5"/>
+     <property name="DndDragThreshold" type="int" value="8"/>
+@@ -19,9 +19,9 @@
+   </property>
+   <property name="Xft" type="empty">
+     <property name="DPI" type="empty"/>
+-    <property name="Antialias" type="int" value="-1"/>
+    <property name="Antialias" type="int" value="1"/>
+     <property name="Hinting" type="int" value="-1"/>
+-    <property name="HintStyle" type="string" value="hintnone"/>
+    <property name="HintStyle" type="string" value="hintfull"/>
+     <property name="RGBA" type="string" value="none"/>
+     <!-- <property name="Lcdfilter" type="string" value="none"/> -->
+   </property>
--- a/xfce4-settings-4.16.0.tar.bz2
+++ b/xfce4-settings-4.16.0.tar.bz2
--- a/xfce4-settings.spec
+++ b/xfce4-settings.spec
@ -0,0 +1,89 @@
+%global xfceversion 4.16
+
+Name:           xfce4-settings
+Version:        4.16.0
+Release:        2
+Summary:        Settings Manager for Xfce
+
+License:        GPLv2+
+URL:            http://www.xfce.org/
+Source0:        http://archive.xfce.org/src/xfce/%{name}/%{xfceversion}/%{name}-%{version}.tar.bz2
+# theme and font settings
+Patch10:        xfce4-settings-4.14.patch
+Patch11:	fix_CVE-2022-45062.patch
+
+BuildRequires:  make
+BuildRequires:  gcc-c++
+BuildRequires:  gettext
+BuildRequires:  intltool
+BuildRequires:  exo-devel >= 0.5.0
+BuildRequires:  libxfce4ui-devel >= %{xfceversion}
+BuildRequires:  libxfce4util-devel >= %{xfceversion}
+BuildRequires:  xfconf-devel >= %{xfceversion}
+BuildRequires:  desktop-file-utils >= 0.7
+BuildRequires:  libnotify-devel
+BuildRequires:  colord-devel
+BuildRequires:  libcanberra-devel
+BuildRequires:  libxklavier-devel
+BuildRequires:  xorg-x11-drv-libinput-devel
+BuildRequires:  libXrandr-devel
+BuildRequires:  garcon-devel >= 0.1.10
+Requires:       xfconf
+
+%description
+This package includes the settings manager applications for the Xfce desktop. 
+
+%prep
+%setup -q
+%patch10
+%patch11 -p1
+
+
+%build
+%configure --enable-sound-settings --enable-pluggable-dialogs --enable-maintainer-mode --enable-xorg-libinput
+%make_build
+
+%install
+%make_install
+
+for file in %{buildroot}%{_datadir}/applications/*.desktop ; do
+    desktop-file-install \
+        --add-category="X-XFCE" \
+        --remove-category="XFCE" \
+        --delete-original \
+        --dir=%{buildroot}%{_datadir}/applications \
+        $file
+done
+
+
+%find_lang %{name}
+
+%files -f %{name}.lang
+%license COPYING
+%doc AUTHORS ChangeLog NEWS TODO
+%config(noreplace) %{_sysconfdir}/xdg/xfce4/xfconf/xfce-perchannel-xml/xsettings.xml
+%config(noreplace) %{_sysconfdir}/xdg/autostart/xfsettingsd.desktop
+%config(noreplace) %{_sysconfdir}/xdg/menus/xfce-settings-manager.menu
+%config(noreplace) %{_sysconfdir}/xdg/xfce4/helpers.rc
+%{_bindir}/xfce4-mime-helper
+%{_bindir}/xfce4-*-settings
+%{_bindir}/xfce4-settings-editor
+%{_bindir}/xfce4-settings-manager
+%{_bindir}/xfsettingsd
+%{_bindir}/xfce4-find-cursor
+%{_datadir}/applications/xfce*.desktop
+%{_libdir}/xfce4
+%{_libdir}/xfce4/xfce4-compose-mail
+%{_libdir}/xfce4/settings
+%{_datadir}/icons/hicolor/*/*/*xfce*
+%{_datadir}/xfce4/helpers/*.desktop
+
+%changelog
+* Thu Nov 10 2022 Wenlong Ding <wenlong.ding@turbolinux.com.cn> - 4.16.0-2
+- Fix CVE-2022-45062
+
+* Fri Jun 18 2021 zhanglin <lin.zhang@turbolinux.com.cn> - 4.16.0-1
+- Update to 4.16.0
+
+* Sun Jul 12 2020 Dillon Chen <dillon.chen@turbolinux.com.cn> - 4.14.3-1
+- Init package
--- a/xfce4-settings.yaml
+++ b/xfce4-settings.yaml
@ -0,0 +1,4 @@
+version_control: git
+src_repo: https://gitlab.xfce.org/xfce/xfce4-settings.git
+tag_prefix: "xfce4-settings-"
+seperator: "."
Author	SHA1	Message	Date
openeuler-ci-bot	32974bf9d4	!14 fix CVE-2022-45062 From: @dwl301 Reviewed-by: @zhang__3125 Signed-off-by: @zhang__3125	2022-11-10 07:33:02 +00:00
dwl301	6ab57ffd4c	fix CVE-2022-45062	2022-11-10 14:57:29 +08:00
openeuler-ci-bot	244566021e	!5 upgrade to 4.16.0 for xfce 4.16 From: @zhang__3125 Reviewed-by: @dwl301 Signed-off-by: @dwl301	2021-06-17 14:23:45 +00:00
linz	7436aa3a00	upgrade to 4.16.0 for xfce 4.16	2021-06-16 11:22:00 +08:00
openeuler-ci-bot	57fa764a6c	!4 20201201 add yaml file From: @zhang__3125 Reviewed-by: @dwl301 Signed-off-by: @dwl301	2020-12-02 16:36:19 +08:00
张琳	96d99d2a26	update xfce4-settings.yaml.	2020-12-01 11:11:53 +08:00
zhang__3125	00acf6003d	20201127 add yaml file	2020-11-27 13:50:30 +08:00
openeuler-ci-bot	69874ca6a4	!2 Init package Merge pull request !2 from 陈棋德/master	2020-07-31 19:55:43 +08:00
dillon chen	2638bc6ca7	change patch	2020-07-12 14:37:10 +08:00
dillon chen	14ad2178c1	Init package	2020-07-12 13:48:45 +08:00