In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument injection vulnerability in xfce4-mime-helper.
References: https://nvd.nist.gov/vuln/detail/CVE-2022-45062 https://gitlab.xfce.org/xfce/xfce4-settings/-/issues/390 Upstream Status: Backport from https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/f1cb5bdafc6b9c71c541de267cc84a8c2ac32049 Signed-off-by: Archana Polampalli <[email protected]> --- .../xfce4-settings/files/CVE-2022-45062.patch | 58 +++++++++++++++++++ .../xfce4-settings/xfce4-settings_4.16.2.bb | 3 +- 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch diff --git a/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch new file mode 100644 index 000000000..1e999a7c6 --- /dev/null +++ b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch @@ -0,0 +1,58 @@ +commit f1cb5bdafc6b9c71c541de267cc84a8c2ac32049 +Author: Ga??l Bonithon <[email protected]> +Date: Sat Nov 12 22:27:36 2022 +0100 + + mime-settings: Properly quote command parameters + + Fixes: #390 + MR: !85 + +diff --git a/dialogs/mime-settings/xfce-mime-helper.c b/dialogs/mime-settings/xfce-mime-helper.c +index 7149951f..b2d8e50d 100644 +--- a/dialogs/mime-settings/xfce-mime-helper.c ++++ b/dialogs/mime-settings/xfce-mime-helper.c +@@ -453,8 +453,43 @@ xfce_mime_helper_execute (XfceMimeHelper *helper, + /* reset the error */ + g_clear_error (&err); + ++ /* prepare the command */ ++ if (exo_str_is_empty (real_parameter)) ++ command = g_strdup (commands[n]); ++ else ++ { ++ /* split command into "quoted"/unquoted parts */ ++ gchar **cmd_parts = g_regex_split_simple ("(\"[^\"]*\")", commands[n], 0, 0); ++ ++ /* walk the part array */ ++ for (gchar **cmd_part = cmd_parts; *cmd_part != NULL; cmd_part++) ++ { ++ /* quoted part: unquote it, replace %s and re-quote it properly */ ++ if (g_str_has_prefix (*cmd_part, "\"") && g_str_has_suffix (*cmd_part, "\"")) ++ { ++ gchar *unquoted = g_strndup (*cmd_part + 1, strlen (*cmd_part) - 2); ++ gchar *filled = exo_str_replace (unquoted, "%s", real_parameter); ++ gchar *quoted = g_shell_quote (filled); ++ g_free (filled); ++ g_free (unquoted); ++ g_free (*cmd_part); ++ *cmd_part = quoted; ++ } ++ /* unquoted part: just replace %s */ ++ else ++ { ++ gchar *filled = exo_str_replace (*cmd_part, "%s", real_parameter); ++ g_free (*cmd_part); ++ *cmd_part = filled; ++ } ++ } ++ ++ /* join parts to reconstitute the command, filled and quoted */ ++ command = g_strjoinv (NULL, cmd_parts); ++ g_strfreev (cmd_parts); ++ } ++ + /* parse the command */ +- command = !exo_str_is_empty (real_parameter) ? exo_str_replace (commands[n], "%s", real_parameter) : g_strdup (commands[n]); + succeed = g_shell_parse_argv (command, NULL, &argv, &err); + g_free (command); + diff --git a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb index aa4265f7b..6757c48f4 100644 --- a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb +++ b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb @@ -8,7 +8,8 @@ inherit xfce features_check mime-xdg REQUIRED_DISTRO_FEATURES = "x11" -SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch" +SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch \ + file://CVE-2022-45062.patch" SRC_URI[sha256sum] = "4dd7cb420860535e687f673c0b5c0274e0d2fb67181281d4b85be9197da03d7e" EXTRA_OECONF += "--enable-maintainer-mode --disable-debug" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#99976): https://lists.openembedded.org/g/openembedded-devel/message/99976 Mute This Topic: https://lists.openembedded.org/mt/95517736/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
