Hello community, here is the log from the commit of package spice-vdagent for openSUSE:Factory checked in at 2017-12-14 10:54:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/spice-vdagent (Old) and /work/SRC/openSUSE:Factory/.spice-vdagent.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "spice-vdagent" Thu Dec 14 10:54:23 2017 rev:12 rq:554572 version:0.17.0 Changes: -------- --- /work/SRC/openSUSE:Factory/spice-vdagent/spice-vdagent.changes 2017-08-28 16:17:24.292788554 +0200 +++ /work/SRC/openSUSE:Factory/.spice-vdagent.new/spice-vdagent.changes 2017-12-14 10:54:27.920355998 +0100 @@ -1,0 +2,7 @@ +Tue Dec 5 16:12:24 UTC 2017 - cbosdon...@suse.com + +- Fix potential shell command injection. + 8ba17481-quote-save-dir-before-passing-to-shell.patch + CVE-2017-15108 (bsc#1070724) + +------------------------------------------------------------------- New: ---- 8ba17481-quote-save-dir-before-passing-to-shell.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ spice-vdagent.spec ++++++ --- /var/tmp/diff_new_pack.2mftRs/_old 2017-12-14 10:54:29.012303286 +0100 +++ /var/tmp/diff_new_pack.2mftRs/_new 2017-12-14 10:54:29.016303093 +0100 @@ -27,6 +27,7 @@ Source0: http://spice-space.org/download/releases/%{name}-%{version}.tar.bz2 Patch0: spice-vdagent-var_run.patch Patch1: vdagentd-do-endian-swapping.patch +Patch2: 8ba17481-quote-save-dir-before-passing-to-shell.patch BuildRequires: alsa-devel >= 1.0.22 BuildRequires: desktop-file-utils BuildRequires: glib2-devel @@ -59,6 +60,7 @@ %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 %build %configure \ ++++++ 8ba17481-quote-save-dir-before-passing-to-shell.patch ++++++ >From 8ba174816d245757e743e636df357910e1d5eb61 Mon Sep 17 00:00:00 2001 
From: Jonathon Jongsma <jjong...@redhat.com> Date: Wed, 25 Oct 2017 10:33:11 -0500 Subject: [PATCH] Quote the save directory before passing to shell Thanks to a report from Seth Arnold <seth.arn...@canonial.com>: - vdagent_file_xfers_data() does not escape xfers->save_dir before giving it to the shell - vdagent_file_xfers_data() does not check snprintf() return code; a too-long xfers->save_dir could cause the & or ' or any number of other characters to go missing. To fix these issues, we use g_spawn_async(). This avoids the need to quote the filename and also avoids the snprintf issue. In the case that the spawn fails, we also print a warning to the syslog now. Signed-off-by: Jonathon Jongsma <jjong...@redhat.com> Acked-by: Frediano Ziglio <fzig...@redhat.com> --- src/vdagent/file-xfers.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) Index: spice-vdagent-0.17.0/src/vdagent-file-xfers.c =================================================================== --- spice-vdagent-0.17.0.orig/src/vdagent-file-xfers.c +++ spice-vdagent-0.17.0/src/vdagent-file-xfers.c @@ -293,9 +293,16 @@ void vdagent_file_xfers_data(struct vdag if (xfers->open_save_dir && task->file_xfer_nr == task->file_xfer_total && g_hash_table_size(xfers->xfers) == 1) { - char buf[PATH_MAX]; - snprintf(buf, PATH_MAX, "xdg-open '%s'&", xfers->save_dir); - status = system(buf); + GError *error = NULL; + gchar *argv[] = { "xdg-open", xfers->save_dir, NULL }; + if (!g_spawn_async(NULL, argv, NULL, + G_SPAWN_SEARCH_PATH, + NULL, NULL, NULL, &error)) { + syslog(LOG_WARNING, + "file-xfer: failed to open save directory: %s", + error->message); + g_error_free(error); + } } status = VD_AGENT_FILE_XFER_STATUS_SUCCESS; } else {
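Review bot: the `%patch2 -p1` in the `%setup` hunk is consistent with the patch's own paths (`spice-vdagent-0.17.0.orig/src/vdagent-file-xfers.c` and `spice-vdagent-0.17.0/src/vdagent-file-xfers.c`), since `-p1` strips exactly the versioned top-level directory, and Patch2 takes the next free slot after Patch1 in the Source/Patch block; with the CVE and bsc reference already in the .changes entry, nothing further is needed in the spec.

Review bot: with `G_SPAWN_SEARCH_PATH` as the only flag in the `g_spawn_async()` call, the spawned xdg-open inherits vdagent's stdin, stdout and stderr, so anything the helper prints lands in the agent's own streams; adding `G_SPAWN_STDOUT_TO_DEV_NULL | G_SPAWN_STDERR_TO_DEV_NULL` would keep a chatty helper from interfering with the agent's I/O. Dropping `status = system(buf);` loses nothing, because `status` is overwritten by `status = VD_AGENT_FILE_XFER_STATUS_SUCCESS;` on the very next line of context. One documentation point: the header's diffstat still says `src/vdagent/file-xfers.c` while the `Index:` line says `src/vdagent-file-xfers.c`, so the patch was rebased onto the 0.17.0 layout; a line in the patch header saying so would save the next rebaser a moment of confusion.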