Bug#777722: xdg-utils: diff for NMU version 1.1.0~rc1+git20111210-7.4

2015-02-21 Thread Michael Gilbert
On Fri, Feb 20, 2015 at 10:49 AM, Salvatore Bonaccorso wrote:
> Control: tags 22 + pending
>
> Dear maintainer,
>
> I've prepared an NMU for xdg-utils (versioned as 1.1.0~rc1+git20111210-7.4) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer.

Hi Salvatore,

xdg-utils has been NMU-maintained for a long time now, so I would consider
the package effectively orphaned [0], and upload without delay.

Best wishes,
Mike

[0] http://bugs.debian.org/774590





Bug#777722: xdg-utils: diff for NMU version 1.1.0~rc1+git20111210-7.4

2015-02-20 Thread Salvatore Bonaccorso
Control: tags 22 + pending

Dear maintainer,

I've prepared an NMU for xdg-utils (versioned as 1.1.0~rc1+git20111210-7.4) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/changelog xdg-utils-1.1.0~rc1+git20111210/debian/changelog
--- xdg-utils-1.1.0~rc1+git20111210/debian/changelog	2015-01-10 16:22:21.0 +0100
+++ xdg-utils-1.1.0~rc1+git20111210/debian/changelog	2015-02-20 16:28:35.0 +0100
@@ -1,3 +1,13 @@
+xdg-utils (1.1.0~rc1+git20111210-7.4) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add CVE-2015-1877.patch patch.
+CVE-2015-1877: Command injection vulnerability due to local variables
+collision.
+Thanks to Jiri Horner laeq...@gmail.com (Closes: #22)
+
+ -- Salvatore Bonaccorso car...@debian.org  Fri, 20 Feb 2015 16:24:18 +0100
+
 xdg-utils (1.1.0~rc1+git20111210-7.3) unstable; urgency=medium
 
   * Non-maintainer upload.
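Review bot: The new 7.4 changelog entry does not say which script or function the fix touches; "local variables collision" on its own gives a reader of the changelog nothing to locate the change. Consider naming xdg-open and open_generic_xdg_mime(), which is where CVE-2015-1877.patch makes its change. Also check the bug reference: the entry reads "(Closes: #22)" while this thread is filed under Bug#777722.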
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2015-1877.patch xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2015-1877.patch
--- xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2015-1877.patch	1970-01-01 01:00:00.0 +0100
+++ xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2015-1877.patch	2015-02-20 16:28:35.0 +0100
@@ -0,0 +1,33 @@
+Description: CVE-2015-1877: Command injection vulnerability due to local variables collision
+Origin: vendor
+Bug: https://bugs.freedesktop.org/89129
+Bug-Debian: https://bugs.debian.org/22
+Forwarded: yes, https://bugs.freedesktop.org/show_bug.cgi?id=89129
+Author: Jiri Horner laeq...@gmail.com
+Reviewed-by: Salvatore Bonaccorso car...@debian.org
+Last-Update: 2015-02-20
+
+--- a/scripts/xdg-open.in
 b/scripts/xdg-open.in
+@@ -128,16 +128,16 @@ open_generic_xdg_mime()
+ 
+ DEBUG 3 $xdg_user_dir:$xdg_system_dirs
+ for x in `echo $xdg_user_dir:$xdg_system_dirs | sed 's/:/ /g'`; do
+-local file
++local desktop_file
+ # look for both vendor-app.desktop, vendor/app.desktop
+ if [ -r $x/applications/$default ]; then
+-  file=$x/applications/$default
++  desktop_file=$x/applications/$default
+ elif [ -r $x/applications/`echo $default | sed -e 's|-|/|'` ]; then
+-  file=$x/applications/`echo $default | sed -e 's|-|/|'`
++  desktop_file=$x/applications/`echo $default | sed -e 's|-|/|'`
+ fi
+ 
+-if [ -r $file ] ; then
+-set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' $file)
++if [ -r $desktop_file ] ; then
++set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' $desktop_file)
+ command_exec=$(which $1 2 /dev/null)
+ if [ -x $command_exec ] ; then
+ shift
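Review bot: In open_generic_xdg_mime(), desktop_file is declared with `local` inside the loop but is only assigned when one of the two `-r` tests matches, and it is then expanded unquoted in `[ -r $desktop_file ]` and in the sed call. When neither path is readable it keeps whatever value it had before, and if that is empty the test collapses to `[ -r ]`, a one-argument test that succeeds, so sed runs with no file operand. The rename removes the clash with the name `file`, but the code still relies on nothing else ever setting desktop_file. I would clear the variable explicitly at the top of each iteration and quote both uses, for example `if [ -r "$desktop_file" ] ; then`.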
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/patches/series xdg-utils-1.1.0~rc1+git20111210/debian/patches/series
--- xdg-utils-1.1.0~rc1+git20111210/debian/patches/series	2015-01-10 16:20:40.0 +0100
+++ xdg-utils-1.1.0~rc1+git20111210/debian/patches/series	2015-02-20 16:28:35.0 +0100
@@ -9,3 +9,4 @@
 fix-bashism-use-of-echo.patch
 command-injection.patch
 xdg-open-safe.diff
+CVE-2015-1877.patch