Fix #429513: CVE-2008-0386 xdg-open allows to execute arbitrary commands
parent
dfe358d815
commit
301f5bf499
@ -1,5 +1 @@
|
|||||||
clog
|
|
||||||
xdg-utils-1.0rc1.tgz
|
|
||||||
xdg-utils-1.0.tgz
|
|
||||||
xdg-utils-1.0.1.tgz
|
|
||||||
xdg-utils-1.0.2.tgz
|
xdg-utils-1.0.2.tgz
|
||||||
|
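--- a/xdg-utils-1.0.2-CVE-2008-0386.patch
+++ b/xdg-utils-1.0.2-CVE-2008-0386.patch
@@ -0,0 +1,46 @@
+Fix for #429513: CVE-2008-0386 xdg-open allows to execute arbitrary commands
+
+From upstream:
+http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open.in?r1=1.17&r2=1.18
+http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?r1=1.32&r2=1.33
+http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email.in?r1=1.24&r2=1.25
+http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email?r1=1.36&r2=1.37
+
+diff -urp xdg-utils-1.0.2.orig/scripts/xdg-email xdg-utils-1.0.2/scripts/xdg-email
+--- xdg-utils-1.0.2.orig/scripts/xdg-email 2007-06-24 21:58:04.000000000 +0200
++++ xdg-utils-1.0.2/scripts/xdg-email 2008-01-25 15:17:51.000000000 +0100
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+#---------------------------------------------
+# xdg-email
+#
+@@ -435,7 +435,8 @@ open_generic()
+for browser in $BROWSER; do
+if [ x"$browser" != x"" ]; then
+
+- browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
++ IFS=' '
++ browser_with_arg=${browser//'%s'/"$1"}
+
+if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
+else $browser_with_arg;
+diff -urp xdg-utils-1.0.2.orig/scripts/xdg-open xdg-utils-1.0.2/scripts/xdg-open
+--- xdg-utils-1.0.2.orig/scripts/xdg-open 2008-01-25 15:16:43.000000000 +0100
++++ xdg-utils-1.0.2/scripts/xdg-open 2008-01-25 15:17:54.000000000 +0100
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+#---------------------------------------------
+# xdg-open
+#
+@@ -371,7 +371,8 @@ open_generic()
+for browser in $BROWSER; do
+if [ x"$browser" != x"" ]; then
+
+- browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
++ IFS=' '
++ browser_with_arg=${browser//'%s'/"$1"}
+
+if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
+else $browser_with_arg;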
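Review bot: The `else $browser_with_arg;` branch still expands the string unquoted after the URL has been substituted into it, so in both open_generic() hunks (xdg-email and xdg-open) a URL containing a space is split into several arguments, and one containing `?`, `*` or `[` is subject to pathname expansion. The URL should stay a single argument: split the `$BROWSER` entry into words first and substitute `%s` per word (the scripts now run under bash, so an array works), or at minimum add `set -f` before the expansion. `IFS=' '` is assigned inside the loop and not restored in the visible lines; if later code depends on the earlier IFS, save and restore it. open_generic() starts and ends outside both hunks, so the IFS in effect before the loop cannot be confirmed from here.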
@ -2,7 +2,7 @@
|
|||||||
Summary: Basic desktop integration functions
|
Summary: Basic desktop integration functions
|
||||||
Name: xdg-utils
|
Name: xdg-utils
|
||||||
Version: 1.0.2
|
Version: 1.0.2
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
|
|
||||||
URL: http://portland.freedesktop.org/
|
URL: http://portland.freedesktop.org/
|
||||||
Source0: http://portland.freedesktop.org/download/xdg-utils-%{version}%{?beta}.tgz
|
Source0: http://portland.freedesktop.org/download/xdg-utils-%{version}%{?beta}.tgz
|
||||||
@ -14,6 +14,7 @@ BuildArch: noarch
|
|||||||
Patch1: xdg-utils-1.0.2-mimeopen.patch
|
Patch1: xdg-utils-1.0.2-mimeopen.patch
|
||||||
Patch2: xdg-utils-1.0.1-typo.patch
|
Patch2: xdg-utils-1.0.1-typo.patch
|
||||||
Patch3: xdg-utils-1.0.1-htmlview.patch
|
Patch3: xdg-utils-1.0.1-htmlview.patch
|
||||||
|
Patch4: xdg-utils-1.0.2-CVE-2008-0386.patch
|
||||||
|
|
||||||
Requires: coreutils
|
Requires: coreutils
|
||||||
Requires: desktop-file-utils
|
Requires: desktop-file-utils
|
||||||
@ -57,6 +58,7 @@ The following scripts are provided at this time:
|
|||||||
%patch1 -p1 -b .mimeopen
|
%patch1 -p1 -b .mimeopen
|
||||||
%patch2 -p1 -b .typo
|
%patch2 -p1 -b .typo
|
||||||
%patch3 -p1 -b .htmlview
|
%patch3 -p1 -b .htmlview
|
||||||
|
%patch4 -p1 -b .CVE-2008-0386
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -83,6 +85,9 @@ rm -rf %{buildroot}
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jan 25 2008 Lubomir Kundrak <lkundrak@redhat.com> 1.0.2-4
|
||||||
|
- Fix for CVE-2008-0386 (#429513)
|
||||||
|
|
||||||
* Fri Jan 18 2008 Rex Dieter <rdieter[AT]fedoraproject.org> 1.0.2-3
|
* Fri Jan 18 2008 Rex Dieter <rdieter[AT]fedoraproject.org> 1.0.2-3
|
||||||
- fix mimeopen support (#429280)
|
- fix mimeopen support (#429280)
|
||||||
- spec cosmetics: cleanup macro usage
|
- spec cosmetics: cleanup macro usage
|
||||||
|