rpms/xdg-utils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

pull in latest commits, notably more fdo screensaver fixes

Browse Source
This commit is contained in:
Rex Dieter 2015-01-19 05:29:05 -06:00
parent a5895a4cdc
commit 76fc848410
7 changed files with 169 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
0001-xdg-screensaver-should-control-X11-s-screensaver-in-.patch
View File

@ -1,7 +1,7 @@
From 0f06aadc8696f3e9234687bbc93b50a3f724b822 Mon Sep 17 00:00:00 2001 From 0f06aadc8696f3e9234687bbc93b50a3f724b822 Mon Sep 17 00:00:00 2001
From: Rex Dieter <rdieter@math.unl.edu> From: Rex Dieter <rdieter@math.unl.edu>
Date: Sun, 4 Jan 2015 16:21:09 -0600 Date: Sun, 4 Jan 2015 16:21:09 -0600
Subject: [PATCH 1/2] xdg-screensaver should control X11's screensaver in xfce Subject: [PATCH 1/5] xdg-screensaver should control X11's screensaver in xfce
as fallback (BR80089) as fallback (BR80089)
--- ---
@ -38,5 +38,5 @@ index 047d555..d9cb4d2 100644
[ -n "$DISPLAY" ] && screensaver_xserver "$1" [ -n "$DISPLAY" ] && screensaver_xserver "$1"
;; ;;
-- --
1.9.3 2.1.0

26
0002-nuke-some-extra-quoting.patch
View File

@ -1,26 +0,0 @@
From c93e804e27d8013a455ccaf523758bd86bad0498 Mon Sep 17 00:00:00 2001
From: Rex Dieter <rdieter@math.unl.edu>
Date: Tue, 6 Jan 2015 17:37:24 -0600
Subject: [PATCH 2/3] nuke some extra quoting
easy(?) fix while working on BR66670
---
scripts/xdg-open.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in
index 0145be3..c12dcdd 100644
--- a/scripts/xdg-open.in
+++ b/scripts/xdg-open.in
@@ -186,7 +186,7 @@ search_desktop_file()
# FIXME: Actually LC_MESSAGES should be used as described in
# http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s04.html
localised_name="'$(get_key "${file}" "Name")'"
- arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*"'"$arg_one"'"*g' \
+ arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*'"$arg_one"'*g' \
-e 's*%i*'"$icon"'*g' \
-e 's*%c*'"$localised_name"'*g')"
--
2.1.0

51
0002-xdg-open-command-injection-vulnerability-BR66670.patch Normal file
View File

@ -0,0 +1,51 @@
From 11a4bd44692f74a8b8b4615e44dc897c929ef1e5 Mon Sep 17 00:00:00 2001
From: Rex Dieter <rdieter@math.unl.edu>
Date: Mon, 5 Jan 2015 13:09:05 -0600
Subject: [PATCH 2/5] xdg-open: command injection vulnerability (BR66670)
---
ChangeLog | 3 +++
scripts/xdg-open.in | 6 +++---
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 735fee7..e309517 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
=== xdg-utils 1.1.x ===
+2015-01-05 Rex Dieter <rdieter@fedoraproject.org>
+ * xdg-open: command injection vulnerability (BR66670)
+
2015-01-04 Rex Dieter <rdieter@fedoraproject.org>
* xdg-screensaver should control X11's screensaver in xfce as fallback (BR80089)
diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in
index 0145be3..9f01747 100644
--- a/scripts/xdg-open.in
+++ b/scripts/xdg-open.in
@@ -186,17 +186,17 @@ search_desktop_file()
# FIXME: Actually LC_MESSAGES should be used as described in
# http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s04.html
localised_name="'$(get_key "${file}" "Name")'"
- arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*"'"$arg_one"'"*g' \
+ arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*'"$arg_one"'*g' \
-e 's*%i*'"$icon"'*g' \
-e 's*%c*'"$localised_name"'*g')"
if [ -x "$command_exec" ] ; then
if echo "$arguments" | grep -iq '%[fFuU]' ; then
echo START "$command_exec" "$arguments_exec"
- eval "$command_exec" "$arguments_exec"
+ eval "$command_exec" '$arguments_exec'
else
echo START "$command_exec" "$arguments_exec" "$arg"
- eval "$command_exec" "$arguments_exec" "$arg"
+ eval "$command_exec" '$arguments_exec' '$arg'
fi
if [ $? -eq 0 ]; then
--
2.1.0

47
0003-xdg-mime-dereference-symlinks-when-using-mimetype-or.patch Normal file
View File

@ -0,0 +1,47 @@
From ffa6e473fc95d1980b230195fecdafcd7193dca7 Mon Sep 17 00:00:00 2001
From: Rex Dieter <rdieter@math.unl.edu>
Date: Thu, 15 Jan 2015 09:16:38 -0600
Subject: [PATCH 3/5] xdg-mime: dereference symlinks when using mimetype or
file (BR39923)
---
ChangeLog | 3 +++
scripts/xdg-mime.in | 8 ++++----
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index e309517..3c7b095 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
=== xdg-utils 1.1.x ===
+2015-01-15 Reuben Thomas <rrt@sc3d.org>
+ * xdg-mime: dereference symlinks when using mimetype or file (BR39923)
+
2015-01-05 Rex Dieter <rdieter@fedoraproject.org>
* xdg-open: command injection vulnerability (BR66670)
diff --git a/scripts/xdg-mime.in b/scripts/xdg-mime.in
index 0290d77..80781c8 100644
--- a/scripts/xdg-mime.in
+++ b/scripts/xdg-mime.in
@@ -98,11 +98,11 @@ info_gnome()
info_generic()
{
if mimetype --version >/dev/null 2>&1; then
- DEBUG 1 "Running mimetype -b \"$1\""
- mimetype -b "$1"
+ DEBUG 1 "Running mimetype --brief --dereference \"$1\""
+ mimetype --brief --dereference "$1"
else
- DEBUG 1 "Running file --mime-type \"$1\""
- /usr/bin/file -b --mime-type "$1" 2> /dev/null
+ DEBUG 1 "Running file --brief --dereference --mime-type \"$1\""
+ /usr/bin/file --brief --dereference --mime-type "$1" 2> /dev/null
fi
if [ $? -eq 0 ]; then
--
2.1.0

48
0004-xdg-screensaver-Change-screensaver_freedesktop-s-int.patch Normal file
View File

@ -0,0 +1,48 @@
From 8e9fa9bcc85fd31d4548870aad27c0593f64c433 Mon Sep 17 00:00:00 2001
From: Rex Dieter <rdieter@math.unl.edu>
Date: Thu, 15 Jan 2015 10:09:43 -0600
Subject: [PATCH 4/5] xdg-screensaver: Change screensaver_freedesktop's
interpretation of GetActive (BR29859)
---
ChangeLog | 1 +
scripts/xdg-screensaver.in | 8 ++++----
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3c7b095..fa90e70 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@
2015-01-15 Reuben Thomas <rrt@sc3d.org>
* xdg-mime: dereference symlinks when using mimetype or file (BR39923)
+ * xdg-screensaver: Change screensaver_freedesktop's interpretation of GetActive (BR29859)
2015-01-05 Rex Dieter <rdieter@fedoraproject.org>
* xdg-open: command injection vulnerability (BR66670)
diff --git a/scripts/xdg-screensaver.in b/scripts/xdg-screensaver.in
index d9cb4d2..579b80e 100644
--- a/scripts/xdg-screensaver.in
+++ b/scripts/xdg-screensaver.in
@@ -300,13 +300,13 @@ screensaver_freedesktop()
org.freedesktop.ScreenSaver.GetActive \
| grep boolean | cut -d ' ' -f 5`
result=$?
- if [ x"$status" = "xtrue" ]; then
+ if [ x"$status" = "xtrue" -o x"$status" = "xfalse" ]; then
echo "enabled"
- elif [ x"$status" = "xfalse" ]; then
- echo "disabled"
- else
+ elif [ x"$result" != "x0" ]; then
echo "ERROR: dbus org.freedesktop.ScreenSaver.GetActive returned '$status'" >&2
return 1
+ else
+ echo "disabled"
fi
;;
--
2.1.0

25
0003-xdg-open-command-injection-vulnerability-BR66670.patch → 0005-xdg-open-better-fix-for-command-injection-vulnerabil.patch
View File

@ -1,7 +1,8 @@
From 4bd30419c5f404f2a108c5a6bbda0e40551ffd24 Mon Sep 17 00:00:00 2001 From ab071beaabb62ceda3028dd5efa85e8057c29006 Mon Sep 17 00:00:00 2001
From: Rex Dieter <rdieter@math.unl.edu> From: Rex Dieter <rdieter@math.unl.edu>
Date: Tue, 6 Jan 2015 17:39:05 -0600 Date: Mon, 19 Jan 2015 05:18:57 -0600
Subject: [PATCH 3/3] xdg-open: command injection vulnerability (BR66670) Subject: [PATCH 5/5] xdg-open: better fix for command injection vulnerability
(BR66670)
--- ---
ChangeLog | 3 +++ ChangeLog | 3 +++
@ -9,31 +10,31 @@ Subject: [PATCH 3/3] xdg-open: command injection vulnerability (BR66670)
2 files changed, 5 insertions(+), 2 deletions(-) 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog diff --git a/ChangeLog b/ChangeLog
index 735fee7..65df80c 100644 index fa90e70..627df21 100644
--- a/ChangeLog --- a/ChangeLog
+++ b/ChangeLog +++ b/ChangeLog
@@ -1,5 +1,8 @@ @@ -1,5 +1,8 @@
=== xdg-utils 1.1.x === === xdg-utils 1.1.x ===
+2015-01-06 Rex Dieter <rdieter@fedoraproject.org> +2015-01-19 Rex Dieter <rdieter@fedoraproject.org>
+ * xdg-open: command injection vulnerability (BR66670) + * xdg-open: better fix for command injection vulnerability (BR66670)
+ +
2015-01-04 Rex Dieter <rdieter@fedoraproject.org> 2015-01-15 Reuben Thomas <rrt@sc3d.org>
* xdg-screensaver should control X11's screensaver in xfce as fallback (BR80089) * xdg-mime: dereference symlinks when using mimetype or file (BR39923)
* xdg-screensaver: Change screensaver_freedesktop's interpretation of GetActive (BR29859)
diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in
index c12dcdd..b6045f8 100644 index 9f01747..b6045f8 100644
--- a/scripts/xdg-open.in --- a/scripts/xdg-open.in
+++ b/scripts/xdg-open.in +++ b/scripts/xdg-open.in
@@ -193,10 +193,10 @@ search_desktop_file() @@ -193,10 +193,10 @@ search_desktop_file()
if [ -x "$command_exec" ] ; then if [ -x "$command_exec" ] ; then
if echo "$arguments" | grep -iq '%[fFuU]' ; then if echo "$arguments" | grep -iq '%[fFuU]' ; then
echo START "$command_exec" "$arguments_exec" echo START "$command_exec" "$arguments_exec"
- eval "$command_exec" "$arguments_exec" - eval "$command_exec" '$arguments_exec'
+ eval "'$command_exec'" "'$arguments_exec'" + eval "'$command_exec'" "'$arguments_exec'"
else else
echo START "$command_exec" "$arguments_exec" "$arg" echo START "$command_exec" "$arguments_exec" "$arg"
- eval "$command_exec" "$arguments_exec" "$arg" - eval "$command_exec" '$arguments_exec' '$arg'
+ eval "'$command_exec'" "'$arguments_exec'" "'$arg'" + eval "'$command_exec'" "'$arguments_exec'" "'$arg'"
fi fi

11
xdg-utils.spec
View File

@ -4,7 +4,7 @@
Summary: Basic desktop integration functions Summary: Basic desktop integration functions
Name: xdg-utils Name: xdg-utils
Version: 1.1.0 Version: 1.1.0
Release: 0.34.%{pre}%{?dist} Release: 0.35.%{pre}%{?dist}
URL: http://portland.freedesktop.org/ URL: http://portland.freedesktop.org/
%if 0%{?pre:1} %if 0%{?pre:1}
@ -17,8 +17,10 @@ License: MIT
## upstream patches ## upstream patches
Patch1: 0001-xdg-screensaver-should-control-X11-s-screensaver-in-.patch Patch1: 0001-xdg-screensaver-should-control-X11-s-screensaver-in-.patch
Patch2: 0002-nuke-some-extra-quoting.patch Patch2: 0002-xdg-open-command-injection-vulnerability-BR66670.patch
Patch3: 0003-xdg-open-command-injection-vulnerability-BR66670.patch Patch3: 0003-xdg-mime-dereference-symlinks-when-using-mimetype-or.patch
Patch4: 0004-xdg-screensaver-Change-screensaver_freedesktop-s-int.patch
Patch5: 0005-xdg-open-better-fix-for-command-injection-vulnerabil.patch
# make sure BuildArch comes *after* patches, to ensure %%autosetup works right # make sure BuildArch comes *after* patches, to ensure %%autosetup works right
# http://bugzilla.redhat.com/1084309 # http://bugzilla.redhat.com/1084309
@ -93,6 +95,9 @@ make install DESTDIR=%{buildroot}
%changelog %changelog
* Mon Jan 19 2015 Rex Dieter <rdieter@fedoraproject.org> 1.1.0-0.35.rc3
- pull in latest commits, notably more fdo screensaver fixes
* Tue Jan 06 2015 Rex Dieter <rdieter@fedoraproject.org> 1.1.0-0.34.rc3 * Tue Jan 06 2015 Rex Dieter <rdieter@fedoraproject.org> 1.1.0-0.34.rc3
- refresh for latest attepmt to fix upstream BR66670 - refresh for latest attepmt to fix upstream BR66670