From a5895a4cdcde7bba4737243dcdcc91ff5a166f97 Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Tue, 6 Jan 2015 17:45:57 -0600 Subject: [PATCH] refresh for latest attepmt to fix upstream BR66670 --- 0002-nuke-some-extra-quoting.patch | 26 ++++++++++ ...mand-injection-vulnerability-BR66670.patch | 51 ------------------- ...mand-injection-vulnerability-BR66670.patch | 43 ++++++++++++++++ xdg-utils.spec | 8 ++- 4 files changed, 75 insertions(+), 53 deletions(-) create mode 100644 0002-nuke-some-extra-quoting.patch delete mode 100644 0002-xdg-open-command-injection-vulnerability-BR66670.patch create mode 100644 0003-xdg-open-command-injection-vulnerability-BR66670.patch diff --git a/0002-nuke-some-extra-quoting.patch b/0002-nuke-some-extra-quoting.patch new file mode 100644 index 0000000..8970e02 --- /dev/null +++ b/0002-nuke-some-extra-quoting.patch @@ -0,0 +1,26 @@ +From c93e804e27d8013a455ccaf523758bd86bad0498 Mon Sep 17 00:00:00 2001 +From: Rex Dieter +Date: Tue, 6 Jan 2015 17:37:24 -0600 +Subject: [PATCH 2/3] nuke some extra quoting + +easy(?) fix while working on BR66670 +--- + scripts/xdg-open.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in +index 0145be3..c12dcdd 100644 +--- a/scripts/xdg-open.in ++++ b/scripts/xdg-open.in +@@ -186,7 +186,7 @@ search_desktop_file() + # FIXME: Actually LC_MESSAGES should be used as described in + # http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s04.html + localised_name="'$(get_key "${file}" "Name")'" +- arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*"'"$arg_one"'"*g' \ ++ arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*'"$arg_one"'*g' \ + -e 's*%i*'"$icon"'*g' \ + -e 's*%c*'"$localised_name"'*g')" + +-- +2.1.0 + diff --git a/0002-xdg-open-command-injection-vulnerability-BR66670.patch b/0002-xdg-open-command-injection-vulnerability-BR66670.patch deleted file mode 100644 index ed43cd4..0000000 --- a/0002-xdg-open-command-injection-vulnerability-BR66670.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 11a4bd44692f74a8b8b4615e44dc897c929ef1e5 Mon Sep 17 00:00:00 2001 -From: Rex Dieter -Date: Mon, 5 Jan 2015 13:09:05 -0600 -Subject: [PATCH 2/2] xdg-open: command injection vulnerability (BR66670) - ---- - ChangeLog | 3 +++ - scripts/xdg-open.in | 6 +++--- - 2 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 735fee7..e309517 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,5 +1,8 @@ - === xdg-utils 1.1.x === - -+2015-01-05 Rex Dieter -+ * xdg-open: command injection vulnerability (BR66670) -+ - 2015-01-04 Rex Dieter - * xdg-screensaver should control X11's screensaver in xfce as fallback (BR80089) - -diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in -index 0145be3..9f01747 100644 ---- a/scripts/xdg-open.in -+++ b/scripts/xdg-open.in -@@ -186,17 +186,17 @@ search_desktop_file() - # FIXME: Actually LC_MESSAGES should be used as described in - # http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s04.html - localised_name="'$(get_key "${file}" "Name")'" -- arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*"'"$arg_one"'"*g' \ -+ arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*'"$arg_one"'*g' \ - -e 's*%i*'"$icon"'*g' \ - -e 's*%c*'"$localised_name"'*g')" - - if [ -x "$command_exec" ] ; then - if echo "$arguments" | grep -iq '%[fFuU]' ; then - echo START "$command_exec" "$arguments_exec" -- eval "$command_exec" "$arguments_exec" -+ eval "$command_exec" '$arguments_exec' - else - echo START "$command_exec" "$arguments_exec" "$arg" -- eval "$command_exec" "$arguments_exec" "$arg" -+ eval "$command_exec" '$arguments_exec' '$arg' - fi - - if [ $? -eq 0 ]; then --- -1.9.3 - diff --git a/0003-xdg-open-command-injection-vulnerability-BR66670.patch b/0003-xdg-open-command-injection-vulnerability-BR66670.patch new file mode 100644 index 0000000..a7f18b5 --- /dev/null +++ b/0003-xdg-open-command-injection-vulnerability-BR66670.patch @@ -0,0 +1,43 @@ +From 4bd30419c5f404f2a108c5a6bbda0e40551ffd24 Mon Sep 17 00:00:00 2001 +From: Rex Dieter +Date: Tue, 6 Jan 2015 17:39:05 -0600 +Subject: [PATCH 3/3] xdg-open: command injection vulnerability (BR66670) + +--- + ChangeLog | 3 +++ + scripts/xdg-open.in | 4 ++-- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 735fee7..65df80c 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,5 +1,8 @@ + === xdg-utils 1.1.x === + ++2015-01-06 Rex Dieter ++ * xdg-open: command injection vulnerability (BR66670) ++ + 2015-01-04 Rex Dieter + * xdg-screensaver should control X11's screensaver in xfce as fallback (BR80089) + +diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in +index c12dcdd..b6045f8 100644 +--- a/scripts/xdg-open.in ++++ b/scripts/xdg-open.in +@@ -193,10 +193,10 @@ search_desktop_file() + if [ -x "$command_exec" ] ; then + if echo "$arguments" | grep -iq '%[fFuU]' ; then + echo START "$command_exec" "$arguments_exec" +- eval "$command_exec" "$arguments_exec" ++ eval "'$command_exec'" "'$arguments_exec'" + else + echo START "$command_exec" "$arguments_exec" "$arg" +- eval "$command_exec" "$arguments_exec" "$arg" ++ eval "'$command_exec'" "'$arguments_exec'" "'$arg'" + fi + + if [ $? -eq 0 ]; then +-- +2.1.0 + diff --git a/xdg-utils.spec b/xdg-utils.spec index e58d5c2..3d3f627 100644 --- a/xdg-utils.spec +++ b/xdg-utils.spec @@ -4,7 +4,7 @@ Summary: Basic desktop integration functions Name: xdg-utils Version: 1.1.0 -Release: 0.33.%{pre}%{?dist} +Release: 0.34.%{pre}%{?dist} URL: http://portland.freedesktop.org/ %if 0%{?pre:1} @@ -17,7 +17,8 @@ License: MIT ## upstream patches Patch1: 0001-xdg-screensaver-should-control-X11-s-screensaver-in-.patch -Patch2: 0002-xdg-open-command-injection-vulnerability-BR66670.patch +Patch2: 0002-nuke-some-extra-quoting.patch +Patch3: 0003-xdg-open-command-injection-vulnerability-BR66670.patch # make sure BuildArch comes *after* patches, to ensure %%autosetup works right # http://bugzilla.redhat.com/1084309 @@ -92,6 +93,9 @@ make install DESTDIR=%{buildroot} %changelog +* Tue Jan 06 2015 Rex Dieter 1.1.0-0.34.rc3 +- refresh for latest attepmt to fix upstream BR66670 + * Mon Jan 05 2015 Rex Dieter 1.1.0-0.33.rc3 - pull in latest commits