rpms/xdg-utils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

refresh for latest attepmt to fix upstream BR66670

Browse Source
This commit is contained in:
Rex Dieter 2015-01-06 17:45:57 -06:00
parent 67498050c1
commit a5895a4cdc
4 changed files with 75 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
0002-nuke-some-extra-quoting.patch Normal file
View File

@ -0,0 +1,26 @@
From c93e804e27d8013a455ccaf523758bd86bad0498 Mon Sep 17 00:00:00 2001
From: Rex Dieter <rdieter@math.unl.edu>
Date: Tue, 6 Jan 2015 17:37:24 -0600
Subject: [PATCH 2/3] nuke some extra quoting
easy(?) fix while working on BR66670
---
scripts/xdg-open.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in
index 0145be3..c12dcdd 100644
--- a/scripts/xdg-open.in
+++ b/scripts/xdg-open.in
@@ -186,7 +186,7 @@ search_desktop_file()
# FIXME: Actually LC_MESSAGES should be used as described in
# http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s04.html
localised_name="'$(get_key "${file}" "Name")'"
- arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*"'"$arg_one"'"*g' \
+ arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*'"$arg_one"'*g' \
-e 's*%i*'"$icon"'*g' \
-e 's*%c*'"$localised_name"'*g')"
--
2.1.0

51
0002-xdg-open-command-injection-vulnerability-BR66670.patch
View File

@ -1,51 +0,0 @@
From 11a4bd44692f74a8b8b4615e44dc897c929ef1e5 Mon Sep 17 00:00:00 2001
From: Rex Dieter <rdieter@math.unl.edu>
Date: Mon, 5 Jan 2015 13:09:05 -0600
Subject: [PATCH 2/2] xdg-open: command injection vulnerability (BR66670)
---
ChangeLog | 3 +++
scripts/xdg-open.in | 6 +++---
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 735fee7..e309517 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
=== xdg-utils 1.1.x ===
+2015-01-05 Rex Dieter <rdieter@fedoraproject.org>
+ * xdg-open: command injection vulnerability (BR66670)
+
2015-01-04 Rex Dieter <rdieter@fedoraproject.org>
* xdg-screensaver should control X11's screensaver in xfce as fallback (BR80089)
diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in
index 0145be3..9f01747 100644
--- a/scripts/xdg-open.in
+++ b/scripts/xdg-open.in
@@ -186,17 +186,17 @@ search_desktop_file()
# FIXME: Actually LC_MESSAGES should be used as described in
# http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s04.html
localised_name="'$(get_key "${file}" "Name")'"
- arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*"'"$arg_one"'"*g' \
+ arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*'"$arg_one"'*g' \
-e 's*%i*'"$icon"'*g' \
-e 's*%c*'"$localised_name"'*g')"
if [ -x "$command_exec" ] ; then
if echo "$arguments" | grep -iq '%[fFuU]' ; then
echo START "$command_exec" "$arguments_exec"
- eval "$command_exec" "$arguments_exec"
+ eval "$command_exec" '$arguments_exec'
else
echo START "$command_exec" "$arguments_exec" "$arg"
- eval "$command_exec" "$arguments_exec" "$arg"
+ eval "$command_exec" '$arguments_exec' '$arg'
fi
if [ $? -eq 0 ]; then
--
1.9.3

43
0003-xdg-open-command-injection-vulnerability-BR66670.patch Normal file
View File

@ -0,0 +1,43 @@
From 4bd30419c5f404f2a108c5a6bbda0e40551ffd24 Mon Sep 17 00:00:00 2001
From: Rex Dieter <rdieter@math.unl.edu>
Date: Tue, 6 Jan 2015 17:39:05 -0600
Subject: [PATCH 3/3] xdg-open: command injection vulnerability (BR66670)
---
ChangeLog | 3 +++
scripts/xdg-open.in | 4 ++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 735fee7..65df80c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
=== xdg-utils 1.1.x ===
+2015-01-06 Rex Dieter <rdieter@fedoraproject.org>
+ * xdg-open: command injection vulnerability (BR66670)
+
2015-01-04 Rex Dieter <rdieter@fedoraproject.org>
* xdg-screensaver should control X11's screensaver in xfce as fallback (BR80089)
diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in
index c12dcdd..b6045f8 100644
--- a/scripts/xdg-open.in
+++ b/scripts/xdg-open.in
@@ -193,10 +193,10 @@ search_desktop_file()
if [ -x "$command_exec" ] ; then
if echo "$arguments" | grep -iq '%[fFuU]' ; then
echo START "$command_exec" "$arguments_exec"
- eval "$command_exec" "$arguments_exec"
+ eval "'$command_exec'" "'$arguments_exec'"
else
echo START "$command_exec" "$arguments_exec" "$arg"
- eval "$command_exec" "$arguments_exec" "$arg"
+ eval "'$command_exec'" "'$arguments_exec'" "'$arg'"
fi
if [ $? -eq 0 ]; then
--
2.1.0

8
xdg-utils.spec
View File

@ -4,7 +4,7 @@
Summary: Basic desktop integration functions
Name: xdg-utils
Version: 1.1.0
Release: 0.33.%{pre}%{?dist}
Release: 0.34.%{pre}%{?dist}
URL: http://portland.freedesktop.org/
%if 0%{?pre:1}
@ -17,7 +17,8 @@ License: MIT
## upstream patches
Patch1: 0001-xdg-screensaver-should-control-X11-s-screensaver-in-.patch
Patch2: 0002-xdg-open-command-injection-vulnerability-BR66670.patch
Patch2: 0002-nuke-some-extra-quoting.patch
Patch3: 0003-xdg-open-command-injection-vulnerability-BR66670.patch
# make sure BuildArch comes *after* patches, to ensure %%autosetup works right
# http://bugzilla.redhat.com/1084309
@ -92,6 +93,9 @@ make install DESTDIR=%{buildroot}
%changelog
* Tue Jan 06 2015 Rex Dieter <rdieter@fedoraproject.org> 1.1.0-0.34.rc3
- refresh for latest attepmt to fix upstream BR66670
* Mon Jan 05 2015 Rex Dieter <rdieter@fedoraproject.org> 1.1.0-0.33.rc3
- pull in latest commits