From: "Stefan Ghinea" <stefan.ghinea@windriver.com>
To: openembedded-devel@lists.openembedded.org
Subject: [PATCH] thunar: fix CVE-2021-32563
Date: Tue, 25 May 2021 21:24:58 +0300 [thread overview]
Message-ID: <20210525182458.20957-1-stefan.ghinea@windriver.com> (raw)
An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2.
When called with a regular file as a command-line argument, it delegates
to a different program (based on the file type) without user confirmation.
This could be used to achieve code execution.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-32563
Upstream patches:
https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b
https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
---
.../thunar/thunar/CVE-2021-32563-1.patch | 97 ++++++++
.../thunar/thunar/CVE-2021-32563-2.patch | 208 ++++++++++++++++++
.../recipes-xfce/thunar/thunar_4.16.6.bb | 4 +
3 files changed, 309 insertions(+)
create mode 100644 meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
create mode 100644 meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
diff --git a/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
new file mode 100644
index 000000000..f942f990b
--- /dev/null
+++ b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
@@ -0,0 +1,97 @@
+From 9165a61f95e43cc0b5abf9b98eee2818a0191e0b Mon Sep 17 00:00:00 2001
+From: Alexander Schwinn <alexxcons@xfce.org>
+Date: Sat, 1 May 2021 00:40:44 +0200
+Subject: [PATCH 1/2] Dont execute files, passed via command line due to
+ security risks
+
+Instead open the containing folder and select the file.
+
+Fixes #121
+
+Upstream-Status: Backport
+CVE: CVE-2021-32563
+
+Reference to upstream patch:
+[https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ thunar/thunar-application.c | 25 +++++++++++++++++++++++--
+ thunar/thunar-window.c | 4 +---
+ thunar/thunar-window.h | 2 ++
+ 3 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
+index df862fd..1243940 100644
+--- a/thunar/thunar-application.c
++++ b/thunar/thunar-application.c
+@@ -1512,8 +1512,29 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
+ }
+ else
+ {
+- /* try to open the file or directory */
+- thunar_file_launch (target_file, screen, startup_id, &error);
++ if (thunar_file_is_directory (file))
++ {
++ thunar_application_open_window (application, file, screen, startup_id, FALSE);
++ }
++ else
++ {
++ /* Note that for security reasons we do not execute files passed via command line */
++ /* Lets rather open the containing directory and select the file */
++ ThunarFile *parent = thunar_file_get_parent (file, NULL);
++
++ if (G_LIKELY (parent != NULL))
++ {
++ GList* files = NULL;
++ GtkWidget *window;
++
++ window = thunar_application_open_window (application, parent, screen, startup_id, FALSE);
++ g_object_unref (parent);
++
++ files = g_list_append (files, thunar_file_get_file (file));
++ thunar_window_select_files (THUNAR_WINDOW (window), files);
++ g_list_free (files);
++ }
++ }
+
+ /* remove the file from the list */
+ application->files_to_launch = g_list_delete_link (application->files_to_launch,
+diff --git a/thunar/thunar-window.c b/thunar/thunar-window.c
+index b330a87..b234fd3 100644
+--- a/thunar/thunar-window.c
++++ b/thunar/thunar-window.c
+@@ -243,8 +243,6 @@ static void thunar_window_update_go_menu (ThunarWindow
+ GtkWidget *menu);
+ static void thunar_window_update_help_menu (ThunarWindow *window,
+ GtkWidget *menu);
+-static void thunar_window_select_files (ThunarWindow *window,
+- GList *path_list);
+ static void thunar_window_binding_create (ThunarWindow *window,
+ gpointer src_object,
+ const gchar *src_prop,
+@@ -891,7 +889,7 @@ thunar_window_screen_changed (GtkWidget *widget,
+ *
+ * Visually selects the files, given by the list
+ **/
+-static void
++void
+ thunar_window_select_files (ThunarWindow *window,
+ GList *files_to_selected)
+ {
+diff --git a/thunar/thunar-window.h b/thunar/thunar-window.h
+index 9cbcc85..3c1aad2 100644
+--- a/thunar/thunar-window.h
++++ b/thunar/thunar-window.h
+@@ -126,6 +126,8 @@ void thunar_window_redirect_menu_tooltips_to_statusbar (Thu
+ GtkMenu *menu);
+ const XfceGtkActionEntry* thunar_window_get_action_entry (ThunarWindow *window,
+ ThunarWindowAction action);
++ void thunar_window_select_files (ThunarWindow *window,
++ GList *path_list);
+ G_END_DECLS;
+
+ #endif /* !__THUNAR_WINDOW_H__ */
+--
+2.17.1
+
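Review bot: In the new else-branch of thunar_application_process_files_finish, when `thunar_file_get_parent (file, NULL)` returns NULL the file is silently dropped from `files_to_launch` without setting `error`, opening a window or logging, so an invocation with such a path gets no feedback at all; an `else` branch with at least a `g_warning`, or a comment making the drop explicit, e.g. `/* no parent (e.g. a root location): nothing to show, the file is just dequeued below */`, would make the behaviour auditable. The removed line launched `target_file` whereas the new code inspects and selects `file`; if those two can differ (the poked result versus the requested file — not visible here), the entry selected in the new window may not be the one that was resolved, and a comment stating which is intended would help. Nothing checks the `window` returned by thunar_application_open_window before the `THUNAR_WINDOW (window)` cast, so whether thunar_window_select_files tolerates NULL is an assumption the hunk relies on. thunar_application_process_files_finish continues outside the hunk.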
diff --git a/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
new file mode 100644
index 000000000..a22cdc6d8
--- /dev/null
+++ b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
@@ -0,0 +1,208 @@
+From 3b54d9d7dbd7fd16235e2141c43a7f18718f5664 Mon Sep 17 00:00:00 2001
+From: Alexander Schwinn <alexxcons@xfce.org>
+Date: Fri, 7 May 2021 15:21:27 +0200
+Subject: [PATCH 2/2] Regression: Activating Desktop Icon does not Use Default
+ Application (Issue #575)
+
+- Introduced by 9165a61f (Dont execute files, passed via command line
+due to security risks)
+- Now via DBus files are executed, and via CLI, files are just selected
+
+Fixes #575
+
+Upstream-Status: Backport
+CVE: CVE-2021-32563
+
+Reference to upstream patch:
+[https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ thunar/thunar-application.c | 68 +++++++++++++++++++++---------------
+ thunar/thunar-application.h | 9 ++++-
+ thunar/thunar-dbus-service.c | 2 +-
+ 3 files changed, 49 insertions(+), 30 deletions(-)
+
+diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
+index 1243940..53d0b23 100644
+--- a/thunar/thunar-application.c
++++ b/thunar/thunar-application.c
+@@ -182,37 +182,38 @@ struct _ThunarApplicationClass
+
+ struct _ThunarApplication
+ {
+- GtkApplication __parent__;
++ GtkApplication __parent__;
+
+- ThunarSessionClient *session_client;
++ ThunarSessionClient *session_client;
+
+- ThunarPreferences *preferences;
+- GtkWidget *progress_dialog;
++ ThunarPreferences *preferences;
++ GtkWidget *progress_dialog;
+
+- ThunarThumbnailCache *thumbnail_cache;
+- ThunarThumbnailer *thumbnailer;
++ ThunarThumbnailCache *thumbnail_cache;
++ ThunarThumbnailer *thumbnailer;
+
+- ThunarDBusService *dbus_service;
++ ThunarDBusService *dbus_service;
+
+- gboolean daemon;
++ gboolean daemon;
+
+- guint accel_map_save_id;
+- GtkAccelMap *accel_map;
++ guint accel_map_save_id;
++ GtkAccelMap *accel_map;
+
+- guint show_dialogs_timer_id;
++ guint show_dialogs_timer_id;
+
+ #ifdef HAVE_GUDEV
+- GUdevClient *udev_client;
++ GUdevClient *udev_client;
+
+- GSList *volman_udis;
+- guint volman_idle_id;
+- guint volman_watch_id;
++ GSList *volman_udis;
++ guint volman_idle_id;
++ guint volman_watch_id;
+ #endif
+
+- GList *files_to_launch;
++ GList *files_to_launch;
++ ThunarApplicationProcessAction process_file_action;
+
+- guint dbus_owner_id_xfce;
+- guint dbus_owner_id_fdo;
++ guint dbus_owner_id_xfce;
++ guint dbus_owner_id_fdo;
+ };
+
+
+@@ -279,6 +280,7 @@ thunar_application_init (ThunarApplication *application)
+ * in the primary instance anyways */
+
+ application->files_to_launch = NULL;
++ application->process_file_action = THUNAR_APPLICATION_SELECT_FILES;
+ application->progress_dialog = NULL;
+ application->preferences = NULL;
+
+@@ -531,7 +533,7 @@ thunar_application_command_line (GApplication *gapp,
+ }
+ else if (filenames != NULL)
+ {
+- if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error))
++ if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error, THUNAR_APPLICATION_SELECT_FILES))
+ {
+ /* we failed to process the filenames or the bulk rename failed */
+ g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message);
+@@ -539,7 +541,7 @@ thunar_application_command_line (GApplication *gapp,
+ }
+ else if (!daemon)
+ {
+- if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error))
++ if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error, THUNAR_APPLICATION_SELECT_FILES))
+ {
+ /* we failed to process the filenames or the bulk rename failed */
+ g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message);
+@@ -1512,7 +1514,12 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
+ }
+ else
+ {
+- if (thunar_file_is_directory (file))
++ if (application->process_file_action == THUNAR_APPLICATION_LAUNCH_FILES)
++ {
++ /* try to launch the file / open the directory */
++ thunar_file_launch (target_file, screen, startup_id, &error);
++ }
++ else if (thunar_file_is_directory (file))
+ {
+ thunar_application_open_window (application, file, screen, startup_id, FALSE);
+ }
+@@ -1603,18 +1610,20 @@ thunar_application_process_files (ThunarApplication *application)
+ * @startup_id : startup id to finish startup notification and properly focus the
+ * window when focus stealing is enabled or %NULL.
+ * @error : return location for errors or %NULL.
++ * @action : action to invoke on the files
+ *
+ * Tells @application to process the given @filenames and launch them appropriately.
+ *
+ * Return value: %TRUE on success, %FALSE if @error is set.
+ **/
+ gboolean
+-thunar_application_process_filenames (ThunarApplication *application,
+- const gchar *working_directory,
+- gchar **filenames,
+- GdkScreen *screen,
+- const gchar *startup_id,
+- GError **error)
++thunar_application_process_filenames (ThunarApplication *application,
++ const gchar *working_directory,
++ gchar **filenames,
++ GdkScreen *screen,
++ const gchar *startup_id,
++ GError **error,
++ ThunarApplicationProcessAction action)
+ {
+ ThunarFile *file;
+ GError *derror = NULL;
+@@ -1686,7 +1695,10 @@ thunar_application_process_filenames (ThunarApplication *application,
+
+ /* start processing files if we have any to launch */
+ if (application->files_to_launch != NULL)
+- thunar_application_process_files (application);
++ {
++ application->process_file_action = action;
++ thunar_application_process_files (application);
++ }
+
+ /* free the file list */
+ g_list_free (file_list);
+diff --git a/thunar/thunar-application.h b/thunar/thunar-application.h
+index 547cb70..8c180e8 100644
+--- a/thunar/thunar-application.h
++++ b/thunar/thunar-application.h
+@@ -31,6 +31,12 @@ G_BEGIN_DECLS;
+ typedef struct _ThunarApplicationClass ThunarApplicationClass;
+ typedef struct _ThunarApplication ThunarApplication;
+
++typedef enum
++{
++ THUNAR_APPLICATION_LAUNCH_FILES,
++ THUNAR_APPLICATION_SELECT_FILES
++} ThunarApplicationProcessAction;
++
+ #define THUNAR_TYPE_APPLICATION (thunar_application_get_type ())
+ #define THUNAR_APPLICATION(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), THUNAR_TYPE_APPLICATION, ThunarApplication))
+ #define THUNAR_APPLICATION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), THUNAR_TYPE_APPLICATION, ThunarApplicationClass))
+@@ -74,7 +80,8 @@ gboolean thunar_application_process_filenames (ThunarAppli
+ gchar **filenames,
+ GdkScreen *screen,
+ const gchar *startup_id,
+- GError **error);
++ GError **error,
++ ThunarApplicationProcessAction action);
+
+ void thunar_application_rename_file (ThunarApplication *application,
+ ThunarFile *file,
+diff --git a/thunar/thunar-dbus-service.c b/thunar/thunar-dbus-service.c
+index 2d27642..4205a2b 100644
+--- a/thunar/thunar-dbus-service.c
++++ b/thunar/thunar-dbus-service.c
+@@ -991,7 +991,7 @@ thunar_dbus_service_launch_files (ThunarDBusFileManager *object,
+ {
+ /* let the application process the filenames */
+ application = thunar_application_get ();
+- thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error);
++ thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error, THUNAR_APPLICATION_LAUNCH_FILES);
+ g_object_unref (G_OBJECT (application));
+
+ /* release the screen */
+--
+2.17.1
+
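Review bot: `process_file_action` is a single field on the ThunarApplication object, written in thunar_application_process_filenames right before thunar_application_process_files and read per file in the asynchronous _finish callback, so if a D-Bus LaunchFiles request and a command-line invocation overlap while `files_to_launch` is still being drained, the later write decides how the earlier batch's remaining files are handled — a command-line file could then be launched rather than selected, which is exactly what the first patch set out to prevent. How `files_to_launch` is appended is outside the hunk, so this is inferred; the safer shape is to carry the action with each queued entry, or to refuse to change it while the queue is non-empty. The new doc line `* @action : action to invoke on the files` should state what each value does, e.g. `* @action : %THUNAR_APPLICATION_LAUNCH_FILES to execute/open the files (used by the D-Bus service) or %THUNAR_APPLICATION_SELECT_FILES to only show them in their parent folder (used for command-line arguments).` The struct-member re-indentation at the top of the hunk is whitespace-only and inflates a CVE backport; dropping it would make the security-relevant change easier to review.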
diff --git a/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb b/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
index 128043d19..7bef08ed9 100644
--- a/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
+++ b/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
@@ -8,6 +8,10 @@ inherit xfce gobject-introspection features_check mime-xdg
REQUIRED_DISTRO_FEATURES = "x11"
+SRC_URI += "file://CVE-2021-32563-1.patch \
+ file://CVE-2021-32563-2.patch \
+ "
+
SRC_URI[sha256sum] = "cb531d3fe67196a43ca04979ef271ece7858bbc80c15b0ee4323c1252a1a02b7"
PACKAGECONFIG ??= ""
--
2.17.1