* [PATCH] thunar: fix CVE-2021-32563
@ 2021-05-25 18:24 Stefan Ghinea
0 siblings, 0 replies; only message in thread
From: Stefan Ghinea @ 2021-05-25 18:24 UTC (permalink / raw)
To: openembedded-devel
An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2.
When called with a regular file as a command-line argument, it delegates
to a different program (based on the file type) without user confirmation.
This could be used to achieve code execution.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-32563
Upstream patches:
https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b
https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
---
.../thunar/thunar/CVE-2021-32563-1.patch | 97 ++++++++
.../thunar/thunar/CVE-2021-32563-2.patch | 208 ++++++++++++++++++
.../recipes-xfce/thunar/thunar_4.16.6.bb | 4 +
3 files changed, 309 insertions(+)
create mode 100644 meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
create mode 100644 meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
diff --git a/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
new file mode 100644
index 000000000..f942f990b
--- /dev/null
+++ b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
@@ -0,0 +1,97 @@
+From 9165a61f95e43cc0b5abf9b98eee2818a0191e0b Mon Sep 17 00:00:00 2001
+From: Alexander Schwinn <alexxcons@xfce.org>
+Date: Sat, 1 May 2021 00:40:44 +0200
+Subject: [PATCH 1/2] Dont execute files, passed via command line due to
+ security risks
+
+Instead open the containing folder and select the file.
+
+Fixes #121
+
+Upstream-Status: Backport
+CVE: CVE-2021-32563
+
+Reference to upstream patch:
+[https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ thunar/thunar-application.c | 25 +++++++++++++++++++++++--
+ thunar/thunar-window.c | 4 +---
+ thunar/thunar-window.h | 2 ++
+ 3 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
+index df862fd..1243940 100644
+--- a/thunar/thunar-application.c
++++ b/thunar/thunar-application.c
+@@ -1512,8 +1512,29 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
+ }
+ else
+ {
+- /* try to open the file or directory */
+- thunar_file_launch (target_file, screen, startup_id, &error);
++ if (thunar_file_is_directory (file))
++ {
++ thunar_application_open_window (application, file, screen, startup_id, FALSE);
++ }
++ else
++ {
++ /* Note that for security reasons we do not execute files passed via command line */
++ /* Lets rather open the containing directory and select the file */
++ ThunarFile *parent = thunar_file_get_parent (file, NULL);
++
++ if (G_LIKELY (parent != NULL))
++ {
++ GList* files = NULL;
++ GtkWidget *window;
++
++ window = thunar_application_open_window (application, parent, screen, startup_id, FALSE);
++ g_object_unref (parent);
++
++ files = g_list_append (files, thunar_file_get_file (file));
++ thunar_window_select_files (THUNAR_WINDOW (window), files);
++ g_list_free (files);
++ }
++ }
+
+ /* remove the file from the list */
+ application->files_to_launch = g_list_delete_link (application->files_to_launch,
+diff --git a/thunar/thunar-window.c b/thunar/thunar-window.c
+index b330a87..b234fd3 100644
+--- a/thunar/thunar-window.c
++++ b/thunar/thunar-window.c
+@@ -243,8 +243,6 @@ static void thunar_window_update_go_menu (ThunarWindow
+ GtkWidget *menu);
+ static void thunar_window_update_help_menu (ThunarWindow *window,
+ GtkWidget *menu);
+-static void thunar_window_select_files (ThunarWindow *window,
+- GList *path_list);
+ static void thunar_window_binding_create (ThunarWindow *window,
+ gpointer src_object,
+ const gchar *src_prop,
+@@ -891,7 +889,7 @@ thunar_window_screen_changed (GtkWidget *widget,
+ *
+ * Visually selects the files, given by the list
+ **/
+-static void
++void
+ thunar_window_select_files (ThunarWindow *window,
+ GList *files_to_selected)
+ {
+diff --git a/thunar/thunar-window.h b/thunar/thunar-window.h
+index 9cbcc85..3c1aad2 100644
+--- a/thunar/thunar-window.h
++++ b/thunar/thunar-window.h
+@@ -126,6 +126,8 @@ void thunar_window_redirect_menu_tooltips_to_statusbar (Thu
+ GtkMenu *menu);
+ const XfceGtkActionEntry* thunar_window_get_action_entry (ThunarWindow *window,
+ ThunarWindowAction action);
++ void thunar_window_select_files (ThunarWindow *window,
++ GList *path_list);
+ G_END_DECLS;
+
+ #endif /* !__THUNAR_WINDOW_H__ */
+--
+2.17.1
+
diff --git a/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
new file mode 100644
index 000000000..a22cdc6d8
--- /dev/null
+++ b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
@@ -0,0 +1,208 @@
+From 3b54d9d7dbd7fd16235e2141c43a7f18718f5664 Mon Sep 17 00:00:00 2001
+From: Alexander Schwinn <alexxcons@xfce.org>
+Date: Fri, 7 May 2021 15:21:27 +0200
+Subject: [PATCH 2/2] Regression: Activating Desktop Icon does not Use Default
+ Application (Issue #575)
+
+- Introduced by 9165a61f (Dont execute files, passed via command line
+due to security risks)
+- Now via DBus files are executed, and via CLI, files are just selected
+
+Fixes #575
+
+Upstream-Status: Backport
+CVE: CVE-2021-32563
+
+Reference to upstream patch:
+[https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ thunar/thunar-application.c | 68 +++++++++++++++++++++---------------
+ thunar/thunar-application.h | 9 ++++-
+ thunar/thunar-dbus-service.c | 2 +-
+ 3 files changed, 49 insertions(+), 30 deletions(-)
+
+diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
+index 1243940..53d0b23 100644
+--- a/thunar/thunar-application.c
++++ b/thunar/thunar-application.c
+@@ -182,37 +182,38 @@ struct _ThunarApplicationClass
+
+ struct _ThunarApplication
+ {
+- GtkApplication __parent__;
++ GtkApplication __parent__;
+
+- ThunarSessionClient *session_client;
++ ThunarSessionClient *session_client;
+
+- ThunarPreferences *preferences;
+- GtkWidget *progress_dialog;
++ ThunarPreferences *preferences;
++ GtkWidget *progress_dialog;
+
+- ThunarThumbnailCache *thumbnail_cache;
+- ThunarThumbnailer *thumbnailer;
++ ThunarThumbnailCache *thumbnail_cache;
++ ThunarThumbnailer *thumbnailer;
+
+- ThunarDBusService *dbus_service;
++ ThunarDBusService *dbus_service;
+
+- gboolean daemon;
++ gboolean daemon;
+
+- guint accel_map_save_id;
+- GtkAccelMap *accel_map;
++ guint accel_map_save_id;
++ GtkAccelMap *accel_map;
+
+- guint show_dialogs_timer_id;
++ guint show_dialogs_timer_id;
+
+ #ifdef HAVE_GUDEV
+- GUdevClient *udev_client;
++ GUdevClient *udev_client;
+
+- GSList *volman_udis;
+- guint volman_idle_id;
+- guint volman_watch_id;
++ GSList *volman_udis;
++ guint volman_idle_id;
++ guint volman_watch_id;
+ #endif
+
+- GList *files_to_launch;
++ GList *files_to_launch;
++ ThunarApplicationProcessAction process_file_action;
+
+- guint dbus_owner_id_xfce;
+- guint dbus_owner_id_fdo;
++ guint dbus_owner_id_xfce;
++ guint dbus_owner_id_fdo;
+ };
+
+
+@@ -279,6 +280,7 @@ thunar_application_init (ThunarApplication *application)
+ * in the primary instance anyways */
+
+ application->files_to_launch = NULL;
++ application->process_file_action = THUNAR_APPLICATION_SELECT_FILES;
+ application->progress_dialog = NULL;
+ application->preferences = NULL;
+
+@@ -531,7 +533,7 @@ thunar_application_command_line (GApplication *gapp,
+ }
+ else if (filenames != NULL)
+ {
+- if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error))
++ if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error, THUNAR_APPLICATION_SELECT_FILES))
+ {
+ /* we failed to process the filenames or the bulk rename failed */
+ g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message);
+@@ -539,7 +541,7 @@ thunar_application_command_line (GApplication *gapp,
+ }
+ else if (!daemon)
+ {
+- if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error))
++ if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error, THUNAR_APPLICATION_SELECT_FILES))
+ {
+ /* we failed to process the filenames or the bulk rename failed */
+ g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message);
+@@ -1512,7 +1514,12 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
+ }
+ else
+ {
+- if (thunar_file_is_directory (file))
++ if (application->process_file_action == THUNAR_APPLICATION_LAUNCH_FILES)
++ {
++ /* try to launch the file / open the directory */
++ thunar_file_launch (target_file, screen, startup_id, &error);
++ }
++ else if (thunar_file_is_directory (file))
+ {
+ thunar_application_open_window (application, file, screen, startup_id, FALSE);
+ }
+@@ -1603,18 +1610,20 @@ thunar_application_process_files (ThunarApplication *application)
+ * @startup_id : startup id to finish startup notification and properly focus the
+ * window when focus stealing is enabled or %NULL.
+ * @error : return location for errors or %NULL.
++ * @action : action to invoke on the files
+ *
+ * Tells @application to process the given @filenames and launch them appropriately.
+ *
+ * Return value: %TRUE on success, %FALSE if @error is set.
+ **/
+ gboolean
+-thunar_application_process_filenames (ThunarApplication *application,
+- const gchar *working_directory,
+- gchar **filenames,
+- GdkScreen *screen,
+- const gchar *startup_id,
+- GError **error)
++thunar_application_process_filenames (ThunarApplication *application,
++ const gchar *working_directory,
++ gchar **filenames,
++ GdkScreen *screen,
++ const gchar *startup_id,
++ GError **error,
++ ThunarApplicationProcessAction action)
+ {
+ ThunarFile *file;
+ GError *derror = NULL;
+@@ -1686,7 +1695,10 @@ thunar_application_process_filenames (ThunarApplication *application,
+
+ /* start processing files if we have any to launch */
+ if (application->files_to_launch != NULL)
+- thunar_application_process_files (application);
++ {
++ application->process_file_action = action;
++ thunar_application_process_files (application);
++ }
+
+ /* free the file list */
+ g_list_free (file_list);
+diff --git a/thunar/thunar-application.h b/thunar/thunar-application.h
+index 547cb70..8c180e8 100644
+--- a/thunar/thunar-application.h
++++ b/thunar/thunar-application.h
+@@ -31,6 +31,12 @@ G_BEGIN_DECLS;
+ typedef struct _ThunarApplicationClass ThunarApplicationClass;
+ typedef struct _ThunarApplication ThunarApplication;
+
++typedef enum
++{
++ THUNAR_APPLICATION_LAUNCH_FILES,
++ THUNAR_APPLICATION_SELECT_FILES
++} ThunarApplicationProcessAction;
++
+ #define THUNAR_TYPE_APPLICATION (thunar_application_get_type ())
+ #define THUNAR_APPLICATION(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), THUNAR_TYPE_APPLICATION, ThunarApplication))
+ #define THUNAR_APPLICATION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), THUNAR_TYPE_APPLICATION, ThunarApplicationClass))
+@@ -74,7 +80,8 @@ gboolean thunar_application_process_filenames (ThunarAppli
+ gchar **filenames,
+ GdkScreen *screen,
+ const gchar *startup_id,
+- GError **error);
++ GError **error,
++ ThunarApplicationProcessAction action);
+
+ void thunar_application_rename_file (ThunarApplication *application,
+ ThunarFile *file,
+diff --git a/thunar/thunar-dbus-service.c b/thunar/thunar-dbus-service.c
+index 2d27642..4205a2b 100644
+--- a/thunar/thunar-dbus-service.c
++++ b/thunar/thunar-dbus-service.c
+@@ -991,7 +991,7 @@ thunar_dbus_service_launch_files (ThunarDBusFileManager *object,
+ {
+ /* let the application process the filenames */
+ application = thunar_application_get ();
+- thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error);
++ thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error, THUNAR_APPLICATION_LAUNCH_FILES);
+ g_object_unref (G_OBJECT (application));
+
+ /* release the screen */
+--
+2.17.1
+
diff --git a/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb b/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
index 128043d19..7bef08ed9 100644
--- a/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
+++ b/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
@@ -8,6 +8,10 @@ inherit xfce gobject-introspection features_check mime-xdg
REQUIRED_DISTRO_FEATURES = "x11"
+SRC_URI += "file://CVE-2021-32563-1.patch \
+ file://CVE-2021-32563-2.patch \
+ "
+
SRC_URI[sha256sum] = "cb531d3fe67196a43ca04979ef271ece7858bbc80c15b0ee4323c1252a1a02b7"
PACKAGECONFIG ??= ""
--
2.17.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2021-05-25 18:25 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-25 18:24 [PATCH] thunar: fix CVE-2021-32563 Stefan Ghinea
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.