* [oe][meta-oe][kirkstone][PATCH 1/1] xfce4-settings: Fix CVE-2022-45062
@ 2022-12-06 16:00 Archana Polampalli
From: Archana Polampalli @ 2022-12-06 16:00 UTC (permalink / raw)
To: openembedded-devel; +Cc: Hari.GPillai, narpat.mali, Archana Polampalli
Escape characters which do not belong into an URI/URL
In order to prevent argument injection in Xfce xfce4-settings
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-45062
Upstream Status: Backport from
https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/55e3c5fb667e96ad1412cf249879262b369d28d7
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
.../xfce4-settings/files/CVE-2022-45062.patch | 83 +++++++++++++++++++
.../xfce4-settings/xfce4-settings_4.16.2.bb | 3 +-
2 files changed, 85 insertions(+), 1 deletion(-)
create mode 100644 meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
diff --git a/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
new file mode 100644
index 000000000..5384617d5
--- /dev/null
+++ b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
@@ -0,0 +1,83 @@
+commit 55e3c5fb667e96ad1412cf249879262b369d28d7
+Author: Alexander Schwinn <alexxcons@xfce.org>
+Date: Mon Nov 7 09:56:31 2022 +0100
+
+ Escape characters which do not belong into an URI/URL (Issue #390)
+
+ In order to prevent argument injection
+
+diff --git a/dialogs/mime-settings/xfce-mime-helper.c b/dialogs/mime-settings/xfce-mime-helper.c
+index 7149951f..b797e03b 100644
+--- a/dialogs/mime-settings/xfce-mime-helper.c
++++ b/dialogs/mime-settings/xfce-mime-helper.c
+@@ -415,7 +415,7 @@ xfce_mime_helper_execute (XfceMimeHelper *helper,
+ gint status;
+ gint result;
+ gint pid;
+- const gchar *real_parameter = parameter;
++ gchar *real_parameter = NULL;
+
+ // FIXME: startup-notification
+
+@@ -427,23 +427,43 @@ xfce_mime_helper_execute (XfceMimeHelper *helper,
+ if (G_UNLIKELY (screen == NULL))
+ screen = gdk_screen_get_default ();
+
+- /* strip the mailto part if needed */
+- if (real_parameter != NULL && g_str_has_prefix (real_parameter, "mailto:"))
+- real_parameter = parameter + 7;
++ if (parameter != NULL)
++ {
++ if (helper->category == XFCE_MIME_HELPER_WEBBROWSER || helper->category == XFCE_MIME_HELPER_FILEMANAGER)
++ {
++ /* escape characters which do not belong into an URI/URL */
++ real_parameter = g_uri_escape_string (parameter, ":/?#[]@!$&'()*+,;=%", TRUE);
++ }
++ else if (g_str_has_prefix (real_parameter, "mailto:"))
++ {
++ /* strip the mailto part if needed */
++ real_parameter = g_strdup (parameter + 7);
++ }
++ else
++ {
++ real_parameter = g_strdup (parameter);
++ }
++ }
+
+ /* determine the command set to use */
+- if (exo_str_is_flag (real_parameter)) {
+- commands = helper->commands_with_flag;
+- } else if (exo_str_is_empty (real_parameter)) {
+- commands = helper->commands;
+- } else {
+- commands = helper->commands_with_parameter;
+- }
++ if (exo_str_is_flag (real_parameter))
++ {
++ commands = helper->commands_with_flag;
++ }
++ else if (exo_str_is_empty (real_parameter))
++ {
++ commands = helper->commands;
++ }
++ else
++ {
++ commands = helper->commands_with_parameter;
++ }
+
+ /* verify that we have atleast one command */
+ if (G_UNLIKELY (*commands == NULL))
+ {
+ g_set_error (error, G_SPAWN_ERROR, G_SPAWN_ERROR_INVAL, _("No command specified"));
++ g_free (real_parameter);
+ return FALSE;
+ }
+
+@@ -533,6 +553,7 @@ xfce_mime_helper_execute (XfceMimeHelper *helper,
+ if (G_UNLIKELY (!succeed))
+ g_propagate_error (error, err);
+
++ g_free (real_parameter);
+ return succeed;
+ }
+
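Review bot: The `else if (g_str_has_prefix (real_parameter, "mailto:"))` branch in the second hunk tests the wrong variable: this patch changes the declaration to `gchar *real_parameter = NULL;` and nothing assigns it before that branch runs, so the check always sees NULL (g_str_has_prefix fails its g_return_val_if_fail and returns FALSE) and the mailto: prefix is never stripped; it should read `else if (g_str_has_prefix (parameter, "mailto:"))`. The 4.16.x history quoted later in this thread shows upstream reverted this commit (f7707d8b) in favour of f1cb5bda, which quotes the parameter instead of escaping it. The patch file also carries only the upstream commit header; the Upstream-Status:, CVE: and Signed-off-by: lines that the layer guidelines and cve-check rely on are missing.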
diff --git a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
index aa4265f7b..6757c48f4 100644
--- a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
+++ b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
@@ -8,7 +8,8 @@ inherit xfce features_check mime-xdg
REQUIRED_DISTRO_FEATURES = "x11"
-SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch"
+SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch \
+ file://CVE-2022-45062.patch"
SRC_URI[sha256sum] = "4dd7cb420860535e687f673c0b5c0274e0d2fb67181281d4b85be9197da03d7e"
EXTRA_OECONF += "--enable-maintainer-mode --disable-debug"
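Review bot: Rather than carrying this patch against 4.16.2, the recipe should move to the 4.16.5 release: the git log quoted later in this thread shows the 4.16 branch both reverted 55e3c5fb (f7707d8b) and landed the replacement f1cb5bda before tagging xfce4-settings-4.16.5, and master already took that route (83eb9464, 4.16.3 -> 4.16.5), so a PV bump with the new sha256sum fixes the CVE without a local patch and without the defect noted in the patch file above.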
--
2.34.1
* Re: [oe][meta-oe][kirkstone][PATCH 1/1] xfce4-settings: Fix CVE-2022-45062
@ 2022-12-07 18:30 ` akuster808
From: akuster808 @ 2022-12-07 18:30 UTC (permalink / raw)
To: Polampalli, Archana, openembedded-devel; +Cc: Hari.GPillai, narpat.mali
On 12/6/22 11:00 AM, Polampalli, Archana wrote:
> Escape characters which do not belong into an URI/URL
> In order to prevent argument injection in Xfce xfce4-settings
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2022-45062
>
> Upstream Status: Backport from
> https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/55e3c5fb667e96ad1412cf249879262b369d28d7
>
> Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
> ---
> .../xfce4-settings/files/CVE-2022-45062.patch | 83 +++++++++++++++++++
> .../xfce4-settings/xfce4-settings_4.16.2.bb | 3 +-
> 2 files changed, 85 insertions(+), 1 deletion(-)
> create mode 100644 meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
>
> diff --git a/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
> new file mode 100644
> index 000000000..5384617d5
> --- /dev/null
> +++ b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
This patch itself is missing the standard patch information like:
Upstream-Status:
CVE:
Signed-off-by:
For additional information:
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
- armin
> @@ -0,0 +1,83 @@
> +commit 55e3c5fb667e96ad1412cf249879262b369d28d7
> +Author: Alexander Schwinn <alexxcons@xfce.org>
> +Date: Mon Nov 7 09:56:31 2022 +0100
> +
> + Escape characters which do not belong into an URI/URL (Issue #390)
> +
> + In order to prevent argument injection
> +
> +diff --git a/dialogs/mime-settings/xfce-mime-helper.c b/dialogs/mime-settings/xfce-mime-helper.c
> +index 7149951f..b797e03b 100644
> +--- a/dialogs/mime-settings/xfce-mime-helper.c
> ++++ b/dialogs/mime-settings/xfce-mime-helper.c
> +@@ -415,7 +415,7 @@ xfce_mime_helper_execute (XfceMimeHelper *helper,
> + gint status;
> + gint result;
> + gint pid;
> +- const gchar *real_parameter = parameter;
> ++ gchar *real_parameter = NULL;
> +
> + // FIXME: startup-notification
> +
> +@@ -427,23 +427,43 @@ xfce_mime_helper_execute (XfceMimeHelper *helper,
> + if (G_UNLIKELY (screen == NULL))
> + screen = gdk_screen_get_default ();
> +
> +- /* strip the mailto part if needed */
> +- if (real_parameter != NULL && g_str_has_prefix (real_parameter, "mailto:"))
> +- real_parameter = parameter + 7;
> ++ if (parameter != NULL)
> ++ {
> ++ if (helper->category == XFCE_MIME_HELPER_WEBBROWSER || helper->category == XFCE_MIME_HELPER_FILEMANAGER)
> ++ {
> ++ /* escape characters which do not belong into an URI/URL */
> ++ real_parameter = g_uri_escape_string (parameter, ":/?#[]@!$&'()*+,;=%", TRUE);
> ++ }
> ++ else if (g_str_has_prefix (real_parameter, "mailto:"))
> ++ {
> ++ /* strip the mailto part if needed */
> ++ real_parameter = g_strdup (parameter + 7);
> ++ }
> ++ else
> ++ {
> ++ real_parameter = g_strdup (parameter);
> ++ }
> ++ }
> +
> + /* determine the command set to use */
> +- if (exo_str_is_flag (real_parameter)) {
> +- commands = helper->commands_with_flag;
> +- } else if (exo_str_is_empty (real_parameter)) {
> +- commands = helper->commands;
> +- } else {
> +- commands = helper->commands_with_parameter;
> +- }
> ++ if (exo_str_is_flag (real_parameter))
> ++ {
> ++ commands = helper->commands_with_flag;
> ++ }
> ++ else if (exo_str_is_empty (real_parameter))
> ++ {
> ++ commands = helper->commands;
> ++ }
> ++ else
> ++ {
> ++ commands = helper->commands_with_parameter;
> ++ }
> +
> + /* verify that we have atleast one command */
> + if (G_UNLIKELY (*commands == NULL))
> + {
> + g_set_error (error, G_SPAWN_ERROR, G_SPAWN_ERROR_INVAL, _("No command specified"));
> ++ g_free (real_parameter);
> + return FALSE;
> + }
> +
> +@@ -533,6 +553,7 @@ xfce_mime_helper_execute (XfceMimeHelper *helper,
> + if (G_UNLIKELY (!succeed))
> + g_propagate_error (error, err);
> +
> ++ g_free (real_parameter);
> + return succeed;
> + }
> +
> diff --git a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
> index aa4265f7b..6757c48f4 100644
> --- a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
> +++ b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
> @@ -8,7 +8,8 @@ inherit xfce features_check mime-xdg
>
> REQUIRED_DISTRO_FEATURES = "x11"
>
> -SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch"
> +SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch \
> + file://CVE-2022-45062.patch"
> SRC_URI[sha256sum] = "4dd7cb420860535e687f673c0b5c0274e0d2fb67181281d4b85be9197da03d7e"
>
> EXTRA_OECONF += "--enable-maintainer-mode --disable-debug"
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#99959): https://lists.openembedded.org/g/openembedded-devel/message/99959
> Mute This Topic: https://lists.openembedded.org/mt/95495939/3616698
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [akuster808@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
* Re: [oe][meta-oe][kirkstone][PATCH 1/1] xfce4-settings: Fix CVE-2022-45062
@ 2022-12-08 7:15 ` Polampalli, Archana
From: Polampalli, Archana @ 2022-12-08 7:15 UTC (permalink / raw)
To: openembedded-devel; +Cc: G Pillai, Hari, Mali, Narpat
Please ignore this mail,
Regards,
Archana
* Re: [oe][meta-oe][kirkstone][PATCH 1/1] xfce4-settings: fix CVE-2022-45062
@ 2022-12-13 6:36 ` Polampalli, Archana
From: Polampalli, Archana @ 2022-12-13 6:36 UTC (permalink / raw)
To: MacLeod, Randy, openembedded-devel, Armin Kuster
Will update to xfce4-settings-4.16.5 and will send patch
Regards,
Archana
* Re: [oe][meta-oe][kirkstone][PATCH 1/1] xfce4-settings: fix CVE-2022-45062
@ 2022-12-12 19:29 ` Randy MacLeod
From: Randy MacLeod @ 2022-12-12 19:29 UTC (permalink / raw)
To: openembedded-devel, Polampalli, Archana, Armin Kuster
On 2022-12-08 02:03, Polampalli, Archana via lists.openembedded.org wrote:
> In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an
> argument injection vulnerability in xfce4-mime-helper.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2022-45062
> https://gitlab.xfce.org/xfce/xfce4-settings/-/issues/390
>
> Upstream-Status: Backport [https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/f1cb5bdafc6b9c71c541de267cc84a8c2ac32049]
>
> CVE: CVE-2022-45062
Hi Archana,
Please update to: xfce4-settings-4.16.5 as was done on master:
commit 83eb9464882752e00746c1da8e3c52f4fc06bbde
Author: Kai Kang <kai.kang@windriver.com>
Date: Wed Nov 23 01:59:13 2022

xfce4-settings: 4.16.3 -> 4.16.5

It fixes CVE-2022-45062 in xfce4-settings 4.16.5.

CVE: CVE-2022-45062

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
?
$ git tag --contains f1cb5bdafc6b9c71c541de267cc84a8c2ac32049
xfce4-settings-4.16.5
$ git branch -a --contains f1cb5bdafc6b9c71c541de267cc84a8c2ac32049
remotes/origin/xfce-4.16
An update to the latest 4.16.x stable release will pick that commit up:
$ git log --oneline xfce4-settings-4.16.2..xfce4-settings-4.16.5 | rg f1cb5
f1cb5bda mime-settings: Properly quote command parameters
Also the update seems sensible in that it's only bug fixes and
translation updates.
$ git log --oneline xfce4-settings-4.16.2..xfce4-settings-4.16.5
83ea11cf (tag: xfce4-settings-4.16.5) Updates for release
f1cb5bda mime-settings: Properly quote command parameters
f7707d8b Revert "Escape characters which do not belong into an URI/URL (Issue #390)"
b532324f Back to development
b9729c85 (tag: xfce4-settings-4.16.4) Updates for release
55e3c5fb Escape characters which do not belong into an URI/URL (Issue #390)
7489b73f I18n: Update translation pt (100%).
d314651f I18n: Update translation ja (100%).
51a8327d I18n: Update translation ru (100%).
42aa66d0 I18n: Update translation ru (100%).
341443f8 Prefer full command when basic command is env (Fixes #358)
8d4106b3 Back to development
024399b1 (tag: xfce4-settings-4.16.3) Updates for release
af601e32 build: Fix intltool lock file problem during make distcheck
0875cfba xfsettingsd: Fix recursive lock in libX11 (Fixes #369)
9195b3bd I18n: Update translation el (98%).
bfbe5173 I18n: Update translation el (98%).
222f2d1d I18n: Update translation el (98%).
dbfd87e5 I18n: Update translation el (98%).
4e7af67d I18n: Update translation en_GB (100%).
2ddf22e0 I18n: Update translation el (98%).
48e206d2 I18n: Update translation el (98%).
448f39ec I18n: Update translation el (98%).
127feac8 I18n: Update translation el (94%).
f82ba7dd I18n: Update translation en_GB (99%).
0654def5 I18n: Update translation en_GB (89%).
8cb73fd5 I18n: Update translation ko (99%).
22d9b99d I18n: Update translation en_CA (96%).
f30b6393 I18n: Update translation sv (100%).
2270d3e3 I18n: Update translation sv (100%).
066891c3 I18n: Update translation ko (97%).
08e417b2 I18n: Update translation ro (83%).
5900ff21 I18n: Update translation oc (100%).
dd3de2c9 I18n: Update translation oc (93%).
b220fdc3 I18n: Update translation et (100%).
842986a0 I18n: Update translation oc (88%).
80aac3e8 I18n: Update translation ms (100%).
c9329f00 I18n: Update translation et (99%).
09af4cc7 I18n: Update translation kk (100%).
77bcf8c5 I18n: Update translation id (100%).
1fc2d34a I18n: Update translation hy_AM (99%).
d84f3fdc I18n: Update translation pl (100%).
90b8f2e1 I18n: Update translation gl (100%).
4611d543 I18n: Update translation ca (100%).
c1ee5b28 I18n: Update translation lt (100%).
33a6052e I18n: Update translation be (100%).
a23c5fc5 I18n: Update translation et (98%).
20d866dc Back to development
Armin, or anyone else, any concerns?
../Randy
>
> Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
> ---
> .../xfce4-settings/files/CVE-2022-45062.patch | 58 +++++++++++++++++++
> .../xfce4-settings/xfce4-settings_4.16.2.bb | 3 +-
> 2 files changed, 60 insertions(+), 1 deletion(-)
> create mode 100644 meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
>
> diff --git a/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
> new file mode 100644
> index 000000000..1e999a7c6
> --- /dev/null
> +++ b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
> @@ -0,0 +1,58 @@
> +commit f1cb5bdafc6b9c71c541de267cc84a8c2ac32049
> +Author: Gaël Bonithon<gael@xfce.org>
> +Date: Sat Nov 12 22:27:36 2022 +0100
> +
> + mime-settings: Properly quote command parameters
> +
> + Fixes: #390
> + MR: !85
> +
> +diff --git a/dialogs/mime-settings/xfce-mime-helper.c b/dialogs/mime-settings/xfce-mime-helper.c
> +index 7149951f..b2d8e50d 100644
> +--- a/dialogs/mime-settings/xfce-mime-helper.c
> ++++ b/dialogs/mime-settings/xfce-mime-helper.c
> +@@ -453,8 +453,43 @@ xfce_mime_helper_execute (XfceMimeHelper *helper,
> + /* reset the error */
> + g_clear_error (&err);
> +
> ++ /* prepare the command */
> ++ if (exo_str_is_empty (real_parameter))
> ++ command = g_strdup (commands[n]);
> ++ else
> ++ {
> ++ /* split command into "quoted"/unquoted parts */
> ++ gchar **cmd_parts = g_regex_split_simple ("(\"[^\"]*\")", commands[n], 0, 0);
> ++
> ++ /* walk the part array */
> ++ for (gchar **cmd_part = cmd_parts; *cmd_part != NULL; cmd_part++)
> ++ {
> ++ /* quoted part: unquote it, replace %s and re-quote it properly */
> ++ if (g_str_has_prefix (*cmd_part, "\"") && g_str_has_suffix (*cmd_part, "\""))
> ++ {
> ++ gchar *unquoted = g_strndup (*cmd_part + 1, strlen (*cmd_part) - 2);
> ++ gchar *filled = exo_str_replace (unquoted, "%s", real_parameter);
> ++ gchar *quoted = g_shell_quote (filled);
> ++ g_free (filled);
> ++ g_free (unquoted);
> ++ g_free (*cmd_part);
> ++ *cmd_part = quoted;
> ++ }
> ++ /* unquoted part: just replace %s */
> ++ else
> ++ {
> ++ gchar *filled = exo_str_replace (*cmd_part, "%s", real_parameter);
> ++ g_free (*cmd_part);
> ++ *cmd_part = filled;
> ++ }
> ++ }
> ++
> ++ /* join parts to reconstitute the command, filled and quoted */
> ++ command = g_strjoinv (NULL, cmd_parts);
> ++ g_strfreev (cmd_parts);
> ++ }
> ++
> + /* parse the command */
> +- command = !exo_str_is_empty (real_parameter) ? exo_str_replace (commands[n], "%s", real_parameter) : g_strdup (commands[n]);
> + succeed = g_shell_parse_argv (command, NULL, &argv, &err);
> + g_free (command);
> +
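Review bot: The re-quoting loop (`for (gchar **cmd_part = cmd_parts; ...)`) only protects a placeholder that the helper command wraps in double quotes, because `g_regex_split_simple ("(\"[^\"]*\")", ...)` hands only those segments to `g_shell_quote`; an unquoted `%s` in a command still takes the plain `exo_str_replace` path and is then tokenised by `g_shell_parse_argv`, so locally configured helper templates must use the `"%s"` form for this fix to apply. That matches upstream's behaviour, so it belongs in the patch header rather than the code, and that header (`commit f1cb5bda...` through `MR: !85`) still lacks the Upstream-Status:, CVE: and Signed-off-by: lines Armin asked for on the previous revision; they appear only in the recipe commit message, not in the .patch file that cve-check scans.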
> diff --git a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
> index aa4265f7b..6757c48f4 100644
> --- a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
> +++ b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
> @@ -8,7 +8,8 @@ inherit xfce features_check mime-xdg
>
> REQUIRED_DISTRO_FEATURES = "x11"
>
> -SRC_URI +="file://0001-xsettings.xml-Set-default-themes.patch"
> +SRC_URI +="file://0001-xsettings.xml-Set-default-themes.patch \ +
> file://CVE-2022-45062.patch"
> SRC_URI[sha256sum] = "4dd7cb420860535e687f673c0b5c0274e0d2fb67181281d4b85be9197da03d7e"
>
> EXTRA_OECONF += "--enable-maintainer-mode --disable-debug"
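Review bot: This patch file keeps the name CVE-2022-45062.patch from the previous revision of the series although its content is now a different upstream commit (f1cb5bda instead of 55e3c5fb); naming it after the upstream subject, e.g. 0001-mime-settings-Properly-quote-command-parameters.patch, with the CVE recorded in the header, keeps the two revisions distinguishable in review and in the SRC_URI entry added here.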
>
--
# Randy MacLeod
# Wind River Linux
* [oe][meta-oe][kirkstone][PATCH 1/1] xfce4-settings: fix CVE-2022-45062
@ 2022-12-08 7:03 Archana Polampalli
2022-12-12 19:29 ` Randy MacLeod
0 siblings, 1 reply; 7+ messages in thread
From: Archana Polampalli @ 2022-12-08 7:03 UTC (permalink / raw)
To: openembedded-devel
Cc: changqing.li, hari.gpillai, akuster808, Archana Polampalli
In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an
argument injection vulnerability in xfce4-mime-helper.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-45062
https://gitlab.xfce.org/xfce/xfce4-settings/-/issues/390
Upstream-Status: Backport [https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/f1cb5bdafc6b9c71c541de267cc84a8c2ac32049]
CVE: CVE-2022-45062
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
.../xfce4-settings/files/CVE-2022-45062.patch | 58 +++++++++++++++++++
.../xfce4-settings/xfce4-settings_4.16.2.bb | 3 +-
2 files changed, 60 insertions(+), 1 deletion(-)
create mode 100644 meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
diff --git a/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
new file mode 100644
index 000000000..1e999a7c6
--- /dev/null
+++ b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
@@ -0,0 +1,58 @@
+commit f1cb5bdafc6b9c71c541de267cc84a8c2ac32049
+Author: Gaël Bonithon <gael@xfce.org>
+Date: Sat Nov 12 22:27:36 2022 +0100
+
+ mime-settings: Properly quote command parameters
+
+ Fixes: #390
+ MR: !85
+
+diff --git a/dialogs/mime-settings/xfce-mime-helper.c b/dialogs/mime-settings/xfce-mime-helper.c
+index 7149951f..b2d8e50d 100644
+--- a/dialogs/mime-settings/xfce-mime-helper.c
++++ b/dialogs/mime-settings/xfce-mime-helper.c
+@@ -453,8 +453,43 @@ xfce_mime_helper_execute (XfceMimeHelper *helper,
+ /* reset the error */
+ g_clear_error (&err);
+
++ /* prepare the command */
++ if (exo_str_is_empty (real_parameter))
++ command = g_strdup (commands[n]);
++ else
++ {
++ /* split command into "quoted"/unquoted parts */
++ gchar **cmd_parts = g_regex_split_simple ("(\"[^\"]*\")", commands[n], 0, 0);
++
++ /* walk the part array */
++ for (gchar **cmd_part = cmd_parts; *cmd_part != NULL; cmd_part++)
++ {
++ /* quoted part: unquote it, replace %s and re-quote it properly */
++ if (g_str_has_prefix (*cmd_part, "\"") && g_str_has_suffix (*cmd_part, "\""))
++ {
++ gchar *unquoted = g_strndup (*cmd_part + 1, strlen (*cmd_part) - 2);
++ gchar *filled = exo_str_replace (unquoted, "%s", real_parameter);
++ gchar *quoted = g_shell_quote (filled);
++ g_free (filled);
++ g_free (unquoted);
++ g_free (*cmd_part);
++ *cmd_part = quoted;
++ }
++ /* unquoted part: just replace %s */
++ else
++ {
++ gchar *filled = exo_str_replace (*cmd_part, "%s", real_parameter);
++ g_free (*cmd_part);
++ *cmd_part = filled;
++ }
++ }
++
++ /* join parts to reconstitute the command, filled and quoted */
++ command = g_strjoinv (NULL, cmd_parts);
++ g_strfreev (cmd_parts);
++ }
++
+ /* parse the command */
+- command = !exo_str_is_empty (real_parameter) ? exo_str_replace (commands[n], "%s", real_parameter) : g_strdup (commands[n]);
+ succeed = g_shell_parse_argv (command, NULL, &argv, &err);
+ g_free (command);
+
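Review bot: the added `.patch` file's header (the lines from `commit f1cb5bdafc6b9c71c541de267cc84a8c2ac32049` through `MR: !85`) carries only the upstream commit message; the `Upstream-Status: Backport [...]` and `CVE: CVE-2022-45062` tags that appear in the mail body should also be placed inside the patch file header, since that is where the layer's patch checks look for them. Otherwise the hunk is consistent with the stated intent: for a double-quoted `%s` the filled value is passed through `g_shell_quote` before `g_shell_parse_argv` sees it, and `g_strjoinv (NULL, cmd_parts)` relies on GLib's documented acceptance of a NULL separator, so no change is needed there.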
diff --git a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
index aa4265f7b..6757c48f4 100644
--- a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
+++ b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
@@ -8,7 +8,8 @@ inherit xfce features_check mime-xdg
REQUIRED_DISTRO_FEATURES = "x11"
-SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch"
+SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch \
+ file://CVE-2022-45062.patch"
SRC_URI[sha256sum] = "4dd7cb420860535e687f673c0b5c0274e0d2fb67181281d4b85be9197da03d7e"
EXTRA_OECONF += "--enable-maintainer-mode --disable-debug"
--
2.25.1
* [oe][meta-oe][kirkstone][PATCH 1/1] xfce4-settings: fix CVE-2022-45062
@ 2022-12-07 15:41 Archana Polampalli
0 siblings, 0 replies; 7+ messages in thread
From: Archana Polampalli @ 2022-12-07 15:41 UTC (permalink / raw)
To: openembedded-devel; +Cc: Archana Polampalli
In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an
argument injection vulnerability in xfce4-mime-helper.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-45062
https://gitlab.xfce.org/xfce/xfce4-settings/-/issues/390
Upstream Status: Backport from
https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/f1cb5bdafc6b9c71c541de267cc84a8c2ac32049
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
.../xfce4-settings/files/CVE-2022-45062.patch | 58 +++++++++++++++++++
.../xfce4-settings/xfce4-settings_4.16.2.bb | 3 +-
2 files changed, 60 insertions(+), 1 deletion(-)
create mode 100644 meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
diff --git a/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
new file mode 100644
index 000000000..1e999a7c6
--- /dev/null
+++ b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
@@ -0,0 +1,58 @@
+commit f1cb5bdafc6b9c71c541de267cc84a8c2ac32049
+Author: Gaël Bonithon <gael@xfce.org>
+Date: Sat Nov 12 22:27:36 2022 +0100
+
+ mime-settings: Properly quote command parameters
+
+ Fixes: #390
+ MR: !85
+
+diff --git a/dialogs/mime-settings/xfce-mime-helper.c b/dialogs/mime-settings/xfce-mime-helper.c
+index 7149951f..b2d8e50d 100644
+--- a/dialogs/mime-settings/xfce-mime-helper.c
++++ b/dialogs/mime-settings/xfce-mime-helper.c
+@@ -453,8 +453,43 @@ xfce_mime_helper_execute (XfceMimeHelper *helper,
+ /* reset the error */
+ g_clear_error (&err);
+
++ /* prepare the command */
++ if (exo_str_is_empty (real_parameter))
++ command = g_strdup (commands[n]);
++ else
++ {
++ /* split command into "quoted"/unquoted parts */
++ gchar **cmd_parts = g_regex_split_simple ("(\"[^\"]*\")", commands[n], 0, 0);
++
++ /* walk the part array */
++ for (gchar **cmd_part = cmd_parts; *cmd_part != NULL; cmd_part++)
++ {
++ /* quoted part: unquote it, replace %s and re-quote it properly */
++ if (g_str_has_prefix (*cmd_part, "\"") && g_str_has_suffix (*cmd_part, "\""))
++ {
++ gchar *unquoted = g_strndup (*cmd_part + 1, strlen (*cmd_part) - 2);
++ gchar *filled = exo_str_replace (unquoted, "%s", real_parameter);
++ gchar *quoted = g_shell_quote (filled);
++ g_free (filled);
++ g_free (unquoted);
++ g_free (*cmd_part);
++ *cmd_part = quoted;
++ }
++ /* unquoted part: just replace %s */
++ else
++ {
++ gchar *filled = exo_str_replace (*cmd_part, "%s", real_parameter);
++ g_free (*cmd_part);
++ *cmd_part = filled;
++ }
++ }
++
++ /* join parts to reconstitute the command, filled and quoted */
++ command = g_strjoinv (NULL, cmd_parts);
++ g_strfreev (cmd_parts);
++ }
++
+ /* parse the command */
+- command = !exo_str_is_empty (real_parameter) ? exo_str_replace (commands[n], "%s", real_parameter) : g_strdup (commands[n]);
+ succeed = g_shell_parse_argv (command, NULL, &argv, &err);
+ g_free (command);
+
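Review bot: the split pattern `(\"[^\"]*\")` only recognises double-quoted segments, so a helper template written as `'%s'` lands in the `else` branch and the raw parameter is substituted inside the single quotes without any escaping; either extend the pattern to cover `'...'` segments (unquoting and re-quoting them the same way as the double-quoted case) or state in the patch description that helper commands must double-quote `%s` to get the protection this change adds.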
diff --git a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
index aa4265f7b..6757c48f4 100644
--- a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
+++ b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
@@ -8,7 +8,8 @@ inherit xfce features_check mime-xdg
REQUIRED_DISTRO_FEATURES = "x11"
-SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch"
+SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch \
+ file://CVE-2022-45062.patch"
SRC_URI[sha256sum] = "4dd7cb420860535e687f673c0b5c0274e0d2fb67181281d4b85be9197da03d7e"
EXTRA_OECONF += "--enable-maintainer-mode --disable-debug"
--
2.25.1
2022-12-06 16:00 [oe][meta-oe][kirkstone][PATCH 1/1] xfce4-settings: Fix CVE-2022-45062 Archana Polampalli
2022-12-07 18:30 ` akuster808
2022-12-08 7:15 ` Polampalli, Archana
2022-12-07 15:41 [oe][meta-oe][kirkstone][PATCH 1/1] xfce4-settings: fix CVE-2022-45062 Archana Polampalli
2022-12-08 7:03 Archana Polampalli
2022-12-12 19:29 ` Randy MacLeod
2022-12-13 6:36 ` Polampalli, Archana