Re: [oe][meta-oe][kirkstone][PATCH 1/1] xfce4-settings: Fix CVE-2022-45062

Wed, 07 Dec 2022 10:31:00 -0800 


On 12/6/22 11:00 AM, Polampalli, Archana wrote:

Escape characters which do not belong into an URI/URL
In order to prevent argument injection in Xfce xfce4-settings

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-45062

Upstream Status: Backport from
https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/55e3c5fb667e96ad1412cf249879262b369d28d7

Signed-off-by: Archana Polampalli <[email protected]>
---
  .../xfce4-settings/files/CVE-2022-45062.patch | 83 +++++++++++++++++++
  .../xfce4-settings/xfce4-settings_4.16.2.bb   |  3 +-
  2 files changed, 85 insertions(+), 1 deletion(-)
  create mode 100644 
meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch

diff --git a/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch 
b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
new file mode 100644
index 000000000..5384617d5
--- /dev/null
+++ b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch


This patch itself is missing the standard patch information like;

Upstream-Status:
CVE:
Signed-off-by:


For additional information: 
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines


- armin

@@ -0,0 +1,83 @@
+commit 55e3c5fb667e96ad1412cf249879262b369d28d7
+Author: Alexander Schwinn <[email protected]>
+Date:   Mon Nov 7 09:56:31 2022 +0100
+
+    Escape characters which do not belong into an URI/URL (Issue #390)
+
+    In order to prevent argument injection
+
+diff --git a/dialogs/mime-settings/xfce-mime-helper.c 
b/dialogs/mime-settings/xfce-mime-helper.c
+index 7149951f..b797e03b 100644
+--- a/dialogs/mime-settings/xfce-mime-helper.c
++++ b/dialogs/mime-settings/xfce-mime-helper.c
+@@ -415,7 +415,7 @@ xfce_mime_helper_execute (XfceMimeHelper   *helper,
+   gint          status;
+   gint          result;
+   gint          pid;
+-  const gchar  *real_parameter = parameter;
++  gchar        *real_parameter = NULL;
+
+   // FIXME: startup-notification
+
+@@ -427,23 +427,43 @@ xfce_mime_helper_execute (XfceMimeHelper   *helper,
+   if (G_UNLIKELY (screen == NULL))
+     screen = gdk_screen_get_default ();
+
+-  /* strip the mailto part if needed */
+-  if (real_parameter != NULL && g_str_has_prefix (real_parameter, "mailto:";))
+-    real_parameter = parameter + 7;
++  if (parameter != NULL)
++    {
++      if (helper->category == XFCE_MIME_HELPER_WEBBROWSER || helper->category 
== XFCE_MIME_HELPER_FILEMANAGER)
++        {
++          /* escape characters which do not belong into an URI/URL */
++          real_parameter = g_uri_escape_string (parameter, 
":/?#[]@!$&'()*+,;=%", TRUE);
++        }
++      else if (g_str_has_prefix (real_parameter, "mailto:";))
++        {
++          /* strip the mailto part if needed */
++          real_parameter = g_strdup (parameter + 7);
++        }
++      else
++        {
++          real_parameter = g_strdup (parameter);
++        }
++    }
+
+   /* determine the command set to use */
+-  if (exo_str_is_flag (real_parameter)) {
+-    commands = helper->commands_with_flag;
+-  } else if (exo_str_is_empty (real_parameter)) {
+-    commands = helper->commands;
+-  } else {
+-    commands = helper->commands_with_parameter;
+-  }
++  if (exo_str_is_flag (real_parameter))
++    {
++      commands = helper->commands_with_flag;
++    }
++  else if (exo_str_is_empty (real_parameter))
++    {
++      commands = helper->commands;
++    }
++  else
++    {
++      commands = helper->commands_with_parameter;
++    }
+
+   /* verify that we have atleast one command */
+   if (G_UNLIKELY (*commands == NULL))
+     {
+       g_set_error (error, G_SPAWN_ERROR, G_SPAWN_ERROR_INVAL, _("No command 
specified"));
++      g_free (real_parameter);
+       return FALSE;
+     }
+
+@@ -533,6 +553,7 @@ xfce_mime_helper_execute (XfceMimeHelper   *helper,
+   if (G_UNLIKELY (!succeed))
+     g_propagate_error (error, err);
+
++  g_free (real_parameter);
+   return succeed;
+ }
+
diff --git a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb 
b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
index aa4265f7b..6757c48f4 100644
--- a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
+++ b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
@@ -8,7 +8,8 @@ inherit xfce features_check mime-xdg

  
  REQUIRED_DISTRO_FEATURES = "x11"
  
-SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch"

+SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch \
+            file://CVE-2022-45062.patch"
  SRC_URI[sha256sum] = 
"4dd7cb420860535e687f673c0b5c0274e0d2fb67181281d4b85be9197da03d7e"

  
  EXTRA_OECONF += "--enable-maintainer-mode --disable-debug"







-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#99981): 
https://lists.openembedded.org/g/openembedded-devel/message/99981
Mute This Topic: https://lists.openembedded.org/mt/95495939/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-























					Reply via email to