[meta-oe,kirkstone,1/1] xfce4-settings: fix CVE-2022-45062

Message ID	20221207154143.3623331-1-archana.polampalli@windriver.com
State	New
Headers	show Return-Path: <archana.polampalli@windriver.com> ip: 205.220.166.238, mailfrom: prvs=9340273a0e=archana.polampalli@windriver.com) From: Archana Polampalli <archana.polampalli@windriver.com> To: <openembedded-devel@lists.openembedded.org> CC: Archana Polampalli <archana.polampalli@windriver.com> Subject: [oe][meta-oe][kirkstone][PATCH 1/1] xfce4-settings: fix CVE-2022-45062 Date: Wed, 7 Dec 2022 23:41:43 +0800 Message-ID: <20221207154143.3623331-1-archana.polampalli@windriver.com> MIME-Version: 1.0 Content-Type: text/plain; charset="y" Content-Transfer-Encoding: quoted-printable
Series	[meta-oe,kirkstone,1/1] xfce4-settings: fix CVE-2022-45062 \| expand [meta-oe,kirkstone,1/1] xfce4-settings: fix CVE-2022-45062

Message ID

20221207154143.3623331-1-archana.polampalli@windriver.com

State

New

Headers

From: Archana Polampalli <archana.polampalli@windriver.com>
To: <openembedded-devel@lists.openembedded.org>
CC: Archana Polampalli <archana.polampalli@windriver.com>
Subject: [oe][meta-oe][kirkstone][PATCH 1/1] xfce4-settings: fix
 CVE-2022-45062
Date: Wed, 7 Dec 2022 23:41:43 +0800
Message-ID: <20221207154143.3623331-1-archana.polampalli@windriver.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="y"
Content-Transfer-Encoding: quoted-printable

Series

[meta-oe,kirkstone,1/1] xfce4-settings: fix CVE-2022-45062 | expand

Commit Message

Polampalli, Archana Dec. 7, 2022, 3:41 p.m. UTC

In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an
argument injection vulnerability in xfce4-mime-helper.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-45062
https://gitlab.xfce.org/xfce/xfce4-settings/-/issues/390

Upstream Status: Backport from
https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/f1cb5bdafc6b9c71c541de267cc84a8c2ac32049

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 .../xfce4-settings/files/CVE-2022-45062.patch | 58 +++++++++++++++++++
 .../xfce4-settings/xfce4-settings_4.16.2.bb   |  3 +-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch

diff --git a/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
new file mode 100644
index 000000000..1e999a7c6
--- /dev/null
+++ b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch
@@ -0,0 +1,58 @@ 
+commit f1cb5bdafc6b9c71c541de267cc84a8c2ac32049
+Author: Gaël Bonithon <gael@xfce.org>
+Date:   Sat Nov 12 22:27:36 2022 +0100
+
+    mime-settings: Properly quote command parameters
+    
+    Fixes: #390
+    MR: !85
+
+diff --git a/dialogs/mime-settings/xfce-mime-helper.c b/dialogs/mime-settings/xfce-mime-helper.c
+index 7149951f..b2d8e50d 100644
+--- a/dialogs/mime-settings/xfce-mime-helper.c
++++ b/dialogs/mime-settings/xfce-mime-helper.c
+@@ -453,8 +453,43 @@ xfce_mime_helper_execute (XfceMimeHelper   *helper,
+       /* reset the error */
+       g_clear_error (&err);
+ 
++      /* prepare the command */
++      if (exo_str_is_empty (real_parameter))
++        command = g_strdup (commands[n]);
++      else
++        {
++          /* split command into "quoted"/unquoted parts */
++          gchar **cmd_parts = g_regex_split_simple ("(\"[^\"]*\")", commands[n], 0, 0);
++
++          /* walk the part array */
++          for (gchar **cmd_part = cmd_parts; *cmd_part != NULL; cmd_part++)
++            {
++              /* quoted part: unquote it, replace %s and re-quote it properly */
++              if (g_str_has_prefix (*cmd_part, "\"") && g_str_has_suffix (*cmd_part, "\""))
++                {
++                  gchar *unquoted = g_strndup (*cmd_part + 1, strlen (*cmd_part) - 2);
++                  gchar *filled = exo_str_replace (unquoted, "%s", real_parameter);
++                  gchar *quoted = g_shell_quote (filled);
++                  g_free (filled);
++                  g_free (unquoted);
++                  g_free (*cmd_part);
++                  *cmd_part = quoted;
++                }
++              /* unquoted part: just replace %s */
++              else
++                {
++                  gchar *filled = exo_str_replace (*cmd_part, "%s", real_parameter);
++                  g_free (*cmd_part);
++                  *cmd_part = filled;
++                }
++            }
++
++          /* join parts to reconstitute the command, filled and quoted */
++          command = g_strjoinv (NULL, cmd_parts);
++          g_strfreev (cmd_parts);
++        }
++
+       /* parse the command */
+-      command = !exo_str_is_empty (real_parameter) ? exo_str_replace (commands[n], "%s", real_parameter) : g_strdup (commands[n]);
+       succeed = g_shell_parse_argv (command, NULL, &argv, &err);
+       g_free (command);
+ 
diff --git a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
index aa4265f7b..6757c48f4 100644
--- a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
+++ b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb
@@ -8,7 +8,8 @@  inherit xfce features_check mime-xdg
 
 REQUIRED_DISTRO_FEATURES = "x11"
 
-SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch"
+SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch \
+            file://CVE-2022-45062.patch"
 SRC_URI[sha256sum] = "4dd7cb420860535e687f673c0b5c0274e0d2fb67181281d4b85be9197da03d7e"
 
 EXTRA_OECONF += "--enable-maintainer-mode --disable-debug"

[meta-oe,kirkstone,1/1] xfce4-settings: fix CVE-2022-45062

Commit Message

Patch