new file mode 100644
@@ -0,0 +1,58 @@
+commit f1cb5bdafc6b9c71c541de267cc84a8c2ac32049
+Author: Gaƫl Bonithon <gael@xfce.org>
+Date: Sat Nov 12 22:27:36 2022 +0100
+
+ mime-settings: Properly quote command parameters
+
+ Fixes: #390
+ MR: !85
+
+diff --git a/dialogs/mime-settings/xfce-mime-helper.c b/dialogs/mime-settings/xfce-mime-helper.c
+index 7149951f..b2d8e50d 100644
+--- a/dialogs/mime-settings/xfce-mime-helper.c
++++ b/dialogs/mime-settings/xfce-mime-helper.c
+@@ -453,8 +453,43 @@ xfce_mime_helper_execute (XfceMimeHelper *helper,
+ /* reset the error */
+ g_clear_error (&err);
+
++ /* prepare the command */
++ if (exo_str_is_empty (real_parameter))
++ command = g_strdup (commands[n]);
++ else
++ {
++ /* split command into "quoted"/unquoted parts */
++ gchar **cmd_parts = g_regex_split_simple ("(\"[^\"]*\")", commands[n], 0, 0);
++
++ /* walk the part array */
++ for (gchar **cmd_part = cmd_parts; *cmd_part != NULL; cmd_part++)
++ {
++ /* quoted part: unquote it, replace %s and re-quote it properly */
++ if (g_str_has_prefix (*cmd_part, "\"") && g_str_has_suffix (*cmd_part, "\""))
++ {
++ gchar *unquoted = g_strndup (*cmd_part + 1, strlen (*cmd_part) - 2);
++ gchar *filled = exo_str_replace (unquoted, "%s", real_parameter);
++ gchar *quoted = g_shell_quote (filled);
++ g_free (filled);
++ g_free (unquoted);
++ g_free (*cmd_part);
++ *cmd_part = quoted;
++ }
++ /* unquoted part: just replace %s */
++ else
++ {
++ gchar *filled = exo_str_replace (*cmd_part, "%s", real_parameter);
++ g_free (*cmd_part);
++ *cmd_part = filled;
++ }
++ }
++
++ /* join parts to reconstitute the command, filled and quoted */
++ command = g_strjoinv (NULL, cmd_parts);
++ g_strfreev (cmd_parts);
++ }
++
+ /* parse the command */
+- command = !exo_str_is_empty (real_parameter) ? exo_str_replace (commands[n], "%s", real_parameter) : g_strdup (commands[n]);
+ succeed = g_shell_parse_argv (command, NULL, &argv, &err);
+ g_free (command);
+
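Review bot: The quoted-part branch computes `strlen (*cmd_part) - 2` after checking only that the part starts and ends with `"`, so a part that is a lone `"` (which g_regex_split_simple can presumably yield when a template has an unmatched trailing double quote) satisfies both checks, the size_t subtraction wraps, and g_strndup is asked for a near-G_MAXSIZE copy; a length guard keeps that path out: `if (strlen (*cmd_part) >= 2 && g_str_has_prefix (*cmd_part, "\"") && g_str_has_suffix (*cmd_part, "\""))`. The unquoted branch still substitutes real_parameter verbatim, so a template carrying a bare `%s` would hand a parameter containing whitespace to g_shell_parse_argv as several arguments; if any shipped helper template does that (not visible here), substituting `g_shell_quote (real_parameter)` in that branch as well would close the gap. The new patch file carries the upstream commit text but no `CVE: CVE-2022-45062` or `Upstream-Status: Backport [<url>]` header lines, which the OE patch convention expects even though cve-check can also derive the CVE from the filename. The body of xfce_mime_helper_execute starts and ends outside the hunk.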
@@ -8,7 +8,8 @@ inherit xfce features_check mime-xdg
REQUIRED_DISTRO_FEATURES = "x11"
-SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch"
+SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch \
+ file://CVE-2022-45062.patch"
SRC_URI[sha256sum] = "4dd7cb420860535e687f673c0b5c0274e0d2fb67181281d4b85be9197da03d7e"
EXTRA_OECONF += "--enable-maintainer-mode --disable-debug"
In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument injection vulnerability in xfce4-mime-helper.
References: https://nvd.nist.gov/vuln/detail/CVE-2022-45062 https://gitlab.xfce.org/xfce/xfce4-settings/-/issues/390
Upstream Status: Backport from https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/f1cb5bdafc6b9c71c541de267cc84a8c2ac32049
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 .../xfce4-settings/files/CVE-2022-45062.patch | 58 +++++++++++++++++++
 .../xfce4-settings/xfce4-settings_4.16.2.bb | 3 +-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch