diff --git a/0001-xdg-screensaver-should-control-X11-s-screensaver-in-.patch b/0001-xdg-screensaver-should-control-X11-s-screensaver-in-.patch index 4768e38..30f1df3 100644 --- a/0001-xdg-screensaver-should-control-X11-s-screensaver-in-.patch +++ b/0001-xdg-screensaver-should-control-X11-s-screensaver-in-.patch @@ -1,7 +1,7 @@ From 0f06aadc8696f3e9234687bbc93b50a3f724b822 Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Sun, 4 Jan 2015 16:21:09 -0600 -Subject: [PATCH 1/2] xdg-screensaver should control X11's screensaver in xfce +Subject: [PATCH 1/5] xdg-screensaver should control X11's screensaver in xfce as fallback (BR80089) --- @@ -38,5 +38,5 @@ index 047d555..d9cb4d2 100644 [ -n "$DISPLAY" ] && screensaver_xserver "$1" ;; -- -1.9.3 +2.1.0 diff --git a/0002-nuke-some-extra-quoting.patch b/0002-nuke-some-extra-quoting.patch deleted file mode 100644 index 8970e02..0000000 --- a/0002-nuke-some-extra-quoting.patch +++ /dev/null @@ -1,26 +0,0 @@ -From c93e804e27d8013a455ccaf523758bd86bad0498 Mon Sep 17 00:00:00 2001 -From: Rex Dieter -Date: Tue, 6 Jan 2015 17:37:24 -0600 -Subject: [PATCH 2/3] nuke some extra quoting - -easy(?) fix while working on BR66670 ---- - scripts/xdg-open.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in -index 0145be3..c12dcdd 100644 ---- a/scripts/xdg-open.in -+++ b/scripts/xdg-open.in -@@ -186,7 +186,7 @@ search_desktop_file() - # FIXME: Actually LC_MESSAGES should be used as described in - # http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s04.html - localised_name="'$(get_key "${file}" "Name")'" -- arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*"'"$arg_one"'"*g' \ -+ arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*'"$arg_one"'*g' \ - -e 's*%i*'"$icon"'*g' \ - -e 's*%c*'"$localised_name"'*g')" - --- -2.1.0 - 
diff --git a/0002-xdg-open-command-injection-vulnerability-BR66670.patch b/0002-xdg-open-command-injection-vulnerability-BR66670.patch new file mode 100644 index 0000000..2af8dd0 --- /dev/null +++ b/0002-xdg-open-command-injection-vulnerability-BR66670.patch @@ -0,0 +1,51 @@ +From 11a4bd44692f74a8b8b4615e44dc897c929ef1e5 Mon Sep 17 00:00:00 2001 +From: Rex Dieter +Date: Mon, 5 Jan 2015 13:09:05 -0600 +Subject: [PATCH 2/5] xdg-open: command injection vulnerability (BR66670) + +--- + ChangeLog | 3 +++ + scripts/xdg-open.in | 6 +++--- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 735fee7..e309517 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,5 +1,8 @@ + === xdg-utils 1.1.x === + ++2015-01-05 Rex Dieter ++ * xdg-open: command injection vulnerability (BR66670) ++ + 2015-01-04 Rex Dieter + * xdg-screensaver should control X11's screensaver in xfce as fallback (BR80089) + +diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in +index 0145be3..9f01747 100644 +--- a/scripts/xdg-open.in ++++ b/scripts/xdg-open.in +@@ -186,17 +186,17 @@ search_desktop_file() + # FIXME: Actually LC_MESSAGES should be used as described in + # http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s04.html + localised_name="'$(get_key "${file}" "Name")'" +- arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*"'"$arg_one"'"*g' \ ++ arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*'"$arg_one"'*g' \ + -e 's*%i*'"$icon"'*g' \ + -e 's*%c*'"$localised_name"'*g')" + + if [ -x "$command_exec" ] ; then + if echo "$arguments" | grep -iq '%[fFuU]' ; then + echo START "$command_exec" "$arguments_exec" +- eval "$command_exec" "$arguments_exec" ++ eval "$command_exec" '$arguments_exec' + else + echo START "$command_exec" "$arguments_exec" "$arg" +- eval "$command_exec" "$arguments_exec" "$arg" ++ eval "$command_exec" '$arguments_exec' '$arg' + fi + + if [ $? -eq 0 ]; then +-- +2.1.0 + 
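Review bot: The rewritten `eval "$command_exec" '$arguments_exec'` lines keep the expanded value from being re-parsed for command substitution, but the expansion is unquoted inside the string eval parses, so a file name or URL containing whitespace or glob characters is field-split and pathname-expanded into several arguments before the handler runs. The new `sed -e 's*%[fFuU]*'"$arg_one"'*g'` line also still interpolates the caller-supplied `$arg_one` raw into a sed replacement, where `&`, `\` and the `*` delimiter are special, so a query string containing `&` substitutes the matched `%u` text and a `*` breaks the s command and leaves `arguments_exec` empty. Patch 0005 later in this diff rewrites the two eval lines, so the splitting point is best checked there; the sed escaping is not addressed anywhere in this diff. search_desktop_file's body begins and ends outside this hunk.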
diff --git a/0003-xdg-mime-dereference-symlinks-when-using-mimetype-or.patch b/0003-xdg-mime-dereference-symlinks-when-using-mimetype-or.patch new file mode 100644 index 0000000..771641a --- /dev/null +++ b/0003-xdg-mime-dereference-symlinks-when-using-mimetype-or.patch @@ -0,0 +1,47 @@ +From ffa6e473fc95d1980b230195fecdafcd7193dca7 Mon Sep 17 00:00:00 2001 +From: Rex Dieter +Date: Thu, 15 Jan 2015 09:16:38 -0600 +Subject: [PATCH 3/5] xdg-mime: dereference symlinks when using mimetype or + file (BR39923) + +--- + ChangeLog | 3 +++ + scripts/xdg-mime.in | 8 ++++---- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index e309517..3c7b095 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,5 +1,8 @@ + === xdg-utils 1.1.x === + ++2015-01-15 Reuben Thomas ++ * xdg-mime: dereference symlinks when using mimetype or file (BR39923) ++ + 2015-01-05 Rex Dieter + * xdg-open: command injection vulnerability (BR66670) + +diff --git a/scripts/xdg-mime.in b/scripts/xdg-mime.in +index 0290d77..80781c8 100644 +--- a/scripts/xdg-mime.in ++++ b/scripts/xdg-mime.in +@@ -98,11 +98,11 @@ info_gnome() + info_generic() + { + if mimetype --version >/dev/null 2>&1; then +- DEBUG 1 "Running mimetype -b \"$1\"" +- mimetype -b "$1" ++ DEBUG 1 "Running mimetype --brief --dereference \"$1\"" ++ mimetype --brief --dereference "$1" + else +- DEBUG 1 "Running file --mime-type \"$1\"" +- /usr/bin/file -b --mime-type "$1" 2> /dev/null ++ DEBUG 1 "Running file --brief --dereference --mime-type \"$1\"" ++ /usr/bin/file --brief --dereference --mime-type "$1" 2> /dev/null + fi + + if [ $? -eq 0 ]; then +-- +2.1.0 + diff --git a/0003-xdg-open-command-injection-vulnerability-BR66670.patch b/0003-xdg-open-command-injection-vulnerability-BR66670.patch deleted file mode 100644 index a7f18b5..0000000 --- a/0003-xdg-open-command-injection-vulnerability-BR66670.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 4bd30419c5f404f2a108c5a6bbda0e40551ffd24 Mon Sep 17 00:00:00 2001 -From: Rex Dieter -Date: Tue, 6 Jan 2015 17:39:05 -0600 -Subject: [PATCH 3/3] xdg-open: command injection vulnerability (BR66670) - ---- - ChangeLog | 3 +++ - scripts/xdg-open.in | 4 ++-- - 2 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 735fee7..65df80c 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,5 +1,8 @@ - === xdg-utils 1.1.x === - -+2015-01-06 Rex Dieter -+ * xdg-open: command injection vulnerability (BR66670) -+ - 2015-01-04 Rex Dieter - * xdg-screensaver should control X11's screensaver in xfce as fallback (BR80089) - -diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in -index c12dcdd..b6045f8 100644 ---- a/scripts/xdg-open.in -+++ b/scripts/xdg-open.in -@@ -193,10 +193,10 @@ search_desktop_file() - if [ -x "$command_exec" ] ; then - if echo "$arguments" | grep -iq '%[fFuU]' ; then - echo START "$command_exec" "$arguments_exec" -- eval "$command_exec" "$arguments_exec" -+ eval "'$command_exec'" "'$arguments_exec'" - else - echo START "$command_exec" "$arguments_exec" "$arg" -- eval "$command_exec" "$arguments_exec" "$arg" -+ eval "'$command_exec'" "'$arguments_exec'" "'$arg'" - fi - - if [ $? -eq 0 ]; then --- -2.1.0 - diff --git a/0004-xdg-screensaver-Change-screensaver_freedesktop-s-int.patch b/0004-xdg-screensaver-Change-screensaver_freedesktop-s-int.patch new file mode 100644 index 0000000..e267f98 --- /dev/null +++ b/0004-xdg-screensaver-Change-screensaver_freedesktop-s-int.patch 
@@ -0,0 +1,48 @@ +From 8e9fa9bcc85fd31d4548870aad27c0593f64c433 Mon Sep 17 00:00:00 2001 +From: Rex Dieter +Date: Thu, 15 Jan 2015 10:09:43 -0600 +Subject: [PATCH 4/5] xdg-screensaver: Change screensaver_freedesktop's + interpretation of GetActive (BR29859) + +--- + ChangeLog | 1 + + scripts/xdg-screensaver.in | 8 ++++---- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 3c7b095..fa90e70 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -2,6 +2,7 @@ + + 2015-01-15 Reuben Thomas + * xdg-mime: dereference symlinks when using mimetype or file (BR39923) ++ * xdg-screensaver: Change screensaver_freedesktop's interpretation of GetActive (BR29859) + + 2015-01-05 Rex Dieter + * xdg-open: command injection vulnerability (BR66670) +diff --git a/scripts/xdg-screensaver.in b/scripts/xdg-screensaver.in +index d9cb4d2..579b80e 100644 +--- a/scripts/xdg-screensaver.in ++++ b/scripts/xdg-screensaver.in +@@ -300,13 +300,13 @@ screensaver_freedesktop() + org.freedesktop.ScreenSaver.GetActive \ + | grep boolean | cut -d ' ' -f 5` + result=$? +- if [ x"$status" = "xtrue" ]; then ++ if [ x"$status" = "xtrue" -o x"$status" = "xfalse" ]; then + echo "enabled" +- elif [ x"$status" = "xfalse" ]; then +- echo "disabled" +- else ++ elif [ x"$result" != "x0" ]; then + echo "ERROR: dbus org.freedesktop.ScreenSaver.GetActive returned '$status'" >&2 + return 1 ++ else ++ echo "disabled" + fi + ;; + +-- +2.1.0 + diff --git a/0005-xdg-open-better-fix-for-command-injection-vulnerabil.patch b/0005-xdg-open-better-fix-for-command-injection-vulnerabil.patch new file mode 100644 index 0000000..89339c4 --- /dev/null +++ b/0005-xdg-open-better-fix-for-command-injection-vulnerabil.patch 
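Review bot: The new `elif [ x"$result" != "x0" ]` branch is effectively dead: `result=$?` is taken after the `dbus-send ... | grep boolean | cut ...` command substitution, and in POSIX sh that is the exit status of the last command in the pipeline (`cut`), not of `dbus-send`, so a failed or absent ScreenSaver service leaves `$status` empty with `$result` still 0 and the function reports "disabled" rather than the error. If reporting "disabled" for an unreachable service is the intent of BR29859, record that on the `else` branch, e.g. `# no reply (no fdo screensaver on the bus): treat as disabled`; if not, test the reply itself rather than `$result`, e.g. `elif [ -n "$status" ]; then`, so an unexpected non-empty reply is the error case and an empty one falls through to "disabled". The dbus-send invocation starts before the hunk and screensaver_freedesktop continues after it.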
@@ -0,0 +1,44 @@ +From ab071beaabb62ceda3028dd5efa85e8057c29006 Mon Sep 17 00:00:00 2001 +From: Rex Dieter +Date: Mon, 19 Jan 2015 05:18:57 -0600 +Subject: [PATCH 5/5] xdg-open: better fix for command injection vulnerability + (BR66670) + +--- + ChangeLog | 3 +++ + scripts/xdg-open.in | 4 ++-- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index fa90e70..627df21 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,5 +1,8 @@ + === xdg-utils 1.1.x === + ++2015-01-19 Rex Dieter ++ * xdg-open: better fix for command injection vulnerability (BR66670) ++ + 2015-01-15 Reuben Thomas + * xdg-mime: dereference symlinks when using mimetype or file (BR39923) + * xdg-screensaver: Change screensaver_freedesktop's interpretation of GetActive (BR29859) +diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in +index 9f01747..b6045f8 100644 +--- a/scripts/xdg-open.in ++++ b/scripts/xdg-open.in +@@ -193,10 +193,10 @@ search_desktop_file() + if [ -x "$command_exec" ] ; then + if echo "$arguments" | grep -iq '%[fFuU]' ; then + echo START "$command_exec" "$arguments_exec" +- eval "$command_exec" '$arguments_exec' ++ eval "'$command_exec'" "'$arguments_exec'" + else + echo START "$command_exec" "$arguments_exec" "$arg" +- eval "$command_exec" '$arguments_exec' '$arg' ++ eval "'$command_exec'" "'$arguments_exec'" "'$arg'" + fi + + if [ $? -eq 0 ]; then +-- +2.1.0 + diff --git a/xdg-utils.spec b/xdg-utils.spec index 3d3f627..bb7dc50 100644 --- a/xdg-utils.spec +++ b/xdg-utils.spec @@ -4,7 +4,7 @@ Summary: Basic desktop integration functions Name: xdg-utils Version: 1.1.0 -Release: 0.34.%{pre}%{?dist} +Release: 0.35.%{pre}%{?dist} URL: http://portland.freedesktop.org/ %if 0%{?pre:1} 
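Review bot: `eval "'$command_exec'" "'$arguments_exec'"` (and the three-argument form below it) embeds the expanded values between single quotes in the string eval parses, but nothing escapes a single quote already present in `$arguments_exec` or `$arg`; both derive from the caller-supplied file name or URL, so a `'` in that value closes the quoting and the remainder is parsed as shell syntax again, which is the same class of problem BR66670 describes. Escape before embedding, e.g. `arguments_exec=$(printf '%s' "$arguments_exec" | sed "s/'/'\\\\''/g")` and the same for `arg`, so each embedded quote becomes `'\''`. Wrapping the whole of `$arguments_exec` in one pair of quotes also appears to hand it to the handler as a single argument, which would break Exec lines with more than one token; worth verifying with such a .desktop file. search_desktop_file's body continues outside the hunk.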
@@ -17,8 +17,10 @@ License: MIT ## upstream patches Patch1: 0001-xdg-screensaver-should-control-X11-s-screensaver-in-.patch -Patch2: 0002-nuke-some-extra-quoting.patch -Patch3: 0003-xdg-open-command-injection-vulnerability-BR66670.patch +Patch2: 0002-xdg-open-command-injection-vulnerability-BR66670.patch +Patch3: 0003-xdg-mime-dereference-symlinks-when-using-mimetype-or.patch +Patch4: 0004-xdg-screensaver-Change-screensaver_freedesktop-s-int.patch +Patch5: 0005-xdg-open-better-fix-for-command-injection-vulnerabil.patch # make sure BuildArch comes *after* patches, to ensure %%autosetup works right # http://bugzilla.redhat.com/1084309 @@ -93,6 +95,9 @@ make install DESTDIR=%{buildroot} %changelog +* Mon Jan 19 2015 Rex Dieter 1.1.0-0.35.rc3 +- pull in latest commits, notably more fdo screensaver fixes + * Tue Jan 06 2015 Rex Dieter 1.1.0-0.34.rc3 - refresh for latest attepmt to fix upstream BR66670