| Message ID | 20221208070305.1138128-1-archana.polampalli@windriver.com |
|---|---|
| State | New |
| Headers | show |
| Series | [meta-oe,kirkstone,1/1] xfce4-settings: fix CVE-2022-45062 | expand |
On 2022-12-08 02:03, Polampalli, Archana via lists.openembedded.org wrote: > In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an > argument injection vulnerability in xfce4-mime-helper. > > References: > https://nvd.nist.gov/vuln/detail/CVE-2022-45062 > https://gitlab.xfce.org/xfce/xfce4-settings/-/issues/390 > > Upstream-Status: Backport [https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/f1cb5bdafc6b9c71c541de267cc84a8c2ac32049] > > CVE: CVE-2022-45062 Hi Archana, Please update to: xfce4-settings-4.16.5 as was done on master: commit 83eb9464882752e00746c1da8e3c52f4fc06bbde Author: Kai Kang <kai.kang@windriver.com> Date: Wed Nov 23 01:59:13 2022 xfce4-settings: 4.16.3 -> 4.16.5 It fixes CVE-2022-45062 in xfce4-settings 4.16.5. CVE: CVE-2022-45062 Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> ? $ git tag --contains f1cb5bdafc6b9c71c541de267cc84a8c2ac32049 xfce4-settings-4.16.5 $ git branch -a --contains f1cb5bdafc6b9c71c541de267cc84a8c2ac32049 remotes/origin/xfce-4.16 An update to the latest 4.16.x stable release will pick that commit up: $ git log --oneline xfce4-settings-4.16.2..xfce4-settings-4.16.5 | rg f1cb5 f1cb5bda mime-settings: Properly quote command parameters Also the update seems sensible in that it's only bug fixes and translation updates. $ git log --oneline xfce4-settings-4.16.2..xfce4-settings-4.16.5 83ea11cf (tag: xfce4-settings-4.16.5) Updates for release f1cb5bda mime-settings: Properly quote command parameters f7707d8b Revert "Escape characters which do not belong into an URI/URL (Issue #390)" b532324f Back to development b9729c85 (tag: xfce4-settings-4.16.4) Updates for release 55e3c5fb Escape characters which do not belong into an URI/URL (Issue #390) 7489b73f I18n: Update translation pt (100%). d314651f I18n: Update translation ja (100%). 51a8327d I18n: Update translation ru (100%). 42aa66d0 I18n: Update translation ru (100%). 341443f8 Prefer full command when basic command is env (Fixes #358) 8d4106b3 Back to development 024399b1 (tag: xfce4-settings-4.16.3) Updates for release af601e32 build: Fix intltool lock file problem during make distcheck 0875cfba xfsettingsd: Fix recursive lock in libX11 (Fixes #369) 9195b3bd I18n: Update translation el (98%). bfbe5173 I18n: Update translation el (98%). 222f2d1d I18n: Update translation el (98%). dbfd87e5 I18n: Update translation el (98%). 4e7af67d I18n: Update translation en_GB (100%). 2ddf22e0 I18n: Update translation el (98%). 48e206d2 I18n: Update translation el (98%). 448f39ec I18n: Update translation el (98%). 127feac8 I18n: Update translation el (94%). f82ba7dd I18n: Update translation en_GB (99%). 0654def5 I18n: Update translation en_GB (89%). 8cb73fd5 I18n: Update translation ko (99%). 22d9b99d I18n: Update translation en_CA (96%). f30b6393 I18n: Update translation sv (100%). 2270d3e3 I18n: Update translation sv (100%). 066891c3 I18n: Update translation ko (97%). 08e417b2 I18n: Update translation ro (83%). 5900ff21 I18n: Update translation oc (100%). dd3de2c9 I18n: Update translation oc (93%). b220fdc3 I18n: Update translation et (100%). 842986a0 I18n: Update translation oc (88%). 80aac3e8 I18n: Update translation ms (100%). c9329f00 I18n: Update translation et (99%). 09af4cc7 I18n: Update translation kk (100%). 77bcf8c5 I18n: Update translation id (100%). 1fc2d34a I18n: Update translation hy_AM (99%). d84f3fdc I18n: Update translation pl (100%). 90b8f2e1 I18n: Update translation gl (100%). 4611d543 I18n: Update translation ca (100%). c1ee5b28 I18n: Update translation lt (100%). 33a6052e I18n: Update translation be (100%). a23c5fc5 I18n: Update translation et (98%). 20d866dc Back to development Armin, or anyone else, any concerns? ../Randy > > Signed-off-by: Archana Polampalli<archana.polampalli@windriver.com> > --- > .../xfce4-settings/files/CVE-2022-45062.patch | 58 +++++++++++++++++++ > .../xfce4-settings/xfce4-settings_4.16.2.bb | 3 +- > 2 files changed, 60 insertions(+), 1 deletion(-) > create mode 100644 meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch > > diff --git a/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch > new file mode 100644 > index 000000000..1e999a7c6 > --- /dev/null > +++ b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch > @@ -0,0 +1,58 @@ > +commit f1cb5bdafc6b9c71c541de267cc84a8c2ac32049 > +Author: Gaël Bonithon<gael@xfce.org> > +Date: Sat Nov 12 22:27:36 2022 +0100 > + > + mime-settings: Properly quote command parameters > + > + Fixes: #390 > + MR: !85 > + > +diff --git a/dialogs/mime-settings/xfce-mime-helper.c b/dialogs/mime-settings/xfce-mime-helper.c > +index 7149951f..b2d8e50d 100644 > +--- a/dialogs/mime-settings/xfce-mime-helper.c > ++++ b/dialogs/mime-settings/xfce-mime-helper.c > +@@ -453,8 +453,43 @@ xfce_mime_helper_execute (XfceMimeHelper *helper, > + /* reset the error */ > + g_clear_error (&err); > + > ++ /* prepare the command */ > ++ if (exo_str_is_empty (real_parameter)) > ++ command = g_strdup (commands[n]); > ++ else > ++ { > ++ /* split command into "quoted"/unquoted parts */ > ++ gchar **cmd_parts = g_regex_split_simple ("(\"[^\"]*\")", commands[n], 0, 0); > ++ > ++ /* walk the part array */ > ++ for (gchar **cmd_part = cmd_parts; *cmd_part != NULL; cmd_part++) > ++ { > ++ /* quoted part: unquote it, replace %s and re-quote it properly */ > ++ if (g_str_has_prefix (*cmd_part, "\"") && g_str_has_suffix (*cmd_part, "\"")) > ++ { > ++ gchar *unquoted = g_strndup (*cmd_part + 1, strlen (*cmd_part) - 2); > ++ gchar *filled = exo_str_replace (unquoted, "%s", real_parameter); > ++ gchar *quoted = g_shell_quote (filled); > ++ g_free (filled); > ++ g_free (unquoted); > ++ g_free (*cmd_part); > ++ *cmd_part = quoted; > ++ } > ++ /* unquoted part: just replace %s */ > ++ else > ++ { > ++ gchar *filled = exo_str_replace (*cmd_part, "%s", real_parameter); > ++ g_free (*cmd_part); > ++ *cmd_part = filled; > ++ } > ++ } > ++ > ++ /* join parts to reconstitute the command, filled and quoted */ > ++ command = g_strjoinv (NULL, cmd_parts); > ++ g_strfreev (cmd_parts); > ++ } > ++ > + /* parse the command */ > +- command = !exo_str_is_empty (real_parameter) ? exo_str_replace (commands[n], "%s", real_parameter) : g_strdup (commands[n]); > + succeed = g_shell_parse_argv (command, NULL, &argv, &err); > + g_free (command); > + > diff --git a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb > index aa4265f7b..6757c48f4 100644 > --- a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb > +++ b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb > @@ -8,7 +8,8 @@ inherit xfce features_check mime-xdg > > REQUIRED_DISTRO_FEATURES = "x11" > > -SRC_URI +="file://0001-xsettings.xml-Set-default-themes.patch" > +SRC_URI +="file://0001-xsettings.xml-Set-default-themes.patch \ + > file://CVE-2022-45062.patch" > SRC_URI[sha256sum] = "4dd7cb420860535e687f673c0b5c0274e0d2fb67181281d4b85be9197da03d7e" > > EXTRA_OECONF += "--enable-maintainer-mode --disable-debug" > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#99991):https://lists.openembedded.org/g/openembedded-devel/message/99991 > Mute This Topic:https://lists.openembedded.org/mt/95517736/3616765 > Group Owner:openembedded-devel+owner@lists.openembedded.org > Unsubscribe:https://lists.openembedded.org/g/openembedded-devel/unsub [randy.macleod@windriver.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Will update to xfce4-settings-4.16.5 and will send patch Regards, Archana
diff --git a/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch new file mode 100644 index 000000000..1e999a7c6 --- /dev/null +++ b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch @@ -0,0 +1,58 @@ +commit f1cb5bdafc6b9c71c541de267cc84a8c2ac32049 +Author: Gaël Bonithon <gael@xfce.org> +Date: Sat Nov 12 22:27:36 2022 +0100 + + mime-settings: Properly quote command parameters + + Fixes: #390 + MR: !85 + +diff --git a/dialogs/mime-settings/xfce-mime-helper.c b/dialogs/mime-settings/xfce-mime-helper.c +index 7149951f..b2d8e50d 100644 +--- a/dialogs/mime-settings/xfce-mime-helper.c ++++ b/dialogs/mime-settings/xfce-mime-helper.c +@@ -453,8 +453,43 @@ xfce_mime_helper_execute (XfceMimeHelper *helper, + /* reset the error */ + g_clear_error (&err); + ++ /* prepare the command */ ++ if (exo_str_is_empty (real_parameter)) ++ command = g_strdup (commands[n]); ++ else ++ { ++ /* split command into "quoted"/unquoted parts */ ++ gchar **cmd_parts = g_regex_split_simple ("(\"[^\"]*\")", commands[n], 0, 0); ++ ++ /* walk the part array */ ++ for (gchar **cmd_part = cmd_parts; *cmd_part != NULL; cmd_part++) ++ { ++ /* quoted part: unquote it, replace %s and re-quote it properly */ ++ if (g_str_has_prefix (*cmd_part, "\"") && g_str_has_suffix (*cmd_part, "\"")) ++ { ++ gchar *unquoted = g_strndup (*cmd_part + 1, strlen (*cmd_part) - 2); ++ gchar *filled = exo_str_replace (unquoted, "%s", real_parameter); ++ gchar *quoted = g_shell_quote (filled); ++ g_free (filled); ++ g_free (unquoted); ++ g_free (*cmd_part); ++ *cmd_part = quoted; ++ } ++ /* unquoted part: just replace %s */ ++ else ++ { ++ gchar *filled = exo_str_replace (*cmd_part, "%s", real_parameter); ++ g_free (*cmd_part); ++ *cmd_part = filled; ++ } ++ } ++ ++ /* join parts to reconstitute the command, filled and quoted */ ++ command = g_strjoinv (NULL, cmd_parts); ++ g_strfreev (cmd_parts); ++ } ++ + /* parse the command */ +- command = !exo_str_is_empty (real_parameter) ? exo_str_replace (commands[n], "%s", real_parameter) : g_strdup (commands[n]); + succeed = g_shell_parse_argv (command, NULL, &argv, &err); + g_free (command); + diff --git a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb index aa4265f7b..6757c48f4 100644 --- a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb +++ b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb @@ -8,7 +8,8 @@ inherit xfce features_check mime-xdg REQUIRED_DISTRO_FEATURES = "x11" -SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch" +SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch \ + file://CVE-2022-45062.patch" SRC_URI[sha256sum] = "4dd7cb420860535e687f673c0b5c0274e0d2fb67181281d4b85be9197da03d7e" EXTRA_OECONF += "--enable-maintainer-mode --disable-debug"
In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument injection vulnerability in xfce4-mime-helper. References: https://nvd.nist.gov/vuln/detail/CVE-2022-45062 https://gitlab.xfce.org/xfce/xfce4-settings/-/issues/390 Upstream-Status: Backport [https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/f1cb5bdafc6b9c71c541de267cc84a8c2ac32049] CVE: CVE-2022-45062 Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> --- .../xfce4-settings/files/CVE-2022-45062.patch | 58 +++++++++++++++++++ .../xfce4-settings/xfce4-settings_4.16.2.bb | 3 +- 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch