author | Peter Volkov <pva@gentoo.org> | 2008-01-26 09:30:33 +0000 |
---|---|---|
committer | Peter Volkov <pva@gentoo.org> | 2008-01-26 09:30:33 +0000 |
commit | ff693a32188609f5d4bed907d4eacef21731e53b (patch) | |
tree | bc9875d7668ac372f2518c7e12de880ef93f0d3b /x11-misc | |
parent | Mask media-sound/gini for removal, open security bug and uncomplete ebuild. (diff) | |
Security commit straight to stable, fixed xdg-open/email URL arbitrary command execution (CVE-2008-0386), bug #207331.
(Portage version: 2.1.3.19, RepoMan options: --force)
Diffstat (limited to 'x11-misc')
-rw-r--r-- | x11-misc/xdg-utils/ChangeLog | 11 | ||||
-rw-r--r-- | x11-misc/xdg-utils/files/digest-xdg-utils-1.0.2-r1 | 3 | ||||
-rw-r--r-- | x11-misc/xdg-utils/files/xdg-utils-1.0.2-arb-comm-exec.patch | 46 | ||||
-rw-r--r-- | x11-misc/xdg-utils/xdg-utils-1.0.2-r1.ebuild | 33 |
4 files changed, 91 insertions, 2 deletions
diff --git a/x11-misc/xdg-utils/ChangeLog b/x11-misc/xdg-utils/ChangeLog
index e7e83ddf5609..c6ac382e958c 100644
--- a/x11-misc/xdg-utils/ChangeLog
+++ b/x11-misc/xdg-utils/ChangeLog
@@ -1,6 +1,13 @@ # ChangeLog for x11-misc/xdg-utils -# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/x11-misc/xdg-utils/ChangeLog,v 1.41 2007/11/06 16:35:34 armin76 Exp $ +# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/x11-misc/xdg-utils/ChangeLog,v 1.42 2008/01/26 09:30:33 pva Exp $ + +*xdg-utils-1.0.2-r1 (26 Jan 2008) + + 26 Jan 2008; <pva@gentoo.org> +files/xdg-utils-1.0.2-arb-comm-exec.patch, + +xdg-utils-1.0.2-r1.ebuild: + Security commit straight to stable, fixed xdg-open/email URL arbitrary + command execution (CVE-2008-0386), bug #207331. 06 Nov 2007; Raúl Porcel <armin76@gentoo.org> xdg-utils-1.0.2.ebuild: sparc stable wrt #193339
diff --git a/x11-misc/xdg-utils/files/digest-xdg-utils-1.0.2-r1 b/x11-misc/xdg-utils/files/digest-xdg-utils-1.0.2-r1
new file mode 100644
index 000000000000..f6212469f2cc
--- /dev/null
+++ b/x11-misc/xdg-utils/files/digest-xdg-utils-1.0.2-r1
@@ -0,0 +1,3 @@
+MD5 348a5b91dc66426505022c74a64b2940 xdg-utils-1.0.2.tgz 282262
+RMD160 344482917e8c780613ec20b103f8e51322540c04 xdg-utils-1.0.2.tgz 282262
+SHA256 21aeb7d16b2529b8d3975118f59eec09953e09f9a68d718159e98c90474b01ac xdg-utils-1.0.2.tgz 282262
diff --git a/x11-misc/xdg-utils/files/xdg-utils-1.0.2-arb-comm-exec.patch b/x11-misc/xdg-utils/files/xdg-utils-1.0.2-arb-comm-exec.patch
new file mode 100644
index 000000000000..f3e0ed65c7be
--- /dev/null
+++ b/x11-misc/xdg-utils/files/xdg-utils-1.0.2-arb-comm-exec.patch
@@ -0,0 +1,46 @@
+Miroslav Lichvar discovered that xdg-open allows for arbitrary command
+execution in case the URL can not be handled by KDE, GNOME, XFCE or
+mimeopen.
+
+https://bugs.gentoo.org/show_bug.cgi?id=207331
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-0386
+
+http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?r1=1.32&r2=1.33&view=patch
+http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email?r1=1.36&r2=1.37&view=patch
+
+--- xdg-open 2008/01/18 15:00:38 1.32
++++ xdg-open 2008/01/24 20:24:51 1.33
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ #---------------------------------------------
+ # xdg-open
+ #
+@@ -382,7 +382,8 @@
+ for browser in $BROWSER; do
+ if [ x"$browser" != x"" ]; then
+ 
+- browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
++ IFS=' '
++ browser_with_arg=${browser//'%s'/"$1"}
+ 
+ if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
+ else $browser_with_arg;
+--- xdg-email 2006/11/21 20:29:55 1.36
++++ xdg-email 2008/01/24 20:24:50 1.37
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ #---------------------------------------------
+ # xdg-email
+ #
+@@ -435,7 +435,8 @@
+ for browser in $BROWSER; do
+ if [ x"$browser" != x"" ]; then
+ 
+- browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
++ IFS=' '
++ browser_with_arg=${browser//'%s'/"$1"}
+ 
+ if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
+ else $browser_with_arg;
diff --git a/x11-misc/xdg-utils/xdg-utils-1.0.2-r1.ebuild b/x11-misc/xdg-utils/xdg-utils-1.0.2-r1.ebuild
new file mode 100644
index 000000000000..6b792f42dc11
--- /dev/null
+++ b/x11-misc/xdg-utils/xdg-utils-1.0.2-r1.ebuild
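Review bot: The `IFS=' '` added in the xdg-open hunk at `@@ -382,7 +382,8 @@` (and identically in the xdg-email hunk at `@@ -435,7 +435,8 @@`) is assigned inside the browser loop and never restored, so every word split from that point on — the rest of the loop body and whatever follows it in the script — splits on spaces only, no longer on tabs or newlines. The assignment only needs to cover the unquoted `$browser_with_arg` expansion a few lines below, so bracket just that call: `old_ifs=$IFS; IFS=' '` before the `if`, `IFS=$old_ifs` after it. That unquoted expansion also still undergoes pathname expansion after field splitting, so a URL word containing `*` or `?` could be rewritten if it happens to match a file in the current directory; a `set -f` around the same call (restored with `set +f`) closes that. The enclosing for loop and the function it belongs to begin and end outside the hunk, so where the saved IFS should be restored on early exits is not visible here.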
@@ -0,0 +1,33 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/x11-misc/xdg-utils/xdg-utils-1.0.2-r1.ebuild,v 1.1 2008/01/26 09:30:33 pva Exp $
+
+inherit eutils
+
+DESCRIPTION="Portland utils for cross-platform/cross-toolkit/cross-desktop interoperability"
+HOMEPAGE="http://portland.freedesktop.org/wiki/Portland"
+SRC_URI="http://portland.freedesktop.org/download/${P}.tgz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
+IUSE="doc"
+
+RESTRICT="test"
+
+RDEPEND="x11-apps/xprop"
+DEPEND="app-shells/bash"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"/scripts
+
+ epatch "${FILESDIR}"/${P}-arb-comm-exec.patch
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die "emake install failed."
+ dodoc ChangeLog README RELEASE_NOTES TODO
+ newdoc scripts/README README.scripts
+ use doc && dohtml -r scripts/html
+}
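Review bot: `DEPEND="app-shells/bash"` declares bash as a build-time dependency only, but the patch applied in src_unpack changes the installed scripts' shebang to `#!/bin/bash`, which is a runtime need; it belongs next to xprop, e.g. `RDEPEND="x11-apps/xprop app-shells/bash"` and `DEPEND="${RDEPEND}"`. Bash is part of the system set on Gentoo so this will not bite in practice, but the variable should still document why the package needs it. `cd "${S}"/scripts` in src_unpack is unchecked, so if it failed the following `epatch` would run in `${WORKDIR}` and fail with a less useful message; `cd "${S}"/scripts || die` is the usual guard.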