xdg-utils: Fix CVE-2022-4055

Upstream-Status: Backport from https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780 (From OE-Core rev: fc4eecb6143b2b32a374388248b41c1d95b33968) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-10-05 10:47:11 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-10-18 05:13:24 -1000
commit: 2a2ea5ac7502b0d67c8bce454eb3a8300c101e41 (patch)
tree: bee61da7182c9a8b7019fabd6adde53938051794
parent: de59761cbb0ce740736a381fc579530bb767704c (diff)
download: poky-2a2ea5ac7502b0d67c8bce454eb3a8300c101e41.tar.gz
2 files changed, 166 insertions, 0 deletions
diff --git a/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch
new file mode 100644
index 0000000000..383634ad53
--- /dev/null
+++ b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch
@@ -0,0 +1,165 @@
+From f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780 Mon Sep 17 00:00:00 2001
+From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
+Date: Thu, 25 Aug 2022 23:51:45 +0200
+Subject: [PATCH] Disable special support for Thunderbird in xdg-email (fixes
+ CVE-2020-27748, CVE-2022-4055)
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780]
+CVE: CVE-2022-4055
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ scripts/xdg-email.in | 108 -------------------------------------------
+ 1 file changed, 108 deletions(-)
+diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
+index 13ba2d5..b700679 100644
+--- a/scripts/xdg-email.in
+++ b/scripts/xdg-email.in
+@@ -30,76 +30,8 @@ _USAGE
+ 
+ #@xdg-utils-common@
+ 
+-run_thunderbird()
+-{
+-    local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
+-    THUNDERBIRD="$1"
+-    MAILTO=$(echo "$2" | sed 's/^mailto://')
+-    echo "$MAILTO" | grep -qs "^?"
+-    if [ "$?" = "0" ] ; then
+-        MAILTO=$(echo "$MAILTO" | sed 's/^?//')
+-    else
+-        MAILTO=$(echo "$MAILTO" | sed 's/^/to=/' | sed 's/?/\&/')
+-    fi
+-
+-    MAILTO=$(echo "$MAILTO" | sed 's/&/\n/g')
+-    TO=$(/bin/echo -e $(echo "$MAILTO" | grep '^to=' | sed 's/^to=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+-    CC=$(/bin/echo -e $(echo "$MAILTO" | grep '^cc=' | sed 's/^cc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+-    BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+-    SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
+-    BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
+-
+-    if [ -z "$TO" ] ; then
+-        NEWMAILTO=
+-    else
+-        NEWMAILTO="to='$TO'"
+-    fi
+-    if [ -n "$CC" ] ; then
+-        NEWMAILTO="${NEWMAILTO},cc='$CC'"
+-    fi
+-    if [ -n "$BCC" ] ; then
+-        NEWMAILTO="${NEWMAILTO},bcc='$BCC'"
+-    fi
+-    if [ -n "$SUBJECT" ] ; then
+-        NEWMAILTO="${NEWMAILTO},$SUBJECT"
+-    fi
+-    if [ -n "$BODY" ] ; then
+-        NEWMAILTO="${NEWMAILTO},$BODY"
+-    fi
+-
+-    NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
+-    DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
+-    "$THUNDERBIRD" -compose "$NEWMAILTO"
+-    if [ $? -eq 0 ]; then
+-        exit_success
+-    else
+-        exit_failure_operation_failed
+-    fi
+-}
+-
+ open_kde()
+ {
+-    if [ -n "$KDE_SESSION_VERSION" ] && [ "$KDE_SESSION_VERSION" -ge 5 ]; then
+-        local kreadconfig=kreadconfig$KDE_SESSION_VERSION
+-    else
+-        local kreadconfig=kreadconfig
+-    fi
+-
+-    if which $kreadconfig >/dev/null 2>&1; then
+-        local profile=$($kreadconfig --file emaildefaults \
+-                                     --group Defaults --key Profile)
+-        if [ -n "$profile" ]; then
+-            local client=$($kreadconfig --file emaildefaults \
+-                                        --group "PROFILE_$profile" \
+-                                        --key EmailClient \
+-                                  | cut -d ' ' -f 1)
+-
+-            if echo "$client" | grep -Eq 'thunderbird|icedove'; then
+-                run_thunderbird "$client" "$1"
+-            fi
+-        fi
+-    fi
+-
+     local command
+     case "$KDE_SESSION_VERSION" in
+         '') command=kmailservice ;;
+@@ -130,15 +62,6 @@ open_kde()
+ 
+ open_gnome3()
+ {
+-    local client
+-    local desktop
+-    desktop=`xdg-mime query default "x-scheme-handler/mailto"`
+-    client=`desktop_file_to_binary "$desktop"`
+-    echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+-    if [ $? -eq 0 ] ; then
+-        run_thunderbird "$client" "$1"
+-    fi
+-
+     if gio help open 2>/dev/null 1>&2; then
+         DEBUG 1 "Running gio open \"$1\""
+         gio open "$1"
+@@ -159,13 +82,6 @@ open_gnome3()
+ 
+ open_gnome()
+ {
+-    local client
+-    client=`gconftool-2 --get /desktop/gnome/url-handlers/mailto/command | cut -d ' ' -f 1` || ""
+-    echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+-    if [ $? -eq 0 ] ; then
+-        run_thunderbird "$client" "$1"
+-    fi
+-
+     if gio help open 2>/dev/null 1>&2; then
+         DEBUG 1 "Running gio open \"$1\""
+         gio open "$1"
+@@ -231,15 +147,6 @@ open_flatpak()
+ 
+ open_generic()
+ {
+-    local client
+-    local desktop
+-    desktop=`xdg-mime query default "x-scheme-handler/mailto"`
+-    client=`desktop_file_to_binary "$desktop"`
+-    echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+-    if [ $? -eq 0 ] ; then
+-        run_thunderbird "$client" "$1"
+-    fi
+-
+     xdg-open "$1"
+     local ret=$?
+ 
+@@ -364,21 +271,6 @@ while [ $# -gt 0 ] ; do
+         shift
+         ;;
+ 
+-      --attach)
+-        if [ -z "$1" ] ; then
+-            exit_failure_syntax "file argument missing for --attach option"
+-        fi
+-        check_input_file "$1"
+-        file=`readlink -f "$1"` # Normalize path
+-        if [ -z "$file" ] || [ ! -f "$file" ] ; then
+-            exit_failure_file_missing "file '$1' does not exist"
+-        fi
+-
+-        url_encode "$file"
+-        options="${options}attach=${result}&"
+-        shift
+-        ;;
+-
+       -*)
+         exit_failure_syntax "unexpected option '$parm'"
+         ;;
+-- 
+2.25.1
diff --git a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
index 73acf6b744..4d93180535 100644
--- a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
+++ b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
@@ -21,6 +21,7 @@ SRC_URI = "https://portland.freedesktop.org/download/${BPN}-${PV}.tar.gz \
           file://0001-Reinstate-xdg-terminal.patch \
           file://0001-Don-t-build-the-in-script-manual.patch \
           file://1f199813e0eb0246f63b54e9e154970e609575af.patch \
+           file://CVE-2022-4055.patch \
          "
 SRC_URI[md5sum] = "902042508b626027a3709d105f0b63ff"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-10-05 10:47:11 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-10-18 05:13:24 -1000
commit	2a2ea5ac7502b0d67c8bce454eb3a8300c101e41 (patch)
tree	bee61da7182c9a8b7019fabd6adde53938051794
parent	de59761cbb0ce740736a381fc579530bb767704c (diff)
download	poky-2a2ea5ac7502b0d67c8bce454eb3a8300c101e41.tar.gz

diff --git a/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch new file mode 100644 index 0000000000..383634ad53 --- /dev/null +++ b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch
@@ -0,0 +1,165 @@
		1	From f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780 Mon Sep 17 00:00:00 2001
		2	From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
		3	Date: Thu, 25 Aug 2022 23:51:45 +0200
		4	Subject: [PATCH] Disable special support for Thunderbird in xdg-email (fixes
		5	CVE-2020-27748, CVE-2022-4055)
		6
		7	Upstream-Status: Backport [https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780]
		8	CVE: CVE-2022-4055
		9	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		10	---
		11	scripts/xdg-email.in \| 108 -------------------------------------------
		12	1 file changed, 108 deletions(-)
		13
		14	diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
		15	index 13ba2d5..b700679 100644
		16	--- a/scripts/xdg-email.in
		17	+++ b/scripts/xdg-email.in
		18	@@ -30,76 +30,8 @@ _USAGE
		19
		20	#@xdg-utils-common@
		21
		22	-run_thunderbird()
		23	-{
		24	- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
		25	- THUNDERBIRD="$1"
		26	- MAILTO=$(echo "$2" \| sed 's/^mailto://')
		27	- echo "$MAILTO" \| grep -qs "^?"
		28	- if [ "$?" = "0" ] ; then
		29	- MAILTO=$(echo "$MAILTO" \| sed 's/^?//')
		30	- else
		31	- MAILTO=$(echo "$MAILTO" \| sed 's/^/to=/' \| sed 's/?/\&/')
		32	- fi
		33	-
		34	- MAILTO=$(echo "$MAILTO" \| sed 's/&/\n/g')
		35	- TO=$(/bin/echo -e $(echo "$MAILTO" \| grep '^to=' \| sed 's/^to=//;s/%\(..\)/\\x\1/g' \| awk '{ printf "%s,",$0 }'))
		36	- CC=$(/bin/echo -e $(echo "$MAILTO" \| grep '^cc=' \| sed 's/^cc=//;s/%\(..\)/\\x\1/g' \| awk '{ printf "%s,",$0 }'))
		37	- BCC=$(/bin/echo -e $(echo "$MAILTO" \| grep '^bcc=' \| sed 's/^bcc=//;s/%\(..\)/\\x\1/g' \| awk '{ printf "%s,",$0 }'))
		38	- SUBJECT=$(echo "$MAILTO" \| grep '^subject=' \| tail -n 1)
		39	- BODY=$(echo "$MAILTO" \| grep '^body=' \| tail -n 1)
		40	-
		41	- if [ -z "$TO" ] ; then
		42	- NEWMAILTO=
		43	- else
		44	- NEWMAILTO="to='$TO'"
		45	- fi
		46	- if [ -n "$CC" ] ; then
		47	- NEWMAILTO="${NEWMAILTO},cc='$CC'"
		48	- fi
		49	- if [ -n "$BCC" ] ; then
		50	- NEWMAILTO="${NEWMAILTO},bcc='$BCC'"
		51	- fi
		52	- if [ -n "$SUBJECT" ] ; then
		53	- NEWMAILTO="${NEWMAILTO},$SUBJECT"
		54	- fi
		55	- if [ -n "$BODY" ] ; then
		56	- NEWMAILTO="${NEWMAILTO},$BODY"
		57	- fi
		58	-
		59	- NEWMAILTO=$(echo "$NEWMAILTO" \| sed 's/^,//')
		60	- DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
		61	- "$THUNDERBIRD" -compose "$NEWMAILTO"
		62	- if [ $? -eq 0 ]; then
		63	- exit_success
		64	- else
		65	- exit_failure_operation_failed
		66	- fi
		67	-}
		68	-
		69	open_kde()
		70	{
		71	- if [ -n "$KDE_SESSION_VERSION" ] && [ "$KDE_SESSION_VERSION" -ge 5 ]; then
		72	- local kreadconfig=kreadconfig$KDE_SESSION_VERSION
		73	- else
		74	- local kreadconfig=kreadconfig
		75	- fi
		76	-
		77	- if which $kreadconfig >/dev/null 2>&1; then
		78	- local profile=$($kreadconfig --file emaildefaults \
		79	- --group Defaults --key Profile)
		80	- if [ -n "$profile" ]; then
		81	- local client=$($kreadconfig --file emaildefaults \
		82	- --group "PROFILE_$profile" \
		83	- --key EmailClient \
		84	- \| cut -d ' ' -f 1)
		85	-
		86	- if echo "$client" \| grep -Eq 'thunderbird\|icedove'; then
		87	- run_thunderbird "$client" "$1"
		88	- fi
		89	- fi
		90	- fi
		91	-
		92	local command
		93	case "$KDE_SESSION_VERSION" in
		94	'') command=kmailservice ;;
		95	@@ -130,15 +62,6 @@ open_kde()
		96
		97	open_gnome3()
		98	{
		99	- local client
		100	- local desktop
		101	- desktop=`xdg-mime query default "x-scheme-handler/mailto"`
		102	- client=`desktop_file_to_binary "$desktop"`
		103	- echo $client \| grep -E 'thunderbird\|icedove' > /dev/null 2>&1
		104	- if [ $? -eq 0 ] ; then
		105	- run_thunderbird "$client" "$1"
		106	- fi
		107	-
		108	if gio help open 2>/dev/null 1>&2; then
		109	DEBUG 1 "Running gio open \"$1\""
		110	gio open "$1"
		111	@@ -159,13 +82,6 @@ open_gnome3()
		112
		113	open_gnome()
		114	{
		115	- local client
		116	- client=`gconftool-2 --get /desktop/gnome/url-handlers/mailto/command \| cut -d ' ' -f 1` \|\| ""
		117	- echo $client \| grep -E 'thunderbird\|icedove' > /dev/null 2>&1
		118	- if [ $? -eq 0 ] ; then
		119	- run_thunderbird "$client" "$1"
		120	- fi
		121	-
		122	if gio help open 2>/dev/null 1>&2; then
		123	DEBUG 1 "Running gio open \"$1\""
		124	gio open "$1"
		125	@@ -231,15 +147,6 @@ open_flatpak()
		126
		127	open_generic()
		128	{
		129	- local client
		130	- local desktop
		131	- desktop=`xdg-mime query default "x-scheme-handler/mailto"`
		132	- client=`desktop_file_to_binary "$desktop"`
		133	- echo $client \| grep -E 'thunderbird\|icedove' > /dev/null 2>&1
		134	- if [ $? -eq 0 ] ; then
		135	- run_thunderbird "$client" "$1"
		136	- fi
		137	-
		138	xdg-open "$1"
		139	local ret=$?
		140
		141	@@ -364,21 +271,6 @@ while [ $# -gt 0 ] ; do
		142	shift
		143	;;
		144
		145	- --attach)
		146	- if [ -z "$1" ] ; then
		147	- exit_failure_syntax "file argument missing for --attach option"
		148	- fi
		149	- check_input_file "$1"
		150	- file=`readlink -f "$1"` # Normalize path
		151	- if [ -z "$file" ] \|\| [ ! -f "$file" ] ; then
		152	- exit_failure_file_missing "file '$1' does not exist"
		153	- fi
		154	-
		155	- url_encode "$file"
		156	- options="${options}attach=${result}&"
		157	- shift
		158	- ;;
		159	-
		160	-*)
		161	exit_failure_syntax "unexpected option '$parm'"
		162	;;
		163	--
		164	2.25.1
		165


diff --git a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb index 73acf6b744..4d93180535 100644 --- a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb +++ b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
@@ -21,6 +21,7 @@ SRC_URI = "https://portland.freedesktop.org/download/${BPN}-${PV}.tar.gz \
21	file://0001-Reinstate-xdg-terminal.patch \	21	file://0001-Reinstate-xdg-terminal.patch \
22	file://0001-Don-t-build-the-in-script-manual.patch \	22	file://0001-Don-t-build-the-in-script-manual.patch \
23	file://1f199813e0eb0246f63b54e9e154970e609575af.patch \	23	file://1f199813e0eb0246f63b54e9e154970e609575af.patch \
		24	file://CVE-2022-4055.patch \
24	"	25	"
25		26
26	SRC_URI[md5sum] = "902042508b626027a3709d105f0b63ff"	27	SRC_URI[md5sum] = "902042508b626027a3709d105f0b63ff"