authorPeter Volkov <pva@gentoo.org>2008-01-26 09:30:33 +0000
committerPeter Volkov <pva@gentoo.org>2008-01-26 09:30:33 +0000
commita96e56a49107e4899ca43694d70a5767f7d00aa3 (patch)
treebc3aa830c41c4265dc12a37e7be1008fc405c7bc /x11-misc
parentMask media-sound/gini for removal, open security bug and uncomplete ebuild. (diff)
Security commit straight to stable, fixed xdg-open/email URL arbitrary command execution (CVE-2008-0386), bug #207331.
Package-Manager: portage-2.1.3.19 RepoMan-Options: --force
Diffstat (limited to 'x11-misc')
-rw-r--r--x11-misc/xdg-utils/ChangeLog11
-rw-r--r--x11-misc/xdg-utils/Manifest29
-rw-r--r--x11-misc/xdg-utils/files/digest-xdg-utils-1.0.2-r13
-rw-r--r--x11-misc/xdg-utils/files/xdg-utils-1.0.2-arb-comm-exec.patch46
-rw-r--r--x11-misc/xdg-utils/xdg-utils-1.0.2-r1.ebuild33
5 files changed, 106 insertions, 16 deletions
diff --git a/x11-misc/xdg-utils/ChangeLog b/x11-misc/xdg-utils/ChangeLog
index e7e83ddf5609..c6ac382e958c 100644
--- a/x11-misc/xdg-utils/ChangeLog
+++ b/x11-misc/xdg-utils/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for x11-misc/xdg-utils
-# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/x11-misc/xdg-utils/ChangeLog,v 1.41 2007/11/06 16:35:34 armin76 Exp $
+# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/x11-misc/xdg-utils/ChangeLog,v 1.42 2008/01/26 09:30:33 pva Exp $
+
+*xdg-utils-1.0.2-r1 (26 Jan 2008)
+
+ 26 Jan 2008; <pva@gentoo.org> +files/xdg-utils-1.0.2-arb-comm-exec.patch,
+ +xdg-utils-1.0.2-r1.ebuild:
+ Security commit straight to stable, fixed xdg-open/email URL arbitrary
+ command execution (CVE-2008-0386), bug #207331.
06 Nov 2007; Raúl Porcel <armin76@gentoo.org> xdg-utils-1.0.2.ebuild:
sparc stable wrt #193339
diff --git a/x11-misc/xdg-utils/Manifest b/x11-misc/xdg-utils/Manifest
index b2795f1fde39..962ac59c7d53 100644
--- a/x11-misc/xdg-utils/Manifest
+++ b/x11-misc/xdg-utils/Manifest
@@ -1,20 +1,25 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
+AUX xdg-utils-1.0.2-arb-comm-exec.patch 1529 RMD160 ebac9959e142b2cec088e58b7ce81e8bc714aeef SHA1 9bac70b8fe02ba0def6114c9339a99dcfcd25538 SHA256 f921450acf0158848e82a19a46bc2c9158f4b13cb1ef0c24dd5553253492792d
+MD5 a5cf18356e418c9d0ac066c9380cec8b files/xdg-utils-1.0.2-arb-comm-exec.patch 1529
+RMD160 ebac9959e142b2cec088e58b7ce81e8bc714aeef files/xdg-utils-1.0.2-arb-comm-exec.patch 1529
+SHA256 f921450acf0158848e82a19a46bc2c9158f4b13cb1ef0c24dd5553253492792d files/xdg-utils-1.0.2-arb-comm-exec.patch 1529
DIST xdg-utils-1.0.1.tgz 282352 RMD160 3b68ab28ca8c34443772b168d9decf60c2d68a73 SHA1 722ce0e26edce37c66f7ef6585795d13fc5fbd7c SHA256 6bef5ad6558938c9d14af1fd11b93f80477a0e5f6a0ca1a194c6b70a1254be2a
DIST xdg-utils-1.0.2.tgz 282262 RMD160 344482917e8c780613ec20b103f8e51322540c04 SHA1 e41a04cbf9ff8d743397a2bc23c6ca82e8b59d2c SHA256 21aeb7d16b2529b8d3975118f59eec09953e09f9a68d718159e98c90474b01ac
EBUILD xdg-utils-1.0.1.ebuild 755 RMD160 7372fb0f408fcdab0289389582abeede8eda0f1f SHA1 4351e0d38fe35bbd24dfea8713292c1b9847aafc SHA256 5fb17c289cff4da239e92aafe4ea6a70e1fae2d2ad967b2b7422ea9d2bb82346
MD5 9c00e4d29be4984d90ea889d0ffd06b0 xdg-utils-1.0.1.ebuild 755
RMD160 7372fb0f408fcdab0289389582abeede8eda0f1f xdg-utils-1.0.1.ebuild 755
SHA256 5fb17c289cff4da239e92aafe4ea6a70e1fae2d2ad967b2b7422ea9d2bb82346 xdg-utils-1.0.1.ebuild 755
+EBUILD xdg-utils-1.0.2-r1.ebuild 927 RMD160 3363319c9a6d79c4a4f7d8d46e97f23580f4e202 SHA1 1d04f1b7c492ed69c7f33f72984462b95243cb28 SHA256 574d95436013cca547b3ab8b54f2f7b9f9155673b25a1b4cf0962224e2d4cba6
+MD5 9189205bbfbd14cae12b5d5752ef6d64 xdg-utils-1.0.2-r1.ebuild 927
+RMD160 3363319c9a6d79c4a4f7d8d46e97f23580f4e202 xdg-utils-1.0.2-r1.ebuild 927
+SHA256 574d95436013cca547b3ab8b54f2f7b9f9155673b25a1b4cf0962224e2d4cba6 xdg-utils-1.0.2-r1.ebuild 927
EBUILD xdg-utils-1.0.2.ebuild 799 RMD160 6ac147eb9744987157897669ed505dae4631ed5b SHA1 82455838a4ece93e15f17b982b2ea6ddd6552db8 SHA256 f2ff413e3326cb95b0726a64b43b827bf39a7b21cdd5cd4283469b910cb7810e
MD5 5a4a57521aceb7a45fdb1944b4781156 xdg-utils-1.0.2.ebuild 799
RMD160 6ac147eb9744987157897669ed505dae4631ed5b xdg-utils-1.0.2.ebuild 799
SHA256 f2ff413e3326cb95b0726a64b43b827bf39a7b21cdd5cd4283469b910cb7810e xdg-utils-1.0.2.ebuild 799
-MISC ChangeLog 5003 RMD160 a2799f0c8bda49b2121f83939b5e8b24bdf2ffba SHA1 32461b58a8d71edbbe9ef28228d000746f575049 SHA256 f3d02ef72dcc560dead3de71d76e6853c1313b4bda8b9aa79b456f64ab93010e
-MD5 8528bb9629b11a93fd9a6235260d8edd ChangeLog 5003
-RMD160 a2799f0c8bda49b2121f83939b5e8b24bdf2ffba ChangeLog 5003
-SHA256 f3d02ef72dcc560dead3de71d76e6853c1313b4bda8b9aa79b456f64ab93010e ChangeLog 5003
+MISC ChangeLog 5264 RMD160 555c19ae56c7219e8b0fb1f67ed47de2393398bf SHA1 0dab065a262c80a9e58e346f74f87b184798a27b SHA256 7a356ba1be68382c25a5f661ccb8d136393a51f9e9987bc977f911af201c37c3
+MD5 8194db00373fe84b7b373e96cd76f685 ChangeLog 5264
+RMD160 555c19ae56c7219e8b0fb1f67ed47de2393398bf ChangeLog 5264
+SHA256 7a356ba1be68382c25a5f661ccb8d136393a51f9e9987bc977f911af201c37c3 ChangeLog 5264
MISC metadata.xml 234 RMD160 bd496dac30573bf707591b2b2ad497860e5aa029 SHA1 4641c1e70e35e944e7019aeae967deb1d2c28186 SHA256 3018e3b31ed690a57bfc14e35699dd20ea3b352fc28b918f699e6955b57a2d97
MD5 8ea528c241b480ab53256eb332821871 metadata.xml 234
RMD160 bd496dac30573bf707591b2b2ad497860e5aa029 metadata.xml 234
@@ -25,10 +30,6 @@ SHA256 4b8ca10fad64a44a57245f6503f05d7b092e21ee439987e6224ec277a0e85902 files/di
MD5 7fdae56cc730b32cc6f97c496ce5d7a3 files/digest-xdg-utils-1.0.2 238
RMD160 060cf1258d1fec0fc6058fc1464818a692e76009 files/digest-xdg-utils-1.0.2 238
SHA256 e119792e90f848fadd9bea9b41309c4cf8fab3f90ae2f0908d2810a2d3cab98d files/digest-xdg-utils-1.0.2 238
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.7 (GNU/Linux)
-
-iD8DBQFHXm1ip/wUKkr7RBoRApb7AJ9AxAt9qQwBEFw9JWXZMlYZjohckQCfcToj
-kd0eqJiCw3rOl3hJHDMs8Fw=
-=bZbq
------END PGP SIGNATURE-----
+MD5 7fdae56cc730b32cc6f97c496ce5d7a3 files/digest-xdg-utils-1.0.2-r1 238
+RMD160 060cf1258d1fec0fc6058fc1464818a692e76009 files/digest-xdg-utils-1.0.2-r1 238
+SHA256 e119792e90f848fadd9bea9b41309c4cf8fab3f90ae2f0908d2810a2d3cab98d files/digest-xdg-utils-1.0.2-r1 238
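Review bot: The regenerated Manifest is no longer OpenPGP-clearsigned. The first hunk removes the `-----BEGIN PGP SIGNED MESSAGE-----` header and this hunk removes the whole signature block, with no new signature added. The checksums for the new security patch and the new ebuild are therefore not covered by a developer signature. The Manifest should be re-signed after regeneration; presumably the signature was lost because the commit was pushed with `RepoMan-Options: --force`, which is worth confirming.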
diff --git a/x11-misc/xdg-utils/files/digest-xdg-utils-1.0.2-r1 b/x11-misc/xdg-utils/files/digest-xdg-utils-1.0.2-r1
new file mode 100644
index 000000000000..f6212469f2cc
--- /dev/null
+++ b/x11-misc/xdg-utils/files/digest-xdg-utils-1.0.2-r1
@@ -0,0 +1,3 @@
+MD5 348a5b91dc66426505022c74a64b2940 xdg-utils-1.0.2.tgz 282262
+RMD160 344482917e8c780613ec20b103f8e51322540c04 xdg-utils-1.0.2.tgz 282262
+SHA256 21aeb7d16b2529b8d3975118f59eec09953e09f9a68d718159e98c90474b01ac xdg-utils-1.0.2.tgz 282262
diff --git a/x11-misc/xdg-utils/files/xdg-utils-1.0.2-arb-comm-exec.patch b/x11-misc/xdg-utils/files/xdg-utils-1.0.2-arb-comm-exec.patch
new file mode 100644
index 000000000000..f3e0ed65c7be
--- /dev/null
+++ b/x11-misc/xdg-utils/files/xdg-utils-1.0.2-arb-comm-exec.patch
@@ -0,0 +1,46 @@
+Miroslav Lichvar discovered that xdg-open allows for arbitrary command
+execution in case the URL can not be handled by KDE, GNOME, XFCE or
+mimeopen.
+
+https://bugs.gentoo.org/show_bug.cgi?id=207331
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-0386
+
+http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?r1=1.32&r2=1.33&view=patch
+http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email?r1=1.36&r2=1.37&view=patch
+
+--- xdg-open 2008/01/18 15:00:38 1.32
++++ xdg-open 2008/01/24 20:24:51 1.33
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ #---------------------------------------------
+ # xdg-open
+ #
+@@ -382,7 +382,8 @@
+ for browser in $BROWSER; do
+ if [ x"$browser" != x"" ]; then
+
+- browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
++ IFS=' '
++ browser_with_arg=${browser//'%s'/"$1"}
+
+ if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
+ else $browser_with_arg;
+--- xdg-email 2006/11/21 20:29:55 1.36
++++ xdg-email 2008/01/24 20:24:50 1.37
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ #---------------------------------------------
+ # xdg-email
+ #
+@@ -435,7 +435,8 @@
+ for browser in $BROWSER; do
+ if [ x"$browser" != x"" ]; then
+
+- browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
++ IFS=' '
++ browser_with_arg=${browser//'%s'/"$1"}
+
+ if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
+ else $browser_with_arg;
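Review bot: The fallback branch still runs the substituted string unquoted (`else $browser_with_arg;`), in both the xdg-open and the xdg-email hunk. After `IFS=' '`, a URL containing a space is split into extra arguments for the browser, and `?`, `*` or `[` in the URL still go through pathname expansion. The new substitution removes the `sed` step, but the URL should also reach the browser as exactly one argument. One way is to split only the `$BROWSER` entry into words, substitute `%s` per word, and execute the resulting array, as sketched below. `IFS` is also left at `' '` for the rest of the script, and the enclosing `for`/`if` continues outside the hunk, so whether later code depends on the default `IFS` cannot be checked from here.

```shell
# … unchanged: for browser in $BROWSER; do / empty-entry check …
IFS=' '
browser_with_arg=${browser//'%s'/"$1"}   # kept only for the "no %s present" test
browser_argv=()
set -f                                   # do not glob while splitting the template
for word in $browser; do
    word=${word//'%s'/"$1"}
    browser_argv+=("$word")              # the URL stays inside a single argument
done
set +f

if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
else "${browser_argv[@]}";
# … unchanged: rest of the loop body …
```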
diff --git a/x11-misc/xdg-utils/xdg-utils-1.0.2-r1.ebuild b/x11-misc/xdg-utils/xdg-utils-1.0.2-r1.ebuild
new file mode 100644
index 000000000000..6b792f42dc11
--- /dev/null
+++ b/x11-misc/xdg-utils/xdg-utils-1.0.2-r1.ebuild
@@ -0,0 +1,33 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/x11-misc/xdg-utils/xdg-utils-1.0.2-r1.ebuild,v 1.1 2008/01/26 09:30:33 pva Exp $
+
+inherit eutils
+
+DESCRIPTION="Portland utils for cross-platform/cross-toolkit/cross-desktop interoperability"
+HOMEPAGE="http://portland.freedesktop.org/wiki/Portland"
+SRC_URI="http://portland.freedesktop.org/download/${P}.tgz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
+IUSE="doc"
+
+RESTRICT="test"
+
+RDEPEND="x11-apps/xprop"
+DEPEND="app-shells/bash"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"/scripts
+
+ epatch "${FILESDIR}"/${P}-arb-comm-exec.patch
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die "emake install failed."
+ dodoc ChangeLog README RELEASE_NOTES TODO
+ newdoc scripts/README README.scripts
+ use doc && dohtml -r scripts/html
+}
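Review bot: `DEPEND="app-shells/bash"` declares bash for build time only, but the patch applied in `src_unpack` changes both scripts to `#!/bin/bash` and adds the bash-only `${browser//'%s'/"$1"}` substitution. The installed scripts therefore need bash at run time, and the ebuild should say so with `RDEPEND="x11-apps/xprop app-shells/bash"`. A smaller point: `cd "${S}"/scripts` has no `|| die`, so a failed directory change would only show up indirectly when `epatch` runs.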