From 3a1380ea28cc751bd6ed55505a106b29e2a27c14 Mon Sep 17 00:00:00 2001
From: wangzhe
Date: Fri, 16 May 2025 00:19:51 +0800
Subject: [PATCH] [CVE] fix for CVE-2022-4055 to #IC85TU

fix for CVE-2022-4055
Project: TC2024080204
Signed-off-by: wangzhe
---
 xdg-utils-1.1.3-CVE-2022-4055.patch | 228 ++++++++++++++++++++++++++++
 xdg-utils.spec | 10 +-
 2 files changed, 237 insertions(+), 1 deletion(-)
 create mode 100644 xdg-utils-1.1.3-CVE-2022-4055.patch

diff --git a/xdg-utils-1.1.3-CVE-2022-4055.patch b/xdg-utils-1.1.3-CVE-2022-4055.patch
new file mode 100644
index 0000000..a75b572
--- /dev/null
+++ b/xdg-utils-1.1.3-CVE-2022-4055.patch
@@ -0,0 +1,228 @@
+From 1efb5f2fa49fb5e4e138d2b2531a6e7e180845c2 Mon Sep 17 00:00:00 2001
+From: Gabriel Corona
+Date: Thu, 25 Aug 2022 23:51:45 +0200
+Subject: [PATCH 1/2] Disable special support for Thunderbird in xdg-email
+ (fixes CVE-2020-27748, CVE-2022-4055)
+
+---
+ scripts/xdg-email.in | 113 -------------------------------------------
+ 1 file changed, 113 deletions(-)
+
+diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
+index 3614776..b700679 100644
+--- a/scripts/xdg-email.in
++++ b/scripts/xdg-email.in
+@@ -30,81 +30,8 @@ _USAGE
+ 
+ #@xdg-utils-common@
+ 
+-run_thunderbird()
+-{
+- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH
+- THUNDERBIRD="$1"
+- MAILTO=$(echo "$2" | sed 's/^mailto://')
+- echo "$MAILTO" | grep -qs "^?"
+- if [ "$?" = "0" ] ; then
+- MAILTO=$(echo "$MAILTO" | sed 's/^?//')
+- else
+- MAILTO=$(echo "$MAILTO" | sed 's/^/to=/' | sed 's/?/\&/')
+- fi
+- 
+- MAILTO=$(echo "$MAILTO" | sed 's/&/\n/g')
+- TO=$(/bin/echo -e $(echo "$MAILTO" | grep '^to=' | sed 's/^to=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+- CC=$(/bin/echo -e $(echo "$MAILTO" | grep '^cc=' | sed 's/^cc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+- BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+- SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
+- BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
+- ATTACH=$(/bin/echo -e $(echo "$MAILTO" | grep '^attach=' | sed 's/^attach=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }' | sed 's/,$//'))
+- 
+- if [ -z "$TO" ] ; then
+- NEWMAILTO=
+- else
+- NEWMAILTO="to='$TO'"
+- fi
+- if [ -n "$CC" ] ; then
+- NEWMAILTO="${NEWMAILTO},cc='$CC'"
+- fi
+- if [ -n "$BCC" ] ; then
+- NEWMAILTO="${NEWMAILTO},bcc='$BCC'"
+- fi
+- if [ -n "$SUBJECT" ] ; then
+- NEWMAILTO="${NEWMAILTO},$SUBJECT"
+- fi
+- if [ -n "$BODY" ] ; then
+- NEWMAILTO="${NEWMAILTO},$BODY"
+- fi
+- 
+- if [ -n "$ATTACH" ] ; then
+- NEWMAILTO="${NEWMAILTO},attachment='${ATTACH}'"
+- fi
+- 
+- NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
+- DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
+- "$THUNDERBIRD" -compose "$NEWMAILTO"
+- if [ $? -eq 0 ]; then
+- exit_success
+- else
+- exit_failure_operation_failed
+- fi
+-}
+- 
+ open_kde()
+ {
+- if [ -n "$KDE_SESSION_VERSION" ] && [ "$KDE_SESSION_VERSION" -ge 5 ]; then
+- local kreadconfig=kreadconfig$KDE_SESSION_VERSION
+- else
+- local kreadconfig=kreadconfig
+- fi
+- 
+- if which $kreadconfig >/dev/null 2>&1; then
+- local profile=$($kreadconfig --file emaildefaults \
+- --group Defaults --key Profile)
+- if [ -n "$profile" ]; then
+- local client=$($kreadconfig --file emaildefaults \
+- --group "PROFILE_$profile" \
+- --key EmailClient \
+- | cut -d ' ' -f 1)
+- 
+- if echo "$client" | grep -Eq 'thunderbird|icedove'; then
+- run_thunderbird "$client" "$1"
+- fi
+- fi
+- fi
+- 
+ local command
+ case "$KDE_SESSION_VERSION" in
+ '') command=kmailservice ;;
+@@ -135,15 +62,6 @@ open_kde()
+ 
+ open_gnome3()
+ {
+- local client
+- local desktop
+- desktop=`xdg-mime query default "x-scheme-handler/mailto"`
+- client=`desktop_file_to_binary "$desktop"`
+- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+- if [ $? -eq 0 ] ; then
+- run_thunderbird "$client" "$1"
+- fi
+- 
+ if gio help open 2>/dev/null 1>&2; then
+ DEBUG 1 "Running gio open \"$1\""
+ gio open "$1"
+@@ -164,13 +82,6 @@ open_gnome3()
+ 
+ open_gnome()
+ {
+- local client
+- client=`gconftool-2 --get /desktop/gnome/url-handlers/mailto/command | cut -d ' ' -f 1` || ""
+- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+- if [ $? -eq 0 ] ; then
+- run_thunderbird "$client" "$1"
+- fi
+- 
+ if gio help open 2>/dev/null 1>&2; then
+ DEBUG 1 "Running gio open \"$1\""
+ gio open "$1"
+@@ -236,15 +147,6 @@ open_flatpak()
+ 
+ open_generic()
+ {
+- local client
+- local desktop
+- desktop=`xdg-mime query default "x-scheme-handler/mailto"`
+- client=`desktop_file_to_binary "$desktop"`
+- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+- if [ $? -eq 0 ] ; then
+- run_thunderbird "$client" "$1"
+- fi
+- 
+ xdg-open "$1"
+ local ret=$?
+ 
+@@ -369,21 +271,6 @@ while [ $# -gt 0 ] ; do
+ shift
+ ;;
+ 
+- --attach)
+- if [ -z "$1" ] ; then
+- exit_failure_syntax "file argument missing for --attach option"
+- fi
+- check_input_file "$1"
+- file=`readlink -f "$1"` # Normalize path
+- if [ -z "$file" ] || [ ! -f "$file" ] ; then
+- exit_failure_file_missing "file '$1' does not exist"
+- fi
+- 
+- url_encode "$file"
+- options="${options}attach=${result}&"
+- shift
+- ;;
+- 
+ -*)
+ exit_failure_syntax "unexpected option '$parm'"
+ ;;
+-- 
+2.49.0
+
+
+From 01a5c1b1a3372d0d6bc35e280800aad51fbbc383 Mon Sep 17 00:00:00 2001
+From: David King
+Date: Tue, 13 May 2025 11:01:35 +0100
+Subject: [PATCH 2/2] Remove attach option from documentation
+
+---
+ scripts/desc/xdg-email.xml | 23 -----------------------
+ 1 file changed, 23 deletions(-)
+
+diff --git a/scripts/desc/xdg-email.xml b/scripts/desc/xdg-email.xml
+index 3abea2a..84cbe35 100644
+--- a/scripts/desc/xdg-email.xml
++++ b/scripts/desc/xdg-email.xml
+@@ -41,7 +41,6 @@
+ address
+ text
+ text
+- file
+ 
+ mailto-uri
+ address(es)
+@@ -136,20 +135,6 @@
+ 
+ 
+ 
+- 
+- file
+- 
+- 
+- Specify an attachment for the e-mail. file
+- must point to an existing file.
+- 
+- 
+- Some e-mail applications require the file to remain present
+- after xdg-email returns.
+- 
+- 
+- 
+- 
+ 
+ 
+ 
+@@ -271,14 +256,6 @@ xdg-email 'Jeremy White <jwhite@example.com>'
+ 
+ 
+ 
+-xdg-email --attach /tmp/logo.png \
+- --subject 'Logo contest' \
+- --body 'Attached you find the logo for the contest.' \
+- 'jwhite@example.com'
+- 
+- 
+- 
+- 
+ xdg-email --subject 'Your password is about to expire' \
+ 'jwhite@example.com' 'bastian@example.com' 'whipple@example.com'
+ 
+-- 
+2.49.0
+
diff --git a/xdg-utils.spec b/xdg-utils.spec
index 37309d9..ce43fc2 100644
--- a/xdg-utils.spec
+++ b/xdg-utils.spec
@@ -2,7 +2,7 @@
 Summary: Basic desktop integration functions
 Name: xdg-utils
 Version: 1.1.3
-Release: 11%{?dist}
+Release: 13%{?dist}
 URL: http://portland.freedesktop.org/
 
 %if 0%{?snap:1}
@@ -17,6 +17,8 @@
 License: MIT
 # upstream patches
 Patch0: xdg-utils-1.1.3-upstream-fixes.patch
+# https://issues.redhat.com/browse/RHEL-87487
+Patch1: xdg-utils-1.1.3-CVE-2022-4055.patch
 
 # make sure BuildArch comes *after* patches, to ensure %%autosetup works right
 # http://bugzilla.redhat.com/1084309
@@ -92,6 +94,12 @@
 make install DESTDIR=%{buildroot}
 
 %changelog
+* Tue May 13 2025 David King - 1.1.3-13
+- Update documentation for CVE-2022-4055 (RHEL-87487)
+
+* Fri May 09 2025 David King - 1.1.3-12
+- Fix CVE-2022-4055 (RHEL-87487)
+
 * Tue Nov 23 2021 David King - 1.1.3-11
 - Pull in upstream fixes (#1881372)
-- 
Gitee
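Review bot: The usage heredoc that ends at the `_USAGE` context marker just above nested hunk `@@ -30,81 +30,8 @@` is left untouched while hunk `@@ -369,21 +271,6 @@` drops the `--attach)` arm, so a caller passing `--attach` now falls through to `-*) exit_failure_syntax "unexpected option '$parm'"` while the script's own help text may still list the option. Patch 2/2 only edits scripts/desc/xdg-email.xml; unless the usage block in xdg-email.in is regenerated from that xml at build time, the shipped script advertises an option it rejects, which I can only infer here because the usage block sits outside the hunk. Separately, the nested subject credits both CVE-2020-27748 and CVE-2022-4055, whereas the outer commit message and the new %changelog entries name only CVE-2022-4055; amending the 1.1.3-12 entry to `- Fix CVE-2022-4055 and CVE-2020-27748 (RHEL-87487)` keeps the package metadata searchable for both ids.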