From 6ab57ffd4cbfeb4dda8e43451c4cd09d8e61f328 Mon Sep 17 00:00:00 2001
From: dwl301
Date: Thu, 10 Nov 2022 14:57:29 +0800
Subject: [PATCH] fix CVE-2022-45062
---
fix_CVE-2022-45062.patch | 71 ++++++++++++++++++++++++++++++++++++++++
xfce4-settings.spec | 7 +++-
2 files changed, 77 insertions(+), 1 deletion(-)
create mode 100644 fix_CVE-2022-45062.patch
diff --git a/fix_CVE-2022-45062.patch b/fix_CVE-2022-45062.patch
new file mode 100644
index 0000000..8ca3444
--- /dev/null
+++ b/fix_CVE-2022-45062.patch
@@ -0,0 +1,71 @@
+diff -up xfce4-settings-4.16.0/dialogs/mime-settings/xfce-mime-helper.c.BAK xfce4-settings-4.16.0/dialogs/mime-settings/xfce-mime-helper.c
+--- xfce4-settings-4.16.0/dialogs/mime-settings/xfce-mime-helper.c.BAK 2022-11-10 14:46:34.496823705 +0800
++++ xfce4-settings-4.16.0/dialogs/mime-settings/xfce-mime-helper.c 2022-11-10 14:51:50.390633576 +0800
+@@ -375,7 +375,7 @@ xfce_mime_helper_execute (XfceMimeHelper
+ gint status;
+ gint result;
+ gint pid;
+- const gchar *real_parameter = parameter;
++ gchar *real_parameter = NULL;
+ 
+ // FIXME: startup-notification
+ 
+@@ -387,23 +387,44 @@ xfce_mime_helper_execute (XfceMimeHelper
+ if (G_UNLIKELY (screen == NULL))
+ screen = gdk_screen_get_default ();
+ 
+- /* strip the mailto part if needed */
+- if (real_parameter != NULL && g_str_has_prefix (real_parameter, "mailto:"))
+- real_parameter = parameter + 7;
++ if (parameter != NULL)
++ {
++ if (helper->category == XFCE_MIME_HELPER_WEBBROWSER || helper->category == XFCE_MIME_HELPER_FILEMANAGER)
++ {
++ /* escape characters which do not belong into an URI/URL */
++ real_parameter = g_uri_escape_string (parameter, ":/?#[]@!$&'()*+,;=%", TRUE);
++ }
++ else if (g_str_has_prefix (real_parameter, "mailto:"))
++ {
++ /* strip the mailto part if needed */
++ real_parameter = g_strdup (parameter + 7);
++ }
++ else
++ {
++ real_parameter = g_strdup (parameter);
++ }
++ }
+ 
+ /* determine the command set to use */
+- if (exo_str_is_flag (real_parameter)) {
++ if (exo_str_is_flag (real_parameter))
++ {
+ commands = helper->commands_with_flag;
+- } else if (exo_str_is_empty (real_parameter)) {
++ }
++ else if (exo_str_is_empty (real_parameter))
++ {
+ commands = helper->commands;
+- } else {
++ }
++ else
++ {
+ commands = helper->commands_with_parameter;
+ }
+ 
++
+ /* verify that we have atleast one command */
+ if (G_UNLIKELY (*commands == NULL))
+ {
+ g_set_error (error, G_SPAWN_ERROR, G_SPAWN_ERROR_INVAL, _("No command specified"));
++ g_free (real_parameter);
+ return FALSE;
+ }
+ 
+@@ -493,6 +514,7 @@ xfce_mime_helper_execute (XfceMimeHelper
+ if (G_UNLIKELY (!succeed))
+ g_propagate_error (error, err);
+ 
++ g_free (real_parameter);
+ return succeed;
+ }
+ 
diff --git a/xfce4-settings.spec b/xfce4-settings.spec
index aa247ad..1d800b6 100644
--- a/xfce4-settings.spec
+++ b/xfce4-settings.spec
@@ -2,7 +2,7 @@
 Name: xfce4-settings
 Version: 4.16.0
-Release: 1
+Release: 2
 Summary: Settings Manager for Xfce
 License: GPLv2+
@@ -10,6 +10,7 @@ URL: http://www.xfce.org/
 Source0: http://archive.xfce.org/src/xfce/%{name}/%{xfceversion}/%{name}-%{version}.tar.bz2
 # theme and font settings
 Patch10: xfce4-settings-4.14.patch
+Patch11: fix_CVE-2022-45062.patch
 BuildRequires: make
 BuildRequires: gcc-c++
@@ -35,6 +36,7 @@ This package includes the settings manager applications for the Xfce desktop.
 %prep
 %setup -q
 %patch10
+%patch11 -p1
 %build
@@ -77,6 +79,9 @@ done
 %{_datadir}/xfce4/helpers/*.desktop
 %changelog
+* Thu Nov 10 2022 Wenlong Ding - 4.16.0-2
+- Fix CVE-2022-45062
+
 * Fri Jun 18 2021 zhanglin - 4.16.0-1
 - Update to 4.16.0
-- 
Gitee
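Review bot: In the second hunk of the new fix_CVE-2022-45062.patch, the mail branch tests `else if (g_str_has_prefix (real_parameter, "mailto:"))`, but real_parameter is initialised to NULL in the first hunk and is only assigned inside the branches, so this test always sees NULL: g_str_has_prefix rejects a NULL string with a critical and returns FALSE, the branch is dead, and a `mailto:` parameter falls through to the plain g_strdup with its prefix intact. The test should look at the incoming argument instead, `else if (g_str_has_prefix (parameter, "mailto:"))`, which is what the removed code effectively checked, since real_parameter used to alias parameter. Now that real_parameter is heap-owned, any other early return in xfce_mime_helper_execute between the "No command specified" path and the final `return succeed` (not shown here) would leak it; the two added g_free calls cover only the paths visible in these hunks. The g_uri_escape_string allow-list also leaves `$`, `&`, `'`, `(`, `)`, `*` and `;` unescaped for the browser/file-manager categories, and the mail-reader category is not escaped at all, so whether this closes the injection depends on how real_parameter is spliced into the helper command further down, which is outside the hunk and worth diffing against the upstream fix for CVE-2022-45062. xfce_mime_helper_execute begins before the first hunk and its body continues between and after them.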