rpms/xdg-utils/devel xdg-utils-1.0.2-CVE-2008-0386.patch, NONE, 1.1 .cvsignore, 1.8, 1.9 xdg-utils.spec, 1.15, 1.16

Lubomir Kundrak (lkundrak) fedora-extras-commits at redhat.com
Fri Jan 25 14:20:31 UTC 2008


Author: lkundrak

Update of /cvs/pkgs/rpms/xdg-utils/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv3871/devel

Modified Files:
	.cvsignore xdg-utils.spec 
Added Files:
	xdg-utils-1.0.2-CVE-2008-0386.patch 
Log Message:
Fix #429513: CVE-2008-0386 xdg-open allows to execute arbitrary commands


xdg-utils-1.0.2-CVE-2008-0386.patch:

--- NEW FILE xdg-utils-1.0.2-CVE-2008-0386.patch ---
Fix for #429513: CVE-2008-0386 xdg-open allows to execute arbitrary commands

From upstream:
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open.in?r1=1.17&r2=1.18
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?r1=1.32&r2=1.33
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email.in?r1=1.24&r2=1.25
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email?r1=1.36&r2=1.37

diff -urp xdg-utils-1.0.2.orig/scripts/xdg-email xdg-utils-1.0.2/scripts/xdg-email
--- xdg-utils-1.0.2.orig/scripts/xdg-email	2007-06-24 21:58:04.000000000 +0200
+++ xdg-utils-1.0.2/scripts/xdg-email	2008-01-25 15:17:51.000000000 +0100
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #---------------------------------------------
 #   xdg-email
 #
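Review bot: the interpreter change from `/bin/sh` to `/bin/bash` is not cosmetic; it is required by the `${browser//'%s'/"$1"}` substitution introduced in the `open_generic()` hunk below, which is a bash extension and is a syntax error under a POSIX `sh` such as dash. Worth stating that dependency in the patch header so the shebang change is not reverted later as noise, and worth checking that nothing else in the script relied on being run by a non-bash `sh`.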
@@ -435,7 +435,8 @@ open_generic()
     for browser in $BROWSER; do
         if [ x"$browser" != x"" ]; then
 
-            browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
+            IFS=' '
+            browser_with_arg=${browser//'%s'/"$1"}
 
             if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
             else $browser_with_arg;
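Review bot: `IFS=' '` is assigned inside the loop body and never restored, so it stays in effect for every later iteration and for the remainder of the script; since `open_generic()` is a function and the script is now bash, `local IFS=' '` at the top of the function, or saving and restoring the previous value, would keep the change scoped. It also changes the word splitting of the unquoted `$browser_with_arg` on the next line: with IFS reduced to a single space, tabs and newlines inside a `$BROWSER` entry no longer separate words, and that unquoted expansion is still subject to pathname expansion, so glob characters in `$1` would be matched against the current directory unless `set -f` is in effect. The replacement itself is the right direction: the old `sed s#%s#"$1"#` embedded the URL in a sed script, where characters that are sed syntax (such as `#`) were interpreted as script rather than as part of the URL, whereas the parameter expansion treats `"$1"` purely as literal replacement text.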
diff -urp xdg-utils-1.0.2.orig/scripts/xdg-open xdg-utils-1.0.2/scripts/xdg-open
--- xdg-utils-1.0.2.orig/scripts/xdg-open	2008-01-25 15:16:43.000000000 +0100
+++ xdg-utils-1.0.2/scripts/xdg-open	2008-01-25 15:17:54.000000000 +0100
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #---------------------------------------------
 #   xdg-open
 #
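Review bot: same point as the xdg-email header hunk: `/bin/bash` is needed because the `${browser//'%s'/"$1"}` expansion in the `open_generic()` hunk below is bash-only, so the two scripts' interpreter lines should stay in sync and the reason should be recorded in the patch header.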
@@ -371,7 +371,8 @@ open_generic()
     for browser in $BROWSER; do
         if [ x"$browser" != x"" ]; then
 
-            browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
+            IFS=' '
+            browser_with_arg=${browser//'%s'/"$1"}
 
             if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
             else $browser_with_arg;
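Review bot: `IFS=' '` is set inside the loop and never restored, exactly as in the xdg-email hunk above, so it leaks into later iterations and the rest of the script; `local IFS=' '` at the start of `open_generic()` or a save/restore would contain it. The unquoted `$browser_with_arg` on the following line is also still subject to pathname expansion on glob characters in `$1` and, with IFS now a single space, is no longer split on tabs or newlines. The move from `sed s#%s#"$1"#` to `${browser//'%s'/"$1"}` is the correct fix, since the sed form interpreted sed syntax characters in the URL as script text rather than as literal data.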


Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/xdg-utils/devel/.cvsignore,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- .cvsignore	25 Jun 2007 03:24:08 -0000	1.8
+++ .cvsignore	25 Jan 2008 14:19:51 -0000	1.9
@@ -1,5 +1 @@
-clog
-xdg-utils-1.0rc1.tgz
-xdg-utils-1.0.tgz
-xdg-utils-1.0.1.tgz
 xdg-utils-1.0.2.tgz


Index: xdg-utils.spec
===================================================================
RCS file: /cvs/pkgs/rpms/xdg-utils/devel/xdg-utils.spec,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- xdg-utils.spec	18 Jan 2008 15:04:48 -0000	1.15
+++ xdg-utils.spec	25 Jan 2008 14:19:51 -0000	1.16
@@ -2,7 +2,7 @@
 Summary: Basic desktop integration functions 
 Name:    xdg-utils
 Version: 1.0.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 
 URL:     http://portland.freedesktop.org/ 
 Source0: http://portland.freedesktop.org/download/xdg-utils-%{version}%{?beta}.tgz
@@ -14,6 +14,7 @@
 Patch1: xdg-utils-1.0.2-mimeopen.patch
 Patch2: xdg-utils-1.0.1-typo.patch
 Patch3: xdg-utils-1.0.1-htmlview.patch
+Patch4: xdg-utils-1.0.2-CVE-2008-0386.patch
 
 Requires: coreutils
 Requires: desktop-file-utils
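Review bot: Patch4 changes both scripts' interpreter to `/bin/bash`, so confirm the built package carries the `/bin/bash` dependency; rpm's automatic dependency generation normally derives it from the shebang line, so an explicit `Requires: bash` is only needed if that generation is disabled for this package.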
@@ -57,6 +58,7 @@
 %patch1 -p1 -b .mimeopen
 %patch2 -p1 -b .typo
 %patch3 -p1 -b .htmlview
+%patch4 -p1 -b .CVE-2008-0386
 
 
 %build
@@ -83,6 +85,9 @@
 
 
 %changelog
+* Fri Jan 25 2008 Lubomir Kundrak <lkundrak at redhat.com> 1.0.2-4
+- Fix for CVE-2008-0386 (#429513)
+
 * Fri Jan 18 2008 Rex Dieter <rdieter[AT]fedoraproject.org> 1.0.2-3
 - fix mimeopen support (#429280)
 - spec cosmetics: cleanup macro usage



