880257 – (CVE-2022-45062) <xfce-base/xfce4-settings-{4.16.4,4.17.1}: argument injection via xdg-open

Bug 880257 (CVE-2022-45062) - <xfce-base/xfce4-settings-{4.16.4,4.17.1}: argument injection via xdg-open

Summary: <xfce-base/xfce4-settings-{4.16.4,4.17.1}: argument injection via xdg-open

Status:	RESOLVED FIXED

Alias:	CVE-2022-45062

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://gitlab.xfce.org/xfce/xfce4-se...
Whiteboard:	B2 [glsa+]
Keywords:

Depends on:	880255 881163
Blocks:
	Show dependency tree

Reported:	2022-11-07 20:37 UTC by Michał Górny
Modified:	2023-07-04 14:52 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2022-11-07 20:37:48 UTC

From changelog:

> Bugfix release on the 4.16 branch, most notably to closes a
vulnerability in xfce4-mime-helper. The related issue will be disclosed
at some later point.
>
> Changelog:
>
> - Escape characters which do not belong into an URI/URL (Issue #390)

The commit is:

https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/f34a92a84f96268ad24a7a13fd5edc9f1d526110

Comment 1 Larry the Git Cow gentoo-dev

2022-11-08 13:14:59 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd49988c5249ebc0d9ef3e2d230679d032dafb94

commit fd49988c5249ebc0d9ef3e2d230679d032dafb94
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-11-08 13:10:51 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-11-08 13:14:56 +0000

    xfce-base/xfce4-settings: Security cleanup
    
    Bug: https://bugs.gentoo.org/880257
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 xfce-base/xfce4-settings/Manifest                  |  2 -
 .../xfce4-settings/xfce4-settings-4.16.3.ebuild    | 71 ---------------------
 .../xfce4-settings/xfce4-settings-4.17.0.ebuild    | 74 ----------------------
 3 files changed, 147 deletions(-)

Comment 2 John Helmert III archtester

2022-11-08 19:30:15 UTC

Thanks!

Comment 3 John Helmert III archtester

2022-11-08 19:48:33 UTC

Mailed upstream about making the issue public

Comment 4 John Helmert III archtester

2022-11-09 15:34:16 UTC

A CVE has been released, while upstream says they plan to wait a week before disclosure.

Comment 5 Michał Górny archtester

2022-11-13 06:34:37 UTC

Apparently the previous fix has introduced a major regression (it broke handling paths with spaces).  I'm going to stabilize a new/better fix but the version ranges for vulnerable versions can remain the same.

Comment 6 John Helmert III archtester

2022-11-22 16:26:58 UTC

GLSA request filed

Comment 7 Larry the Git Cow gentoo-dev

2023-05-03 09:31:53 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1f9755c1756f9a1b9cf3f200c247a82d5064cc8f

commit 1f9755c1756f9a1b9cf3f200c247a82d5064cc8f
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:14:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:31:46 +0000

    [ GLSA 202305-05 ] xfce4-settings: Browser Argument Injection
    
    Bug: https://bugs.gentoo.org/880257
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-05.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)