Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 880257 (CVE-2022-45062)

Summary: <xfce-base/xfce4-settings-{4.16.4,4.17.1}: argument injection via xdg-open
Product: Gentoo Security Reporter: Michał Górny <mgorny>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: xfce
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://gitlab.xfce.org/xfce/xfce4-settings/-/issues/390
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 880255, 881163    
Bug Blocks:    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-11-07 20:37:48 UTC
From changelog:

> Bugfix release on the 4.16 branch, most notably to closes a
vulnerability in xfce4-mime-helper. The related issue will be disclosed
at some later point.
>
> Changelog:
>
> - Escape characters which do not belong into an URI/URL (Issue #390)

The commit is:

https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/f34a92a84f96268ad24a7a13fd5edc9f1d526110
Comment 1 Larry the Git Cow gentoo-dev 2022-11-08 13:14:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd49988c5249ebc0d9ef3e2d230679d032dafb94

commit fd49988c5249ebc0d9ef3e2d230679d032dafb94
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-11-08 13:10:51 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-11-08 13:14:56 +0000

    xfce-base/xfce4-settings: Security cleanup
    
    Bug: https://bugs.gentoo.org/880257
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 xfce-base/xfce4-settings/Manifest                  |  2 -
 .../xfce4-settings/xfce4-settings-4.16.3.ebuild    | 71 ---------------------
 .../xfce4-settings/xfce4-settings-4.17.0.ebuild    | 74 ----------------------
 3 files changed, 147 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-08 19:30:15 UTC
Thanks!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-08 19:48:33 UTC
Mailed upstream about making the issue public
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-09 15:34:16 UTC
A CVE has been released, while upstream says they plan to wait a week before disclosure.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-11-13 06:34:37 UTC
Apparently the previous fix has introduced a major regression (it broke handling paths with spaces).  I'm going to stabilize a new/better fix but the version ranges for vulnerable versions can remain the same.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 16:26:58 UTC
GLSA request filed
Comment 7 Larry the Git Cow gentoo-dev 2023-05-03 09:31:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1f9755c1756f9a1b9cf3f200c247a82d5064cc8f

commit 1f9755c1756f9a1b9cf3f200c247a82d5064cc8f
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:14:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:31:46 +0000

    [ GLSA 202305-05 ] xfce4-settings: Browser Argument Injection
    
    Bug: https://bugs.gentoo.org/880257
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-05.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)