Description: "When called with a regular file as command line argument, Thunar would delegate to some other program without user confirmation based on the file type. This could be exploited to trigger code execution in a chain of vulnerabilities. This is fixed in 4.16.7 and 4.17.2. When called with a regular file, Thunar now opens the containing directory and selects the file. A CVE ID has been requested. Reference: https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b Note: the fix introduced a regression which is fixed in 4.16.8 and 4.17.3. https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664 Gabriel"
Can we stable 4.16.8 (or, unlikely, 4.17.3)?
Sure, let's do it.
x86 done
amd64 done
arm done
ppc done
ppc64 done
arm64 done
all arches done
Please clean up.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a44a5e315a6bd08d50edf26134b8b38e880557ad

commit a44a5e315a6bd08d50edf26134b8b38e880557ad
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-05-13 19:24:39 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-05-13 19:31:40 +0000

xfce-base/thunar: Remove old

Bug: https://bugs.gentoo.org/789396
Signed-off-by: Michał Górny <mgorny@gentoo.org>

xfce-base/thunar/Manifest             |  4 --
xfce-base/thunar/thunar-4.16.6.ebuild | 76 -----------------------------------
xfce-base/thunar/thunar-4.16.7.ebuild | 76 -----------------------------------
xfce-base/thunar/thunar-4.17.1.ebuild | 76 -----------------------------------
xfce-base/thunar/thunar-4.17.2.ebuild | 76 -----------------------------------
5 files changed, 308 deletions(-)
Unable to check for sanity: > no match for package: xfce-base/thunar-4.16.8
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=250c9b32b3a14eab714b691afb47b9c52cb12946

commit 250c9b32b3a14eab714b691afb47b9c52cb12946
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-18 10:48:22 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-18 10:48:43 +0000

[ GLSA 202402-20 ] Thunar: Arbitrary Code Execution

Bug: https://bugs.gentoo.org/789396
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: Hans de Graaff <graaff@gentoo.org>

glsa-202402-20.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)