Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 880257 (CVE-2022-45062) - <xfce-base/xfce4-settings-{4.16.4,4.17.1}: argument injection via xdg-open
Summary: <xfce-base/xfce4-settings-{4.16.4,4.17.1}: argument injection via xdg-open
Status: IN_PROGRESS
Alias: CVE-2022-45062
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://gitlab.xfce.org/xfce/xfce4-se...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 880255 881163
Blocks:
  Show dependency tree
 
Reported: 2022-11-07 20:37 UTC by Michał Górny
Modified: 2022-11-22 16:26 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-11-07 20:37:48 UTC
From changelog:

> Bugfix release on the 4.16 branch, most notably to closes a
vulnerability in xfce4-mime-helper. The related issue will be disclosed
at some later point.
>
> Changelog:
>
> - Escape characters which do not belong into an URI/URL (Issue #390)

The commit is:

https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/f34a92a84f96268ad24a7a13fd5edc9f1d526110
Comment 1 Larry the Git Cow gentoo-dev 2022-11-08 13:14:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd49988c5249ebc0d9ef3e2d230679d032dafb94

commit fd49988c5249ebc0d9ef3e2d230679d032dafb94
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-11-08 13:10:51 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-11-08 13:14:56 +0000

    xfce-base/xfce4-settings: Security cleanup
    
    Bug: https://bugs.gentoo.org/880257
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 xfce-base/xfce4-settings/Manifest                  |  2 -
 .../xfce4-settings/xfce4-settings-4.16.3.ebuild    | 71 ---------------------
 .../xfce4-settings/xfce4-settings-4.17.0.ebuild    | 74 ----------------------
 3 files changed, 147 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-08 19:30:15 UTC
Thanks!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-08 19:48:33 UTC
Mailed upstream about making the issue public
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-09 15:34:16 UTC
A CVE has been released, while upstream says they plan to wait a week before disclosure.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-11-13 06:34:37 UTC
Apparently the previous fix has introduced a major regression (it broke handling paths with spaces).  I'm going to stabilize a new/better fix but the version ranges for vulnerable versions can remain the same.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 16:26:58 UTC
GLSA request filed