From changelog: > Bugfix release on the 4.16 branch, most notably to closes a vulnerability in xfce4-mime-helper. The related issue will be disclosed at some later point. > > Changelog: > > - Escape characters which do not belong into an URI/URL (Issue #390) The commit is: https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/f34a92a84f96268ad24a7a13fd5edc9f1d526110
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd49988c5249ebc0d9ef3e2d230679d032dafb94 commit fd49988c5249ebc0d9ef3e2d230679d032dafb94 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2022-11-08 13:10:51 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2022-11-08 13:14:56 +0000 xfce-base/xfce4-settings: Security cleanup Bug: https://bugs.gentoo.org/880257 Signed-off-by: Michał Górny <mgorny@gentoo.org> xfce-base/xfce4-settings/Manifest | 2 - .../xfce4-settings/xfce4-settings-4.16.3.ebuild | 71 --------------------- .../xfce4-settings/xfce4-settings-4.17.0.ebuild | 74 ---------------------- 3 files changed, 147 deletions(-)
Thanks!
Mailed upstream about making the issue public
A CVE has been released, while upstream says they plan to wait a week before disclosure.
Apparently the previous fix has introduced a major regression (it broke handling paths with spaces). I'm going to stabilize a new/better fix but the version ranges for vulnerable versions can remain the same.
GLSA request filed