Hi all,if anyone is available, please review my proposed change to xdg-utils to fix several flaws in Debian squeeze's xdg-open script, including CVE-2014-9622, CVE-2015-1877.
As the change backports some functionality from Debian jessie's xdg-open script, I'd appreciate if people tested this package version under LXDE(!). If LXDE is the running desktop session, then the code in open_generic() et al. (which has been changed/backported) gets into action (on Debian squeeze; with later versions of xdg-utils, LXDE is a support/known environment).
The .debdiff is attached. The .dsc file (source package) can be obtained from [1]. Thanks! Mike[1] http://packages.it-zukunft-schule.de/debian/pool/main/x/xdg-utils/xdg-utils_1.0.2+cvs20100307-2+deb6u1.dsc
-- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunweaver@debian.org, http://sunweavers.net
diff -Nru xdg-utils-1.0.2+cvs20100307/debian/changelog xdg-utils-1.0.2+cvs20100307/debian/changelog
--- xdg-utils-1.0.2+cvs20100307/debian/changelog 2010-09-15 13:06:42.000000000 +0200
+++ xdg-utils-1.0.2+cvs20100307/debian/changelog 2015-04-22 16:29:28.000000000 +0200
@@ -1,3 +1,18 @@
+xdg-utils (1.0.2+cvs20100307-2+deb6u1) squeeze-lts; urgency=medium
+
+ * Non-maintainer upload by Debian LTS Team.
+ * debian/patches:
+ + Add backport-jessie-open-generic-xdg-mime-function.diff.
+ Backport open_generic(), open_generic_xdg_x_scheme_handler(),
+ open_generic_xdg_file_mime() and open_generic_xdg_mime() functions
+ from xdg-utils 1.1.0~rc1+git20111210-7.4 (as found in Debian 8.0).
+ Closes: #777722, #773085, #654863, #652067.
+ Fixes: CVE-2014-9622, CVE-2015-1877.
+ + Drop run-mailcap-decode.diff. Included in patch file
+ backport-jessie-open-generic-xdg-mime-function.diff.
+
+ -- Mike Gabriel <sunweaver@debian.org> Wed, 22 Apr 2015 14:50:36 +0200
+
xdg-utils (1.0.2+cvs20100307-2) unstable; urgency=low
* Add patch xdg-email-mawk-support.diff: Fix bug in awk script
diff -Nru xdg-utils-1.0.2+cvs20100307/debian/patches/backport-jessie-open-generic-xdg-mime-function.diff xdg-utils-1.0.2+cvs20100307/debian/patches/backport-jessie-open-generic-xdg-mime-function.diff
--- xdg-utils-1.0.2+cvs20100307/debian/patches/backport-jessie-open-generic-xdg-mime-function.diff 1970-01-01 01:00:00.000000000 +0100
+++ xdg-utils-1.0.2+cvs20100307/debian/patches/backport-jessie-open-generic-xdg-mime-function.diff 2015-04-22 16:55:53.000000000 +0200
@@ -0,0 +1,142 @@
+Author: Maintainers of xdg-utils in Debian jessie
+Description: Backport open_generic() and related functions to Debian squeeze (LTS)
+Abstract:
+ The code has been take from xdg-utils in Debian 8.0 (1.1.0~rc1+git20111210-7.4.
+
+--- a/scripts/xdg-open
++++ b/scripts/xdg-open
+@@ -380,7 +380,8 @@
+
+ open_generic_xdg_mime()
+ {
+- filetype=`xdg-mime query filetype "$1" | sed "s/;.*//"`
++ target="$1"
++ filetype="$2"
+ default=`xdg-mime query default "$filetype"`
+ if [ -n "$default" ] ; then
+ xdg_user_dir="$XDG_DATA_HOME"
+@@ -389,13 +390,46 @@
+ xdg_system_dirs="$XDG_DATA_DIRS"
+ [ -n "$xdg_system_dirs" ] || xdg_system_dirs=/usr/local/share/:/usr/share/
+
++DEBUG 3 "$xdg_user_dir:$xdg_system_dirs"
+ for x in `echo "$xdg_user_dir:$xdg_system_dirs" | sed 's/:/ /g'`; do
+- file="$x/applications/$default"
+- if [ -r "$file" ] ; then
+- command="`grep -E "^Exec(\[[^]=]*])?=" "$file" | cut -d= -f 2- | first_word`"
+- command_exec=`which $command 2>/dev/null`
++ local desktop_file
++ # look for both vendor-app.desktop, vendor/app.desktop
++ if [ -r "$x/applications/$default" ]; then
++ desktop_file="$x/applications/$default"
++ elif [ -r "$x/applications/`echo $default | sed -e 's|-|/|'`" ]; then
++ desktop_file="$x/applications/`echo $default | sed -e 's|-|/|'`"
++ fi
++
++ if [ -r "$desktop_file" ] ; then
++ set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$desktop_file")
++ command_exec="$(which "$1" 2> /dev/null)"
+ if [ -x "$command_exec" ] ; then
+- $command_exec $1
++ shift
++ # We need to replace any occurrence of "%f", "%F" and
++ # the like by the target file. We examine each
++ # argument and append the modified argument to the
++ # end then shift.
++ args=$#
++ replaced=0
++ while [ $args -gt 0 ]; do
++ case $1 in
++ %[fFuU])
++ replaced=1
++ arg="$target"
++ shift
++ set -- "$@" "$arg"
++ ;;
++ *)
++ arg="$1"
++ shift
++ set -- "$@" "$arg"
++ ;;
++ esac
++ args=$(( $args - 1 ))
++ done
++ [ $replaced -eq 1 ] || set -- "$@" "$target"
++ "$command_exec" "$@"
++
+ if [ $? -eq 0 ]; then
+ exit_success
+ fi
+@@ -405,20 +439,50 @@
+ fi
+ }
+
++open_generic_xdg_file_mime()
++{
++ filetype=`xdg-mime query filetype "$1" | sed "s/;.*//"`
++ open_generic_xdg_mime "$1" "$filetype"
++}
++
++open_generic_xdg_x_scheme_handler()
++{
++ scheme="`echo $1 | sed -n 's/\(^[[:alnum:]+\.-]*\):.*$/\1/p'`"
++ if [ -n $scheme ]; then
++ filetype="x-scheme-handler/$scheme"
++ open_generic_xdg_mime "$1" "$filetype"
++ fi
++}
++
+ open_generic()
+ {
+ # Paths or file:// URLs
+ if (echo "$1" | grep -q '^file://' ||
+- ! echo "$1" | egrep -q '^[a-zA-Z+\.\-]+:'); then
++ ! echo "$1" | egrep -q '^[[:alpha:]+\.\-]+:'); then
+
+- local file=$(echo "$1" | sed 's%^file://%%')
++ local file="$1"
+
+ # Decode URLs
+- # TODO
+-
++ if echo "$file" | grep -q '^file:///'; then
++ file=${file#file://}
++ local printf=printf
++ if [ -x /usr/bin/printf ]; then
++ printf=/usr/bin/printf
++ fi
++ file="$($printf "$(echo "$file" | sed -e 's@%\([a-f0-9A-F]\{2\}\)@\\x\1@g')")"
++ fi
+ check_input_file "$file"
+
+- open_generic_xdg_mime "$file"
++ if [ -n "$DISPLAY" ]; then
++ open_generic_xdg_file_mime "$file"
++
++ if mimeopen -v 2>/dev/null 1>&2; then
++ mimeopen -L -n "$file"
++ if [ $? -eq 0 ]; then
++ exit_success
++ fi
++ fi
++ fi
+
+ if [ -f /etc/debian_version ] &&
+ which run-mailcap 2>/dev/null 1>&2; then
+@@ -427,13 +491,10 @@
+ exit_success
+ fi
+ fi
++ fi
+
+- if mimeopen -v 2>/dev/null 1>&2; then
+- mimeopen -n "$file"
+- if [ $? -eq 0 ]; then
+- exit_success
+- fi
+- fi
++ if [ -n "$DISPLAY" ]; then
++ open_generic_xdg_x_scheme_handler "$1"
+ fi
+
+ sensible-browser "$1"
diff -Nru xdg-utils-1.0.2+cvs20100307/debian/patches/run-mailcap-decode.diff xdg-utils-1.0.2+cvs20100307/debian/patches/run-mailcap-decode.diff
--- xdg-utils-1.0.2+cvs20100307/debian/patches/run-mailcap-decode.diff 2010-09-15 12:43:29.000000000 +0200
+++ xdg-utils-1.0.2+cvs20100307/debian/patches/run-mailcap-decode.diff 1970-01-01 01:00:00.000000000 +0100
@@ -1,18 +0,0 @@
---- a/scripts/xdg-open
-+++ b/scripts/xdg-open
-@@ -411,10 +411,13 @@ open_generic()
- if (echo "$1" | grep -q '^file://' ||
- ! echo "$1" | egrep -q '^[a-zA-Z+\.\-]+:'); then
-
-- local file=$(echo "$1" | sed 's%^file://%%')
-+ local file="$1"
-
- # Decode URLs
-- # TODO
-+ if echo "$file" | grep -q '^file:///'; then
-+ file=${file#file://}
-+ file=$(echo "$file" | perl -pe 's/%(..)/pack("c", hex($1))/eg')
-+ fi
-
- check_input_file "$file"
-
diff -Nru xdg-utils-1.0.2+cvs20100307/debian/patches/series xdg-utils-1.0.2+cvs20100307/debian/patches/series
--- xdg-utils-1.0.2+cvs20100307/debian/patches/series 2010-09-15 12:43:29.000000000 +0200
+++ xdg-utils-1.0.2+cvs20100307/debian/patches/series 2015-04-22 16:28:50.000000000 +0200
@@ -1,3 +1,3 @@
xdg-email-mawk-support.diff
sensible-browser.diff
-run-mailcap-decode.diff
+backport-jessie-open-generic-xdg-mime-function.diff
Attachment:
pgpJ0XTXYdcV9.pgp
Description: Digitale PGP-Signatur