Options for fixing Thunar security issue in testing




Hi release team,

a security bug (#988394) was recently found in Thunar 4.16. The fix went in
4.16.7, then a regression was identified and fixed in 4.16.8.

Testing has 4.16.3, while sid has 4.16.4 (I missed the deadline by a few days
back in time).

I think it'd be best to update sid and testing to 4.16.8, but since we're
already quite deep in the freeze I can understand it'd be a problem.

The complete diff looks like this:

corsac@scapa: git diff  thunar-4.16.3..thunar-4.16.8 |filterdiff -x "*/po/*.po" |diffstat
 NEWS                                    |   43 ++++++++++++++++++++++++++++++++++
 configure.ac.in                         |    2 -
 docs/reference/thunarx/Makefile.am      |   25 ++++----------------
 docs/reference/thunarx/thunarx-docs.xml |   92 ++++++++++++++++++++++++--------------------------------------------------
 thunar/thunar-application.c             |   91 +++++++++++++++++++++++++++++++++++++++++++++++++------------------------
 thunar/thunar-application.h             |    9 ++++++-
 thunar/thunar-dbus-service.c            |    2 -
 thunar/thunar-device-monitor.c          |    5 ++--
 thunar/thunar-gtk-extensions.c          |   18 +++++++++++---
 thunar/thunar-job.c                     |    6 ++--
 thunar/thunar-launcher.c                |   10 ++++----
 thunar/thunar-shortcuts-model.c         |  138 ++++++++++++++++-----------------------------------------------------------------------------------------------
 thunar/thunar-shortcuts-view.c          |    4 +--
 thunar/thunar-standard-view.c           |    2 -
 thunar/thunar-transfer-job.c            |    2 -
 thunar/thunar-tree-view.c               |    8 ++++--
 thunar/thunar-window.c                  |   31 ++++++++++++++++++------
 thunar/thunar-window.h                  |    7 ++++-
 18 files changed, 235 insertions(+), 260 deletions(-)

so it's not huge, but it's also not that small either.

The security fix + regression fix are three commits (smaller obviously) but
I'm unsure yet if it'll be enough to backport to 4.16.3.

I'll upload 4.16.8 to sid anyway so we have some unstable exposure, but I'd
welcome a hint in a direction which would be acceptable for the release team.

Regards,
-- 
Yves-Alexis