Fix CVE-2022-32278

2022-07-08 10:39:38 +08:00 · 2022-07-08 10:39:38 +08:00 · 48e9308bf5
commit 48e9308bf5
parent 3827acacc1
2 changed files with 49 additions and 2 deletions
--- a/CVE-2022-32278.ptach
+++ b/CVE-2022-32278.ptach
@ -0,0 +1,39 @@
+From 09c97951e91980e345b274063e3600769172c05f Mon Sep 17 00:00:00 2001
+From: yinyongkang <yinyongkang@kylinos.cn>
+Date: Fri, 8 Jul 2022 10:10:07 +0800
+Subject: [PATCH] exo-open : Only execute local .desktop files
+
+CVE-2022-32278
+
+This patch prevents executing possibly malicious .desktop files
+from online sources (ftp://, http:// etc.).
+
+Original patch authored by Alexander Schwinn <alexxcons@xfce.org>
+---
+ exo-open/main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/exo-open/main.c b/exo-open/main.c
+index a471c78..0176bc3 100644
+--- a/exo-open/main.c
+++ b/exo-open/main.c
+@@ -156,6 +156,16 @@ exo_open_launch_desktop_file (const gchar *arg)
+   if (G_UNLIKELY (gfile == NULL))
+     return FALSE;
+ 
+  /* Only execute local .desktop files to prevent execution of malicious launchers from  foreign locations */
+  if (g_file_has_uri_scheme (gfile, "file") == FALSE)
+    {
+      char *uri = g_file_get_uri (gfile);
+      g_warning ("Execution of remote .desktop file '%s' was skipped due to security concerns.", uri);
+      g_object_unref (gfile);
+      g_free (uri);
+      return FALSE;
+    }
+
+   /* load the contents of the file */
+   result = g_file_load_contents (gfile, NULL, &contents, &length, NULL, NULL);
+   g_object_unref (G_OBJECT (gfile));
+-- 
+2.33.0
+
--- a/exo.spec
+++ b/exo.spec
@ -1,7 +1,7 @@
 %global xfceversion 4.16
 Name:           exo
 Version:        4.16.2
-Release:        1
+Release:        2
 Summary:        An extension library to Xfce
 License:        LGPLv2+ and GPLv2+
 #Group:          Development/Libraries
@ -24,6 +24,9 @@ BuildRequires:  chrpath
 BuildRequires:  desktop-file-utils
 BuildRequires:  gobject-introspection-devel

+#patch
+Patch0001: CVE-2022-32278.ptach
+
 %description
 An extension library for Xfce, targeted at application development.

@ -38,6 +41,8 @@ Development tools and static libraries and header files for the exo library.

 %prep
 %setup -q
+%patch0001 -p1
+

 %build
 %configure --enable-gtk-doc --disable-static
@ -69,7 +74,10 @@ find %{buildroot} -type f -name "*.la" -exec rm -f {} ';'
 %{_libdir}/lib*.so
 %{_libdir}/pkgconfig/*.pc

-%ChangeLog
+%changeLog
+* Fri Jul 8 2022 yinyongkang <yinyongkang@kylinos.cn> - 4.16.2-2
+- Fix CVE-2022-32278
+
 * Wed Jul 28 2021 Wenlong Ding <wenlong.ding@turbolinux.com.cn> - 4.16.2-1
 - Update to 4.16.2