From 48e9308bf53474e42bda542fe1b600e97c677436 Mon Sep 17 00:00:00 2001
From: yinyongkang
Date: Fri, 8 Jul 2022 10:39:38 +0800
Subject: [PATCH] Fix CVE-2022-32278
---
 CVE-2022-32278.ptach | 39 +++++++++++++++++++++++++++++++++++++++
 exo.spec | 12 ++++++++++--
 2 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2022-32278.ptach
diff --git a/CVE-2022-32278.ptach b/CVE-2022-32278.ptach
new file mode 100644
index 0000000..159aaac
--- /dev/null
+++ b/CVE-2022-32278.ptach
@@ -0,0 +1,39 @@
+From 09c97951e91980e345b274063e3600769172c05f Mon Sep 17 00:00:00 2001
+From: yinyongkang
+Date: Fri, 8 Jul 2022 10:10:07 +0800
+Subject: [PATCH] exo-open : Only execute local .desktop files
+
+CVE-2022-32278
+
+This patch prevents executing possibly malicious .desktop files
+from online sources (ftp://, http:// etc.).
+
+Original patch authored by Alexander Schwinn
+---
+ exo-open/main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/exo-open/main.c b/exo-open/main.c
+index a471c78..0176bc3 100644
+--- a/exo-open/main.c
++++ b/exo-open/main.c
+@@ -156,6 +156,16 @@ exo_open_launch_desktop_file (const gchar *arg)
+ if (G_UNLIKELY (gfile == NULL))
+ return FALSE;
+
++ /* Only execute local .desktop files to prevent execution of malicious launchers from foreign locations */
++ if (g_file_has_uri_scheme (gfile, "file") == FALSE)
++ {
++ char *uri = g_file_get_uri (gfile);
++ g_warning ("Execution of remote .desktop file '%s' was skipped due to security concerns.", uri);
++ g_object_unref (gfile);
++ g_free (uri);
++ return FALSE;
++ }
++
+ /* load the contents of the file */
+ result = g_file_load_contents (gfile, NULL, &contents, &length, NULL, NULL);
+ g_object_unref (G_OBJECT (gfile));
+-- 
+2.33.0
+
diff --git a/exo.spec b/exo.spec
index 1fd4dd1..5ba0e1d 100644
--- a/exo.spec
+++ b/exo.spec
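Review bot: The new guard in exo_open_launch_desktop_file keys only on the URI scheme, so anything reachable as `file://` — NFS/CIFS mounts and, presumably, gvfs FUSE paths under `/run/user/<uid>/gvfs` that front an sftp:// or smb:// share — still passes as "local" and proceeds to g_file_load_contents; the patch closes the remote-scheme vector of CVE-2022-32278 but does not make the launcher trusted, and a comment should say so: `/* Scheme check only: a file:// URI on a network or FUSE mount is still accepted. */`. The cleanup on the rejection path looks right (the GFile is unref'd and the g_file_get_uri string freed before `return FALSE`), and the g_warning format string is a literal with the URI passed as a `%s` argument rather than as the format. Style: GLib code usually writes `if (!g_file_has_uri_scheme (gfile, "file"))` instead of comparing against FALSE. The body of exo_open_launch_desktop_file starts and ends outside the hunk, so how gfile is built from arg is not visible here.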
@@ -1,7 +1,7 @@
 %global xfceversion 4.16
 Name: exo
 Version: 4.16.2
-Release: 1
+Release: 2
 Summary: An extension library to Xfce
 License: LGPLv2+ and GPLv2+
 #Group: Development/Libraries
@@ -24,6 +24,9 @@ BuildRequires: chrpath
 BuildRequires: desktop-file-utils
 BuildRequires: gobject-introspection-devel
+#patch
+Patch0001: CVE-2022-32278.ptach
+
 %description
 An extension library for Xfce, targeted at application development.
@@ -38,6 +41,8 @@ Development tools and static libraries and header files for the exo library.
 %prep
 %setup -q
+%patch0001 -p1
+
 %build
 %configure --enable-gtk-doc --disable-static
@@ -69,7 +74,10 @@ find %{buildroot} -type f -name "*.la" -exec rm -f {} ';'
 %{_libdir}/lib*.so
 %{_libdir}/pkgconfig/*.pc
-%ChangeLog
+%changeLog
+* Fri Jul 8 2022 yinyongkang - 4.16.2-2
+- Fix CVE-2022-32278
+
 * Wed Jul 28 2021 Wenlong Ding - 4.16.2-1
 - Update to 4.16.2
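Review bot: `+%changeLog` swaps one non-canonical spelling for another; the RPM section keyword is `%changelog`, and while rpm presumably tolerated the old `%ChangeLog` (release 1 shipped with it), the lowercase form is what other specs and rpmlint expect, so the line to add is `+%changelog`. The patch file name `CVE-2022-32278.ptach` (a typo for `.patch`) is at least consistent between the `Patch0001:` line and the added file, so the build is unaffected, but renaming it now is cheaper than carrying it into later releases. `%patch0001 -p1` matches the `a/exo-open/main.c` prefix inside the patch, so the strip level is right.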