Control: tags 777722 + pending

Dear maintainer,

I've prepared an NMU for xdg-utils (versioned as 1.1.0~rc1+git20111210-7.4) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/changelog xdg-utils-1.1.0~rc1+git20111210/debian/changelog
--- xdg-utils-1.1.0~rc1+git20111210/debian/changelog	2015-01-10 16:22:21.000000000 +0100
+++ xdg-utils-1.1.0~rc1+git20111210/debian/changelog	2015-02-20 16:28:35.000000000 +0100
@@ -1,3 +1,13 @@
+xdg-utils (1.1.0~rc1+git20111210-7.4) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add CVE-2015-1877.patch patch.
+    CVE-2015-1877: Command injection vulnerability due to local variables
+    collision.
+    Thanks to Jiri Horner <laeq...@gmail.com> (Closes: #777722)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Fri, 20 Feb 2015 16:24:18 +0100
+
 xdg-utils (1.1.0~rc1+git20111210-7.3) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2015-1877.patch xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2015-1877.patch
--- xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2015-1877.patch	1970-01-01 01:00:00.000000000 +0100
+++ xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2015-1877.patch	2015-02-20 16:28:35.000000000 +0100
@@ -0,0 +1,33 @@
+Description: CVE-2015-1877: Command injection vulnerability due to local variables collision
+Origin: vendor
+Bug: https://bugs.freedesktop.org/89129
+Bug-Debian: https://bugs.debian.org/777722
+Forwarded: yes, https://bugs.freedesktop.org/show_bug.cgi?id=89129
+Author: Jiri Horner <laeq...@gmail.com>
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2015-02-20
+
+--- a/scripts/xdg-open.in
++++ b/scripts/xdg-open.in
+@@ -128,16 +128,16 @@ open_generic_xdg_mime()
+ 
+ DEBUG 3 "$xdg_user_dir:$xdg_system_dirs"
+         for x in `echo "$xdg_user_dir:$xdg_system_dirs" | sed 's/:/ /g'`; do
+-            local file
++            local desktop_file
+             # look for both vendor-app.desktop, vendor/app.desktop
+             if [ -r "$x/applications/$default" ]; then
+-              file="$x/applications/$default"
++              desktop_file="$x/applications/$default"
+             elif [ -r "$x/applications/`echo $default | sed -e 's|-|/|'`" ]; then
+-              file="$x/applications/`echo $default | sed -e 's|-|/|'`"
++              desktop_file="$x/applications/`echo $default | sed -e 's|-|/|'`"
+             fi
+ 
+-            if [ -r "$file" ] ; then
+-                set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$file")
++            if [ -r "$desktop_file" ] ; then
++                set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$desktop_file")
+                 command_exec="$(which "$1" 2> /dev/null)"
+                 if [ -x "$command_exec" ] ; then
+                     shift
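Review bot: The renamed `local desktop_file` on the new side is still declared without an initial value, so the variable keeps whatever it held when the declaration ran: a stale path from an earlier iteration of the enclosing `for x in ...` loop, and, in /bin/sh implementations where `local` without an assignment does not clear a variable that already has a value (dash is one such shell), any same-named variable set by a caller. The rename removes the specific collision with `file` that CVE-2015-1877 exploited, but the later `if [ -r "$desktop_file" ]` check can then still act on a value this iteration did not set, and the same class of bug returns the moment some caller picks the name `desktop_file`. Initialising it explicitly closes both paths: `local desktop_file` followed by `desktop_file=` as the next line (or `local desktop_file=""` where the target shells accept it). open_generic_xdg_mime continues past the end of the hunk, so I cannot see from here whether the loop always returns on the first readable match.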
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/patches/series xdg-utils-1.1.0~rc1+git20111210/debian/patches/series
--- xdg-utils-1.1.0~rc1+git20111210/debian/patches/series	2015-01-10 16:20:40.000000000 +0100
+++ xdg-utils-1.1.0~rc1+git20111210/debian/patches/series	2015-02-20 16:28:35.000000000 +0100
@@ -9,3 +9,4 @@
 fix-bashism-use-of-echo.patch
 command-injection.patch
 xdg-open-safe.diff
+CVE-2015-1877.patch
