commit:     7bd2438f79a7c4760badc08d76469d798d39ea4a
Author:     Brett A C Sheffield <bacs <AT> librecast <DOT> net>
AuthorDate: Fri Mar 13 08:51:20 2026 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Mar 14 18:59:02 2026 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bd2438f

x11-misc/xdg-utils: fix CVE-2020-27748, revbump

Apply upstream patch for CVE-2020-27748:
5f3f563d69ae ("Fix CVE-2020-27748 by paasing attachments seperately")

Bug: https://bugs.gentoo.org/756838
Signed-off-by: Brett A C Sheffield <bacs <AT> librecast.net>
Part-of: https://codeberg.org/gentoo/gentoo/pulls/302
Merges: https://codeberg.org/gentoo/gentoo/pulls/302
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/xdg-utils-1.2.1-fix-CVE-2020-27748.patch | 200 +++++++++++++++++++++
 x11-misc/xdg-utils/xdg-utils-1.2.1-r10.ebuild      | 103 +++++++++++
 2 files changed, 303 insertions(+)

diff --git a/x11-misc/xdg-utils/files/xdg-utils-1.2.1-fix-CVE-2020-27748.patch 
b/x11-misc/xdg-utils/files/xdg-utils-1.2.1-fix-CVE-2020-27748.patch
new file mode 100644
index 000000000000..faff8179b82e
--- /dev/null
+++ b/x11-misc/xdg-utils/files/xdg-utils-1.2.1-fix-CVE-2020-27748.patch
@@ -0,0 +1,200 @@
+https://bugs.gentoo.org/756838
+https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/5f3f563d69ae72bbefe9031c68d8167935abcba5
+
+From 5f3f563d69ae72bbefe9031c68d8167935abcba5 Mon Sep 17 00:00:00 2001
+From: Slatian <[email protected]>
+Date: Sat, 14 Oct 2023 13:14:44 +0200
+Subject: [PATCH] Fix CVE-2020-27748 by paasing attachments seperately
+
+---
+ scripts/xdg-email.in | 42 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 28 insertions(+), 14 deletions(-)
+
+diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
+index 4e3a5e8..6d83b0a 100644
+--- a/scripts/xdg-email.in
++++ b/scripts/xdg-email.in
+@@ -30,11 +30,14 @@ _USAGE
+ 
+ #@xdg-utils-common@
+ 
++# (thunderbird_binary, mailto_uri, attached_files)
+ run_thunderbird()
+ {
+     local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH
+     THUNDERBIRD="$1"
+     MAILTO="$(echo "$2" | sed 's/^mailto://')"
++    ATTACH="$3"
++    
+     echo "$MAILTO" | grep -qs "^?"
+     if [ "$?" = "0" ] ; then
+         MAILTO="$(echo "$MAILTO" | sed 's/^?//')"
+@@ -48,7 +51,6 @@ run_thunderbird()
+     BCC="$(/bin/echo -e "$(echo "$MAILTO" | grep '^bcc=' | sed 
's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')")"
+     SUBJECT="$(echo "$MAILTO" | grep '^subject=' | tail -n 1)"
+     BODY="$(echo "$MAILTO" | grep '^body=' | tail -n 1)"
+-    ATTACH="$(/bin/echo -e "$(echo "$MAILTO" | grep '^attach=' | sed 
's/^attach=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }' | sed 's/,$//')")"
+ 
+     if [ -z "$TO" ] ; then
+         NEWMAILTO=
+@@ -82,6 +84,7 @@ run_thunderbird()
+     fi
+ }
+ 
++# (mailto, attach)
+ open_kde()
+ {
+     local kreadconfig profile client
+@@ -104,7 +107,7 @@ open_kde()
+             fi
+ 
+             if echo "$client" | grep -Eq 'thunderbird|icedove'; then
+-                run_thunderbird "$client" "$1"
++                run_thunderbird "$client" "$1" "$2"
+             fi
+         fi
+     fi
+@@ -137,6 +140,7 @@ open_kde()
+     fi
+ }
+ 
++# (mailto, attach)
+ open_gnome3()
+ {
+     local client
+@@ -144,7 +148,7 @@ open_gnome3()
+     desktop="$(xdg-mime query default "x-scheme-handler/mailto")"
+     client="$(desktop_file_to_binary "$desktop")"
+     case "$client" in *thunderbird*|*icedove*)
+-        run_thunderbird "$client" "$1"
++        run_thunderbird "$client" "$1" "$2"
+     esac
+ 
+     if gio help open 2>/dev/null 1>&2; then
+@@ -165,12 +169,13 @@ open_gnome3()
+     fi
+ }
+ 
++# (mailto, attach)
+ open_gnome()
+ {
+     local client
+     client="$(gconftool-2 --get /desktop/gnome/url-handlers/mailto/command | 
cut -d ' ' -f 1)"
+     case "$client" in *thunderbird*|*icedove*)
+-        run_thunderbird "$client" "$1"
++        run_thunderbird "$client" "$1" "$2"
+     esac
+ 
+     if gio help open 2>/dev/null 1>&2; then
+@@ -191,7 +196,7 @@ open_gnome()
+     fi
+ }
+ 
+-
++# (mailto, attach)
+ open_lxqt()
+ {
+     local client
+@@ -200,7 +205,7 @@ open_lxqt()
+     client="$(desktop_file_to_binary "$desktop")"
+     echo "$client" | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+     if [ $? -eq 0 ] ; then
+-        run_thunderbird "$client" "$1"
++        run_thunderbird "$client" "$1" "$2"
+     fi
+ 
+     if qtxdg-mat open --help 2>/dev/null 1>&2; then
+@@ -261,6 +266,7 @@ open_flatpak()
+     fi
+ }
+ 
++# (mailto, attach)
+ open_generic()
+ {
+     local client
+@@ -268,7 +274,7 @@ open_generic()
+     desktop="$(xdg-mime query default "x-scheme-handler/mailto")"
+     client="$(desktop_file_to_binary "$desktop")"
+     case "$client" in *thunderbird*|*icedove*)
+-        run_thunderbird "$client" "$1"
++        run_thunderbird "$client" "$1" "$2"
+     esac
+ 
+     xdg-open "$1"
+@@ -317,6 +323,8 @@ LC_ALL="$ORIG_LC_ALL"
+ 
+ options=
+ mailto=
++# attach is a comma seperated list of url encoded filenames
++attach=
+ utf8="iconv -t utf8"
+ while [ $# -gt 0 ] ; do
+     parm="$1"
+@@ -383,7 +391,7 @@ while [ $# -gt 0 ] ; do
+         fi
+ 
+         url_encode "$file"
+-        options="${options}attach=${result}&"
++        attach="${attach}${attach:+,}${result}"
+         shift
+         ;;
+ 
+@@ -436,7 +444,7 @@ mailto="$(echo "${mailto}"| sed 's/[?&]$//')"
+ [ x"${mailto}" != x"" ] || exit_failure_syntax
+ 
+ if command -v @[email protected] > /dev/null; then
+-    @[email protected] "${mailto}"
++    @[email protected] "${mailto}" "$attach"
+     if [ $? -eq 0 ]; then
+         exit_success
+     else
+@@ -456,35 +464,41 @@ fi
+ 
+ case "$DE" in
+     envvar)
++      [ -z "$attach" ] || \
++              exit_failure_operation_impossible "Unable to use --attach with 
the MAILER envoirnment variable"
+     open_envvar "${mailto}"
+     ;;
+ 
+     kde)
+-    open_kde "${mailto}"
++    open_kde "${mailto}" "$attach"
+     ;;
+ 
+     gnome)
+-    open_gnome "${mailto}"
++    open_gnome "${mailto}" "$attach"
+     ;;
+ 
+     gnome3|cinnamon|lxde|mate|deepin)
+-    open_gnome3 "${mailto}"
++    open_gnome3 "${mailto}" "$attach"
+     ;;
+ 
+     lxqt)
+-    open_lxqt "${mailto}"
++    open_lxqt "${mailto}" "$attach"
+     ;;
+ 
+     xfce)
++      [ -z "$attach" ] || \
++              exit_failure_operation_impossible "Unable to use --attach with 
the Xfce opener"
+     open_xfce "${mailto}"
+     ;;
+ 
+     flatpak)
++      [ -z "$attach" ] || \
++              exit_failure_operation_impossible "Unable to use --attach from 
inside a flatpak"
+     open_flatpak "${mailto}"
+     ;;
+ 
+     generic|enlightenment)
+-    open_generic "${mailto}"
++    open_generic "${mailto}" "$attach"
+     ;;
+ 
+     *)
+-- 
+2.52.0
+
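Review bot: In `open_kde`, `open_gnome3`, `open_gnome`, `open_lxqt` and `open_generic` the new second argument is only forwarded to `run_thunderbird`, and the visible fallback in `open_generic` (`xdg-open "$1"`) does not use it, so `--attach` appears to be dropped without any error when the mail client is not Thunderbird/Icedove. The `envvar`, `xfce` and `flatpak` branches already fail closed with `exit_failure_operation_impossible`; a matching guard before the non-Thunderbird fallbacks, e.g. `[ -z "$2" ] || exit_failure_operation_impossible "Unable to use --attach with this mail client"`, would make the behaviour explicit. These function bodies continue outside the inner hunks, so this needs confirming against the full script. Separately, `ATTACH="$3"` now receives the comma-separated, URL-encoded list described in the comment above `attach=`, whereas the removed line decoded `%xx` escapes; the code that consumes `$ATTACH` is not shown, so check that the names are decoded before they reach the client. As rendered on this page, `@[email protected]` and the `From:` address are artifacts of the archive's address obfuscation rather than patch content.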

diff --git a/x11-misc/xdg-utils/xdg-utils-1.2.1-r10.ebuild 
b/x11-misc/xdg-utils/xdg-utils-1.2.1-r10.ebuild
new file mode 100644
index 000000000000..7dce77453577
--- /dev/null
+++ b/x11-misc/xdg-utils/xdg-utils-1.2.1-r10.ebuild
@@ -0,0 +1,103 @@
+# Copyright 1999-2026 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools
+
+DESCRIPTION="Portland utils for cross-platform/cross-toolkit/cross-desktop 
interoperability"
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/xdg-utils/";
+if [[ ${PV} == *_p* ]] ; then
+       MY_COMMIT="d4f00e1d803038af4f245949d8c747a384117852"
+       
SRC_URI="https://gitlab.freedesktop.org/xdg/xdg-utils/-/archive/${MY_COMMIT}/${P}.tar.bz2";
+       S="${WORKDIR}"/xdg-utils-${MY_COMMIT}
+else
+       
SRC_URI="https://gitlab.freedesktop.org/xdg/xdg-utils/-/archive/v${PV}/${PN}-v${PV}.tar.bz2";
+       S="${WORKDIR}"/${PN}-v${PV}
+fi
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv 
~s390 ~sparc ~x86 ~arm64-macos"
+IUSE="dbus doc gnome perl plasma X"
+REQUIRED_USE="gnome? ( dbus )"
+
+# dev-perl/File-MimeInfo: mimeopen used by xdg-open
+RDEPEND="
+       dev-util/desktop-file-utils
+       x11-misc/shared-mime-info
+       dbus? (
+               sys-apps/dbus
+               gnome? (
+                       dev-perl/Net-DBus
+                       dev-perl/X11-Protocol
+               )
+       )
+       perl? ( dev-perl/File-MimeInfo )
+       plasma? ( virtual/pkgconfig )
+       X? (
+               x11-apps/xprop
+               x11-apps/xset
+       )
+"
+PDEPEND="
+       plasma? (
+               dev-qt/qtbase:6
+               kde-frameworks/kservice:6
+               kde-plasma/kde-cli-tools:*
+       )
+"
+BDEPEND="
+       app-alternatives/awk
+       >=app-text/xmlto-0.0.28-r3[text(+)]
+"
+
+# Tests run random system programs, including interactive programs
+# that block forever
+RESTRICT="test"
+
+PATCHES=(
+       "${FILESDIR}"/${P}-xdg-mime-default.patch
+       "${FILESDIR}"/${PN}-1.2.1-qtpaths.patch
+       "${FILESDIR}"/${PN}-1.2.1-fix-CVE-2020-27748.patch
+)
+
+src_prepare() {
+       default
+
+       if [[ ${PV} == *_p* ]] ; then
+               # If you choose to do git snapshot instead of patchset, you 
need to remember
+               # to run `autoconf` in ./ and `make scripts-clean` in 
./scripts/ to refresh
+               # all the files
+               eautoreconf
+       fi
+}
+
+src_configure() {
+       export ac_cv_path_XMLTO="$(type -P xmlto) --skip-validation" #502166
+       default
+       emake -C scripts scripts-clean
+}
+
+src_install() {
+       default
+
+       dodoc RELEASE_NOTES
+
+       newdoc scripts/xsl/README README.xsl
+       use doc && dodoc -r scripts/html
+
+       # Install default XDG_DATA_DIRS, bug #264647
+       echo XDG_DATA_DIRS=\"${EPREFIX}/usr/local/share\" > 30xdg-data-local || 
die
+       echo 'COLON_SEPARATED="XDG_DATA_DIRS XDG_CONFIG_DIRS"' >> 
30xdg-data-local || die
+       doenvd 30xdg-data-local
+
+       echo XDG_DATA_DIRS=\"${EPREFIX}/usr/share\" > 90xdg-data-base || die
+       echo XDG_CONFIG_DIRS=\"${EPREFIX}/etc/xdg\" >> 90xdg-data-base || die
+       doenvd 90xdg-data-base
+}
+
+pkg_postinst() {
+       [[ -x $(type -P gtk-update-icon-cache) ]] \
+               || elog "Install dev-util/gtk-update-icon-cache for the 
gtk-update-icon-cache command."
+}
