Hello community, here is the log from the commit of package xdg-utils checked in at Fri Feb 8 17:17:41 CET 2008.
--------
--- xdg-utils/xdg-utils.changes 2007-10-22 14:26:09.000000000 +0200
+++ /mounts/work_src_done/NOARCH/xdg-utils/xdg-utils.changes 2008-02-07 13:14:05.000000000 +0100
@@ -1,0 +2,5 @@
+Thu Feb 7 13:13:48 CET 2008 - dmueller@suse.de
+
+- fix command injection (#bnc355061, CVE-2008-0386)
+
+-------------------------------------------------------------------
New:
----
CVE-2008-0386.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xdg-utils.spec ++++++
--- /var/tmp/diff_new_pack.gr7473/_old 2008-02-08 17:15:21.000000000 +0100
+++ /var/tmp/diff_new_pack.gr7473/_new 2008-02-08 17:15:21.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package xdg-utils (Version 1.0.2)
 #
-# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
 # package are under the same license as the package itself.
 #
@@ -11,18 +11,19 @@
 # norootforbuild
 Name: xdg-utils
-BuildRequires: make xmlto
+BuildRequires: make
 License: X11/MIT
 Group: System/GUI/Other
 Summary: Utilities to uniformly interface desktop environments
 Version: 1.0.2
-Release: 1
+Release: 36
 BuildArch: noarch
 Url: http://portland.freedesktop.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Source0: %name-%{version}.tar.bz2
 Patch0: xdg-su.diff
 Patch1: xfce-su.diff
+Patch2: CVE-2008-0386.diff
 %description
 The xdg-utils package is a set of simple scripts that provide basic
@@ -45,6 +46,7 @@
 %setup -q -n %name-%{version}
 %patch0
 %patch1
+%patch2
 %build
 %configure
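Review bot: `-BuildRequires: make xmlto` / `+BuildRequires: make` in the second spec hunk drops the xmlto build dependency, but neither the new xdg-utils.changes entry nor the %changelog entry says why, and the %files section (visible in the following hunk) still packages `%{_mandir}/man1/xdg-open.1.gz` and its siblings. If the 1.0.2 tarball carries pre-generated man pages the build is unaffected, but that is an inference from this diff; whoever next touches the spec has no record of whether the docbook-to-man step was dropped on purpose. A changelog line such as `- drop xmlto BuildRequires (man pages are shipped pre-built)`, with the actual reason filled in, would keep the security update self-explanatory.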
@@ -80,29 +82,32 @@
 %{_mandir}/man1/xdg-open.1.gz
 %{_mandir}/man1/xdg-su.1.gz
 %{_mandir}/man1/xdg-screensaver.1.gz
+
 %changelog
-* Mon Oct 22 2007 - stbinner@suse.de
+* Thu Feb 07 2008 dmueller@suse.de
+- fix command injection (#bnc355061, CVE-2008-0386)
+* Mon Oct 22 2007 stbinner@suse.de
 - update to 1.0.2:
 * SVG icons are not supported but doc still mentioned SVG
 * xdg-email can now be used without any e-mail address
 * do not use mktemp without arguments, it breaks on systems with certain older versions of mktemp
-* Thu Sep 20 2007 - dmueller@suse.de
+* Thu Sep 20 2007 dmueller@suse.de
 - fix xdg-su outside KDE/GNOME (#309164)
-* Thu Aug 30 2007 - dmueller@suse.de
+* Thu Aug 30 2007 dmueller@suse.de
 - fix xdg-su for XFCE (#304753)
-* Tue May 22 2007 - dmueller@suse.de
+* Tue May 22 2007 dmueller@suse.de
 - add xdg-su (#275937)
-* Mon Nov 06 2006 - dmueller@suse.de
+* Mon Nov 06 2006 dmueller@suse.de
 - update to 1.0.1:
 * Several shell syntax issues causing failures on Ubuntu 6.10
 * Spurious output on stdout when running xdg-desktop-menu
 * Non-ascii mailto URI handling of xdg-email on non-UTF8 locales under KDE
-* Fri Oct 27 2006 - dmueller@suse.de
+* Fri Oct 27 2006 dmueller@suse.de
 - don't build as root
-* Wed Sep 27 2006 - dmueller@suse.de
+* Wed Sep 27 2006 dmueller@suse.de
 - update to 1.0rc1:
 * for changes, see /usr/share/doc/packages/xdg-utils/ChangeLog
-* Thu Jun 22 2006 - dmueller@suse.de
+* Thu Jun 22 2006 dmueller@suse.de
 - Initial package (TP1)
++++++ CVE-2008-0386.diff ++++++
--- scripts/xdg-open
+++ scripts/xdg-open
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #---------------------------------------------
 # xdg-open
 #
@@ -382,7 +382,8 @@ open_generic()
 for browser in $BROWSER; do
 if [ x"$browser" != x"" ]; then
- browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
+ IFS=' '
+ browser_with_arg=${browser//'%s'/"$1"}
 if [ x"$browser_with_arg" = x"$browser" ]; then
 "$browser" "$1";
 else
 $browser_with_arg;
--- scripts/xdg-email
+++ scripts/xdg-email
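Review bot: `$browser_with_arg;` on the last line of the `@@ -382,7 +382,8 @@` hunk is still expanded unquoted, so after `%s` has been replaced the URL or path from `$1` is word-split on the newly set `IFS=' '` and pathname-expanded, and a value containing a space or a glob character reaches the browser as several arguments or as matching filenames. Replacing the sed script with a bash pattern substitution does close the command-injection path, but the substituted argument should stay a single word; splitting the `%s` entry into words first and substituting per element, as below, keeps `"$1"` intact (the first hunk's switch to `#!/bin/bash` is required for both forms). Nothing in the hunk restores IFS once the loop is done, so code after the loop presumably inherits the space-only value. The xdg-email hunk `@@ -435,7 +435,8 @@` on the next line has the same shape and needs the same change. open_generic begins and ends outside both hunks.
```shell
            else
                # split the %s template into words (globbing off) and
                # substitute per word, so "$1" reaches the browser as one argument
                set -f
                browser_argv=( $browser )
                set +f
                for i in "${!browser_argv[@]}"; do
                    browser_argv[$i]=${browser_argv[$i]//'%s'/"$1"}
                done
                "${browser_argv[@]}";
```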
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #---------------------------------------------
 # xdg-email
 #
@@ -435,7 +435,8 @@ open_generic()
 for browser in $BROWSER; do
 if [ x"$browser" != x"" ]; then
- browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
+ IFS=' '
+ browser_with_arg=${browser//'%s'/"$1"}
 if [ x"$browser_with_arg" = x"$browser" ]; then
 "$browser" "$1";
 else
 $browser_with_arg;
@@ -495,7 +496,7 @@ while [ $# -gt 0 ] ; do
 exit_failure_syntax "email address argument missing for --to"
 fi
 url_encode "$1"
- options="${options}to=${result}&"
+ options="${options}to=${result}&"
 shift
 ;;
@@ -531,7 +532,7 @@ while [ $# -gt 0 ] ; do
 exit_failure_syntax "text argument missing for --body option"
 fi
 url_encode "$1"
- options="${options}body=${result}&"
+ options="${options}body=${result}&"
 shift
 ;;
@@ -575,7 +576,7 @@ done
 if [ -z "${mailto}" ] ; then
 # TO address is optional
- mailto="mailto:?"
+ mailto="mailto:?"
 fi
 case $mailto in
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org