From aca88908fd329f5cef6f19995b072397fb2d8ec6 Mon Sep 17 00:00:00 2001 From: Stefan Ghinea Date: Tue, 25 May 2021 21:24:58 +0300 Subject: thunar: fix CVE-2021-32563 An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution. References: https://nvd.nist.gov/vuln/detail/CVE-2021-32563 Upstream patches: https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664 Signed-off-by: Stefan Ghinea Signed-off-by: Khem Raj (cherry picked from commit baa9453d57aa06554c823b5c7bd9c029e1858f89) Signed-off-by: Armin Kuster --- .../thunar/thunar/CVE-2021-32563-1.patch | 97 ++++++++++ .../thunar/thunar/CVE-2021-32563-2.patch | 208 +++++++++++++++++++++ meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb | 4 + 3 files changed, 309 insertions(+) create mode 100644 meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch create mode 100644 meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch (limited to 'meta-xfce')
diff --git a/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
new file mode 100644
index 0000000000..f942f990bd
--- /dev/null
+++ b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
@@ -0,0 +1,97 @@
+From 9165a61f95e43cc0b5abf9b98eee2818a0191e0b Mon Sep 17 00:00:00 2001
+From: Alexander Schwinn
+Date: Sat, 1 May 2021 00:40:44 +0200
+Subject: [PATCH 1/2] Dont execute files, passed via command line due to
+ security risks
+
+Instead open the containing folder and select the file.
+
+Fixes #121
+
+Upstream-Status: Backport
+CVE: CVE-2021-32563
+
+Reference to upstream patch:
+[https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b]
+
+Signed-off-by: Stefan Ghinea
+---
+ thunar/thunar-application.c | 25 +++++++++++++++++++++++--
+ thunar/thunar-window.c | 4 +---
+ thunar/thunar-window.h | 2 ++
+ 3 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
+index df862fd..1243940 100644
+--- a/thunar/thunar-application.c
++++ b/thunar/thunar-application.c
+@@ -1512,8 +1512,29 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
+ }
+ else
+ {
+- /* try to open the file or directory */
+- thunar_file_launch (target_file, screen, startup_id, &error);
++ if (thunar_file_is_directory (file))
++ {
++ thunar_application_open_window (application, file, screen, startup_id, FALSE);
++ }
++ else
++ {
++ /* Note that for security reasons we do not execute files passed via command line */
++ /* Lets rather open the containing directory and select the file */
++ ThunarFile *parent = thunar_file_get_parent (file, NULL);
++
++ if (G_LIKELY (parent != NULL))
++ {
++ GList* files = NULL;
++ GtkWidget *window;
++
++ window = thunar_application_open_window (application, parent, screen, startup_id, FALSE);
++ g_object_unref (parent);
++
++ files = g_list_append (files, thunar_file_get_file (file));
++ thunar_window_select_files (THUNAR_WINDOW (window), files);
++ g_list_free (files);
++ }
++ }
+
+ /* remove the file from the list */
+ application->files_to_launch = g_list_delete_link (application->files_to_launch,
+diff --git a/thunar/thunar-window.c b/thunar/thunar-window.c
+index b330a87..b234fd3 100644
+--- a/thunar/thunar-window.c
++++ b/thunar/thunar-window.c
+@@ -243,8 +243,6 @@ static void thunar_window_update_go_menu (ThunarWindow
+ GtkWidget *menu);
+ static void thunar_window_update_help_menu (ThunarWindow *window,
+ GtkWidget *menu);
+-static void thunar_window_select_files (ThunarWindow *window,
+- GList *path_list);
+ static void thunar_window_binding_create (ThunarWindow *window,
+ gpointer src_object,
+ const gchar *src_prop,
+@@ -891,7 +889,7 @@ thunar_window_screen_changed (GtkWidget *widget,
+ *
+ * Visually selects the files, given by the list
+ **/
+-static void
++void
+ thunar_window_select_files (ThunarWindow *window,
+ GList *files_to_selected)
+ {
+diff --git a/thunar/thunar-window.h b/thunar/thunar-window.h
+index 9cbcc85..3c1aad2 100644
+--- a/thunar/thunar-window.h
++++ b/thunar/thunar-window.h
+@@ -126,6 +126,8 @@ void thunar_window_redirect_menu_tooltips_to_statusbar (Thu
+ GtkMenu *menu);
+ const XfceGtkActionEntry* thunar_window_get_action_entry (ThunarWindow *window,
+ ThunarWindowAction action);
++ void thunar_window_select_files (ThunarWindow *window,
++ GList *path_list);
+ G_END_DECLS;
+
+ #endif /* !__THUNAR_WINDOW_H__ */
+--
+2.17.1
+
diff --git a/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
new file mode 100644
index 0000000000..a22cdc6d8d
--- /dev/null
+++ b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
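Review bot: In the new `else` branch of thunar_application_process_files_finish (CVE-2021-32563-1.patch), the value returned by `thunar_application_open_window (application, parent, ...)` is cast with `THUNAR_WINDOW (window)` and handed to `thunar_window_select_files` without a NULL check, and when `thunar_file_get_parent` returns NULL the entry is removed from `files_to_launch` with neither a window opened nor `error` set. Whether open_window can return NULL is not visible here, so a guard such as `if (G_LIKELY (window != NULL))` around the select call is cheap insurance. The branch also tests `file` where the removed call acted on `target_file`; a one-line comment confirming that the unresolved `file` is the intended object for the directory check would help the next reader. The function body starts and ends outside the hunk.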
@@ -0,0 +1,208 @@
+From 3b54d9d7dbd7fd16235e2141c43a7f18718f5664 Mon Sep 17 00:00:00 2001
+From: Alexander Schwinn
+Date: Fri, 7 May 2021 15:21:27 +0200
+Subject: [PATCH 2/2] Regression: Activating Desktop Icon does not Use Default
+ Application (Issue #575)
+
+- Introduced by 9165a61f (Dont execute files, passed via command line
+due to security risks)
+- Now via DBus files are executed, and via CLI, files are just selected
+
+Fixes #575
+
+Upstream-Status: Backport
+CVE: CVE-2021-32563
+
+Reference to upstream patch:
+[https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664]
+
+Signed-off-by: Stefan Ghinea
+---
+ thunar/thunar-application.c | 68 +++++++++++++++++++++---------------
+ thunar/thunar-application.h | 9 ++++++++-
+ thunar/thunar-dbus-service.c | 2 +-
+ 3 files changed, 49 insertions(+), 30 deletions(-)
+
+diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
+index 1243940..53d0b23 100644
+--- a/thunar/thunar-application.c
++++ b/thunar/thunar-application.c
+@@ -182,37 +182,38 @@ struct _ThunarApplicationClass
+
+ struct _ThunarApplication
+ {
+- GtkApplication __parent__;
++ GtkApplication __parent__;
+
+- ThunarSessionClient *session_client;
++ ThunarSessionClient *session_client;
+
+- ThunarPreferences *preferences;
+- GtkWidget *progress_dialog;
++ ThunarPreferences *preferences;
++ GtkWidget *progress_dialog;
+
+- ThunarThumbnailCache *thumbnail_cache;
+- ThunarThumbnailer *thumbnailer;
++ ThunarThumbnailCache *thumbnail_cache;
++ ThunarThumbnailer *thumbnailer;
+
+- ThunarDBusService *dbus_service;
++ ThunarDBusService *dbus_service;
+
+- gboolean daemon;
++ gboolean daemon;
+
+- guint accel_map_save_id;
+- GtkAccelMap *accel_map;
++ guint accel_map_save_id;
++ GtkAccelMap *accel_map;
+
+- guint show_dialogs_timer_id;
++ guint show_dialogs_timer_id;
+
+ #ifdef HAVE_GUDEV
+- GUdevClient *udev_client;
++ GUdevClient *udev_client;
+
+- GSList *volman_udis;
+- guint volman_idle_id;
+- guint volman_watch_id;
++ GSList *volman_udis;
++ guint volman_idle_id;
++ guint volman_watch_id;
+ #endif
+
+- GList *files_to_launch;
++ GList *files_to_launch;
++ ThunarApplicationProcessAction process_file_action;
+
+- guint dbus_owner_id_xfce;
+- guint dbus_owner_id_fdo;
++ guint dbus_owner_id_xfce;
++ guint dbus_owner_id_fdo;
+ };
+
+
+@@ -279,6 +280,7 @@ thunar_application_init (ThunarApplication *application)
+ * in the primary instance anyways */
+
+ application->files_to_launch = NULL;
++ application->process_file_action = THUNAR_APPLICATION_SELECT_FILES;
+ application->progress_dialog = NULL;
+ application->preferences = NULL;
+
+@@ -531,7 +533,7 @@ thunar_application_command_line (GApplication *gapp,
+ }
+ else if (filenames != NULL)
+ {
+- if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error))
++ if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error, THUNAR_APPLICATION_SELECT_FILES))
+ {
+ /* we failed to process the filenames or the bulk rename failed */
+ g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message);
+@@ -539,7 +541,7 @@ thunar_application_command_line (GApplication *gapp,
+ }
+ else if (!daemon)
+ {
+- if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error))
++ if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error, THUNAR_APPLICATION_SELECT_FILES))
+ {
+ /* we failed to process the filenames or the bulk rename failed */
+ g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message);
+@@ -1512,7 +1514,12 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
+ }
+ else
+ {
+- if (thunar_file_is_directory (file))
++ if (application->process_file_action == THUNAR_APPLICATION_LAUNCH_FILES)
++ {
++ /* try to launch the file / open the directory */
++ thunar_file_launch (target_file, screen, startup_id, &error);
++ }
++ else if (thunar_file_is_directory (file))
+ {
+ thunar_application_open_window (application, file, screen, startup_id, FALSE);
+ }
+@@ -1603,18 +1610,20 @@ thunar_application_process_files (ThunarApplication *application)
+ * @startup_id : startup id to finish startup notification and properly focus the
+ * window when focus stealing is enabled or %NULL.
+ * @error : return location for errors or %NULL.
++ * @action : action to invoke on the files
+ *
+ * Tells @application to process the given @filenames and launch them appropriately.
+ *
+ * Return value: %TRUE on success, %FALSE if @error is set.
+ **/
+ gboolean
+-thunar_application_process_filenames (ThunarApplication *application,
+- const gchar *working_directory,
+- gchar **filenames,
+- GdkScreen *screen,
+- const gchar *startup_id,
+- GError **error)
++thunar_application_process_filenames (ThunarApplication *application,
++ const gchar *working_directory,
++ gchar **filenames,
++ GdkScreen *screen,
++ const gchar *startup_id,
++ GError **error,
++ ThunarApplicationProcessAction action)
+ {
+ ThunarFile *file;
+ GError *derror = NULL;
+@@ -1686,7 +1695,10 @@ thunar_application_process_filenames (ThunarApplication *application,
+
+ /* start processing files if we have any to launch */
+ if (application->files_to_launch != NULL)
+- thunar_application_process_files (application);
++ {
++ application->process_file_action = action;
++ thunar_application_process_files (application);
++ }
+
+ /* free the file list */
+ g_list_free (file_list);
+diff --git a/thunar/thunar-application.h b/thunar/thunar-application.h
+index 547cb70..8c180e8 100644
+--- a/thunar/thunar-application.h
++++ b/thunar/thunar-application.h
+@@ -31,6 +31,12 @@ G_BEGIN_DECLS;
+ typedef struct _ThunarApplicationClass ThunarApplicationClass;
+ typedef struct _ThunarApplication ThunarApplication;
+
++typedef enum
++{
++ THUNAR_APPLICATION_LAUNCH_FILES,
++ THUNAR_APPLICATION_SELECT_FILES
++} ThunarApplicationProcessAction;
++
+ #define THUNAR_TYPE_APPLICATION (thunar_application_get_type ())
+ #define THUNAR_APPLICATION(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), THUNAR_TYPE_APPLICATION, ThunarApplication))
+ #define THUNAR_APPLICATION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), THUNAR_TYPE_APPLICATION, ThunarApplicationClass))
+@@ -74,7 +80,8 @@ gboolean thunar_application_process_filenames (ThunarAppli
+ gchar **filenames,
+ GdkScreen *screen,
+ const gchar *startup_id,
+- GError **error);
++ GError **error,
++ ThunarApplicationProcessAction action);
+
+ void thunar_application_rename_file (ThunarApplication *application,
+ ThunarFile *file,
+diff --git a/thunar/thunar-dbus-service.c b/thunar/thunar-dbus-service.c
+index 2d27642..4205a2b 100644
+--- a/thunar/thunar-dbus-service.c
++++ b/thunar/thunar-dbus-service.c
+@@ -991,7 +991,7 @@ thunar_dbus_service_launch_files (ThunarDBusFileManager *object,
+ {
+ /* let the application process the filenames */
+ application = thunar_application_get ();
+- thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error);
++ thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error, THUNAR_APPLICATION_LAUNCH_FILES);
+ g_object_unref (G_OBJECT (application));
+
+ /* release the screen */
+--
+2.17.1
+
diff --git a/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb b/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
index 128043d19b..7bef08ed95 100644
--- a/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
+++ b/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
@@ -8,6 +8,10 @@ inherit xfce gobject-introspection features_check mime-xdg
 REQUIRED_DISTRO_FEATURES = "x11"
+SRC_URI += "file://CVE-2021-32563-1.patch \
+ file://CVE-2021-32563-2.patch \
+ "
+
 SRC_URI[sha256sum] = "cb531d3fe67196a43ca04979ef271ece7858bbc80c15b0ee4323c1252a1a02b7"
 PACKAGECONFIG ??= ""
--
cgit 1.2.3-korg
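Review bot: The launch-versus-select decision is held in one application-wide field rather than with each queued file: thunar_application_process_filenames sets `application->process_file_action = action;` and thunar_application_process_files_finish later reads that field for whichever entry of the shared `files_to_launch` list it is handling (CVE-2021-32563-2.patch). If the list is processed asynchronously, as the `_finish` callback suggests, entries queued by a command-line call could still be pending when a D-Bus call switches the field to `THUNAR_APPLICATION_LAUNCH_FILES`, and they would then be launched instead of selected. Carrying the action with each queued entry, or declining to change the field while `files_to_launch` is non-empty, would keep the command-line path select-only regardless of ordering. The doc comment also still says the function will "launch them appropriately"; it should describe both values accepted by `@action`. Both functions extend beyond their hunks.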