Version in base suite: 4.16.0-1 Base version: xfce4-settings_4.16.0-1 Target version: xfce4-settings_4.16.0-1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/x/xfce4-settings/xfce4-settings_4.16.0-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/x/xfce4-settings/xfce4-settings_4.16.0-1+deb11u1.dsc changelog | 10 + gbp.conf | 2 patches/0002-mime-settings-Properly-quote-command-parameters.patch | 59 ++++++++++ patches/series | 1 4 files changed, 71 insertions(+), 1 deletion(-)
diff -Nru xfce4-settings-4.16.0/debian/changelog xfce4-settings-4.16.0/debian/changelog
--- xfce4-settings-4.16.0/debian/changelog 2020-12-23 12:43:58.000000000 +0000
+++ xfce4-settings-4.16.0/debian/changelog 2022-12-03 12:50:21.000000000 +0000
@@ -1,3 +1,13 @@
+xfce4-settings (4.16.0-1+deb11u1) bullseye-security; urgency=medium
+
+ * d/gbp.conf: follow bullseye-security branch.
+ Gbp-dch: ignore
+ * d/patches: 0002-mime-settings-Properly-quote-command-parameters.patch added.
+ Fix argument injection in xfce4-mime-helper (CVE-2022-45062)
+ (Closes: #1023732)
+
+ -- Yves-Alexis Perez Sat, 03 Dec 2022 13:50:21 +0100
+
 xfce4-settings (4.16.0-1) unstable; urgency=medium
 * New upstream version 4.16.0
diff -Nru xfce4-settings-4.16.0/debian/gbp.conf xfce4-settings-4.16.0/debian/gbp.conf
--- xfce4-settings-4.16.0/debian/gbp.conf 2020-12-23 12:43:58.000000000 +0000
+++ xfce4-settings-4.16.0/debian/gbp.conf 2022-12-03 12:50:21.000000000 +0000
@@ -1,4 +1,4 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/bullseye-security
 upstream-branch = upstream/latest
diff -Nru xfce4-settings-4.16.0/debian/patches/0002-mime-settings-Properly-quote-command-parameters.patch xfce4-settings-4.16.0/debian/patches/0002-mime-settings-Properly-quote-command-parameters.patch
--- xfce4-settings-4.16.0/debian/patches/0002-mime-settings-Properly-quote-command-parameters.patch 1970-01-01 00:00:00.000000000 +0000
+++ xfce4-settings-4.16.0/debian/patches/0002-mime-settings-Properly-quote-command-parameters.patch 2022-12-03 12:50:21.000000000 +0000
@@ -0,0 +1,59 @@
+From: =?utf-8?q?Ga=C3=ABl_Bonithon?=
+Date: Sat, 12 Nov 2022 22:27:36 +0100
+Subject: mime-settings: Properly quote command parameters
+
+Fixes: #390
+MR: !85
+---
+ dialogs/mime-settings/xfce-mime-helper.c | 37 +++++++++++++++++++++++++++++++-
+ 1 file changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/dialogs/mime-settings/xfce-mime-helper.c b/dialogs/mime-settings/xfce-mime-helper.c
+index 47aeeb4..2f9d082 100644
+--- a/dialogs/mime-settings/xfce-mime-helper.c
++++ b/dialogs/mime-settings/xfce-mime-helper.c
+@@ -413,8 +413,43 @@ xfce_mime_helper_execute (XfceMimeHelper *helper,
+ /* reset the error */
+ g_clear_error (&err);
+
++ /* prepare the command */
++ if (exo_str_is_empty (real_parameter))
++ command = g_strdup (commands[n]);
++ else
++ {
++ /* split command into "quoted"/unquoted parts */
++ gchar **cmd_parts = g_regex_split_simple ("(\"[^\"]*\")", commands[n], 0, 0);
++
++ /* walk the part array */
++ for (gchar **cmd_part = cmd_parts; *cmd_part != NULL; cmd_part++)
++ {
++ /* quoted part: unquote it, replace %s and re-quote it properly */
++ if (g_str_has_prefix (*cmd_part, "\"") && g_str_has_suffix (*cmd_part, "\""))
++ {
++ gchar *unquoted = g_strndup (*cmd_part + 1, strlen (*cmd_part) - 2);
++ gchar *filled = exo_str_replace (unquoted, "%s", real_parameter);
++ gchar *quoted = g_shell_quote (filled);
++ g_free (filled);
++ g_free (unquoted);
++ g_free (*cmd_part);
++ *cmd_part = quoted;
++ }
++ /* unquoted part: just replace %s */
++ else
++ {
++ gchar *filled = exo_str_replace (*cmd_part, "%s", real_parameter);
++ g_free (*cmd_part);
++ *cmd_part = filled;
++ }
++ }
++
++ /* join parts to reconstitute the command, filled and quoted */
++ command = g_strjoinv (NULL, cmd_parts);
++ g_strfreev (cmd_parts);
++ }
++
+ /* parse the command */
+- command = !exo_str_is_empty (real_parameter) ?
exo_str_replace (commands[n], "%s", real_parameter) : g_strdup (commands[n]);
+ succeed = g_shell_parse_argv (command, NULL, &argv, &err);
+ g_free (command);
+
diff -Nru xfce4-settings-4.16.0/debian/patches/series xfce4-settings-4.16.0/debian/patches/series
--- xfce4-settings-4.16.0/debian/patches/series 2020-12-23 12:43:58.000000000 +0000
+++ xfce4-settings-4.16.0/debian/patches/series 2022-12-03 12:50:21.000000000 +0000
@@ -1 +1,2 @@
 01_use-tango-icon-theme.patch
+0002-mime-settings-Properly-quote-command-parameters.patch
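Review bot: The quoted-part test `if (g_str_has_prefix (*cmd_part, "\"") && g_str_has_suffix (*cmd_part, "\""))` is also true for a one-character segment consisting of a lone `"`, which g_regex_split_simple leaves behind when a helper template has an unbalanced quote (constructed example: `"a""`); for that segment `strlen (*cmd_part) - 2` wraps around before it reaches g_strndup. Guarding the branch with `if (strlen (*cmd_part) >= 2 && g_str_has_prefix (*cmd_part, "\"") && g_str_has_suffix (*cmd_part, "\""))` keeps a malformed template from crashing the helper instead of merely launching the wrong command. Separately, the unquoted branch still substitutes real_parameter verbatim, so the re-quoting only protects a `%s` that the template wraps in double quotes; a comment such as `/* an unquoted %s is substituted verbatim: keep %s inside "..." in helper templates */` above the else would make that contract explicit for whoever edits the .desktop command lists. xfce_mime_helper_execute starts and ends outside the hunk.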